
Windows Analysis Report
XClient.exe

Overview

General Information

Sample name: XClient.exe
Analysis ID: 1517141
MD5: e5937a618f5d6f059974cf27804df37f
SHA1: bce00ca4322d18aaf5856d5f884d03fffbda688c
SHA256: 95931b4531f538137929756d736735981e7d7bcf4d43a750fb1bb01c76b3219f
Tags: exe, vecotr-viewdns-net, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • XClient.exe (PID: 4252 cmdline: "C:\Users\user\Desktop\XClient.exe" MD5: E5937A618F5D6F059974CF27804DF37F)
    • WerFault.exe (PID: 7924 cmdline: C:\Windows\system32\WerFault.exe -u -p 4252 -s 1660 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Malware configuration: {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches: sample
Source | Rule | Description | Author | Strings
XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a:$cnc4: POST / HTTP/1.1

Yara matches: memory dumps
Source | Rule | Description | Author | Strings
00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x691a:$cnc4: POST / HTTP/1.1
00000000.00000002.2209264482.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: XClient.exe PID: 4252 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Yara matches: unpacked PEs
Source | Rule | Description | Author | Strings
0.0.XClient.exe.810000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.XClient.exe.810000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a:$cnc4: POST / HTTP/1.1
            No Sigma rule has matched
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:24:27.823152+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:24:32.899750+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:24:42.903049+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:24:56.354321+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:02.894597+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:10.961544+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:24.879580+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:25.800592+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:26.324610+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:30.212660+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:31.078704+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:32.877208+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:46.007270+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:24:27.920563+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:42.906205+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:56.356816+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:10.970041+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:24.887550+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:25.806967+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:26.326991+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:30.214476+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:31.081806+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:32.899750+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:02.894597+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:25:32.877208+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
2024-09-24T19:24:27.649186+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP


            AV Detection

Source: XClient.exe | Avira: detected
Source: XClient.exe | Malware Configuration Extractor: Xworm {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: XClient.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XClient.exe | Joe Sandbox ML: detected
Source: XClient.exe | String decryptor: vecotr.viewdns.net
Source: XClient.exe | String decryptor: 50000
Source: XClient.exe | String decryptor: <123456789>
Source: XClient.exe | String decryptor: <Xwormmm>
Source: XClient.exe | String decryptor: XWorm V5.6
Source: XClient.exe | String decryptor: USB.exe
Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: lib.pdbI | source: XClient.exe, 00000000.00000002.2210643924.000000001BA50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Xml.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.pdbMZ@ | source: WERA038.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb | source: XClient.exe, 00000000.00000002.2210643924.000000001BA50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Configuration.pdb` | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Windows.Forms.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: mscorlib.pdb/ | source: XClient.exe, 00000000.00000002.2210643924.000000001BA9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Configuration.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: XClient.exe, 00000000.00000002.2210454529.000000001B558000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l | source: WERA038.tmp.dmp.15.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Configuration.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: symbols\dll\mscorlib.pdbpdb` | source: XClient.exe, 00000000.00000002.2210454529.000000001B558000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Xml.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb | source: XClient.exe, 00000000.00000002.2210454529.000000001B558000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb@ | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Xml.ni.pdbRSDS# | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Core.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: Microsoft.VisualBasic.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: XClient.exe, 00000000.00000002.2210454529.000000001B558000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: XClient.exe, 00000000.00000002.2208764710.0000000000D33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS | source: WERA038.tmp.dmp.15.dr
Source: Binary string: t.PDB | source: XClient.exe, 00000000.00000002.2210643924.000000001BA94000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Management.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: mscorlib.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Management.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb8 | source: XClient.exe, 00000000.00000002.2210643924.000000001BA50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb | source: XClient.exe, 00000000.00000002.2210643924.000000001BA50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Windows.Forms.pdbx | source: WERA038.tmp.dmp.15.dr
Source: Binary string: mscorlib.pdbN | source: XClient.exe, 00000000.00000002.2210643924.000000001BAAF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbL | source: XClient.exe, 00000000.00000002.2210643924.000000001BA50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN | source: WERA038.tmp.dmp.15.dr
Source: Binary string: .pdbG | source: XClient.exe, 00000000.00000002.2210454529.000000001B558000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\mscorlib.pdb | source: XClient.exe, 00000000.00000002.2210454529.000000001B558000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb | source: WERA038.tmp.dmp.15.dr
Source: Binary string: mscorlib.pdbH | source: WERA038.tmp.dmp.15.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WERA038.tmp.dmp.15.dr

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49699 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 191.96.207.180:50000 -> 192.168.2.7:49699
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49699 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 191.96.207.180:50000 -> 192.168.2.7:49699
Source: Malware configuration extractor | URLs: vecotr.viewdns.net
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 191.96.207.180:50000
Source: Joe Sandbox View | IP Address: 191.96.207.180
Source: Joe Sandbox View | ASN Name: ASN-XTUDIONETES
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: vecotr.viewdns.net
Source: XClient.exe, 00000000.00000002.2209264482.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.15.dr | String found in binary or memory: http://upx.sf.net

            System Summary

Source: XClient.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.XClient.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFAACCC5D76
Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFAACCC6B22
Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFAACCC1E60
Source: C:\Users\user\Desktop\XClient.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4252 -s 1660
Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XClient.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.XClient.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: XClient.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\XClient.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4252
Source: C:\Users\user\Desktop\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\N5Yy5TM3WOXfdPYN
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\21876190-e3ff-4738-9f8c-2fc02dd86616
Source: XClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\XClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XClient.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\XClient.exe | File read: C:\Users\user\Desktop\XClient.exe
Source: unknown | Process created: C:\Users\user\Desktop\XClient.exe "C:\Users\user\Desktop\XClient.exe"
Source: C:\Users\user\Desktop\XClient.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4252 -s 1660
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\XClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\XClient.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: XClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

Source: XClient.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs | .Net Code: Memory
Source: C:\Users\user\Desktop\XClient.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)
            Source: C:\Users\user\Desktop\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XClient.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: 1AB90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\XClient.exe; Window / User API: threadDelayed 818
Source: C:\Users\user\Desktop\XClient.exe; Window / User API: threadDelayed 8997
Source: C:\Users\user\Desktop\XClient.exe TID: 7216; Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\XClient.exe TID: 7220; Thread sleep count: 818 > 30
Source: C:\Users\user\Desktop\XClient.exe TID: 7220; Thread sleep count: 8997 > 30
Source: C:\Users\user\Desktop\XClient.exe; File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.15.dr; Binary or memory string: VMware
Source: Amcache.hve.15.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.15.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.15.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.15.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: XClient.exe, 00000000.00000002.2208764710.0000000000D82000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.15.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.15.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.15.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.15.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr; Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.15.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\XClient.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\XClient.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: page read and write | page guard
Source: XClient.exe, 00000000.00000002.2209264482.000000000301A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2209264482.0000000003133000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000000.00000002.2209264482.000000000301A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2209264482.0000000003133000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: XClient.exe, 00000000.00000002.2209264482.000000000301A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2209264482.0000000003133000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000000.00000002.2209264482.000000000301A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2209264482.0000000003133000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: XClient.exe, 00000000.00000002.2209264482.000000000301A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2209264482.0000000003133000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager2
Source: C:\Users\user\Desktop\XClient.exe; Queries volume information: C:\Users\user\Desktop\XClient.exe VolumeInformation
Source: C:\Users\user\Desktop\XClient.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.15.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: XClient.exe, 00000000.00000002.2208764710.0000000000D82000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.15.dr; Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\XClient.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match; File source: XClient.exe, type: SAMPLE
Source: Yara match; File source: 0.0.XClient.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2209264482.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: XClient.exe PID: 4252, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match; File source: XClient.exe, type: SAMPLE
Source: Yara match; File source: 0.0.XClient.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2209264482.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: XClient.exe PID: 4252, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques per tactic; a leading number is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 2 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 131 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
XClient.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm
XClient.exe | 100% | Avira | HEUR/AGEN.1305769
XClient.exe | 100% | Joe Sandbox ML
No Antivirus matches

Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
vecotr.viewdns.net | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
vecotr.viewdns.net | 191.96.207.180 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vecotr.viewdns.net | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.15.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XClient.exe, 00000000.00000002.2209264482.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
191.96.207.180 | vecotr.viewdns.net | Chile | 60458 | ASN-XTUDIONETES | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1517141
Start date and time: 2024-09-24 19:23:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XClient.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/5@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 49
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target XClient.exe, PID 4252 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtSetInformationFile calls found
• VT rate limit hit for: XClient.exe
Time | Type | Description
13:24:12 | API Interceptor | 1147367x Sleep call for process: XClient.exe modified
15:03:28 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
191.96.207.180 | GvJxEfWyS1.ps1 | malicious | PureLog Stealer, XWorm
191.96.207.180 | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm
191.96.207.180 | XeI2N4WyGz.ps1 | malicious | XWorm
191.96.207.180 | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm
191.96.207.180 | payload_1.vbs | malicious | XWorm
191.96.207.180 | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm

Match | Associated Sample Name / URL | Detection | Threat Name | Context
vecotr.viewdns.net | GvJxEfWyS1.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
vecotr.viewdns.net | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
vecotr.viewdns.net | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
vecotr.viewdns.net | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
vecotr.viewdns.net | payload_1.vbs | malicious | XWorm | 191.96.207.180
vecotr.viewdns.net | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASN-XTUDIONETES | GvJxEfWyS1.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
ASN-XTUDIONETES | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
ASN-XTUDIONETES | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
ASN-XTUDIONETES | payload_1.vbs | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip | malicious | Unknown | 179.61.228.98
ASN-XTUDIONETES | mlnZfOifRX.elf | malicious | Okiru | 45.151.195.118
ASN-XTUDIONETES | arm7.elf | malicious | Mirai | 185.37.230.233
ASN-XTUDIONETES | file.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43

No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.244037228716977
Encrypted: false
SSDEEP: 192:8wUUPztPUN081iHxaWz8iyolL7XRiEzuiFMZ24lO8mL:DXPztP981iRa48irPfzuiFMY4lO8mL
MD5: 1DE5C205E5CCBC2F40115BABC37667DF
SHA1: ED692FCF0BC3B831D0CC4553B283C60C47446879
SHA-256: EA7D4ED76D02C53BB95F2A6D8E15DA3F1E1A778C937ECB2E7FD700E7E1E5127F
SHA-512: 333BA02A2CE9B2FBDEFD8555B0CA365B253F4C53119CDA65CBA0C6300589DE324EFCBBC7CC65F877D184B76DD36FE1294811C388EC4C71D50A638E48B2965026
Malicious: true
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Tue Sep 24 19:03:14 2024, 0x1205a4 type
Category: dropped
Size (bytes): 534595
Entropy (8bit): 3.052701620922794
Encrypted: false
SSDEEP: 3072:RkC0gJ2FGEUPQYc1CCqBp3pW93+vqILpNMk4pHhRdd3T7+yRDcSE5FLf:n0mCUbyqBpZW93QvwkClFZX8
MD5: 8C988CB1B6F25930C6F29CD69484C762
SHA1: C791224F810745831CBD18B77B4AA41EFAD5430E
SHA-256: 15BB4FF484DF78EAE22D7115338E626EA958967E5DEDB55A5F371907228FB207
SHA-512: 12242C291B947FCF2E9B765A41104868696B102B6AB79F5CF60E98C44F0E9347E1833ACB483781853D6060813462D41A017B3443F4633BA32D58CD272AF971BF
Malicious: false
Reputation: low
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8878
                          Entropy (8bit):3.699513602388072
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJhu5ZS6YNF8z4gmfZy8CprE89beggrfzqm:R6lXJoy6Yf8z4gmfo/enrfv
                          MD5:54FCE1E7DBEBA0377D070E2A7D66B49B
                          SHA1:1290705C6BB3B57F96B3A76475B4ABE93EA4405F
                          SHA-256:B9F12EF990847B75E6277150894D3FD0F71301FEA135A3A3915B434C5ED69EA7
                          SHA-512:8BC2C48C9EB57560809DA1D489CA959C1C2C7147BBD881A5012664E3FD8C5E9A1765B7A10AF70E6C0589E1BC972ECEFE78522E8C26F9C833C22B4D2C0C45EAC2
                          Malicious:false
                          Reputation:low
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.5.2.<./.P.i.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4765
                          Entropy (8bit):4.438316601409016
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zs9Jg771I9y1WpW8VYjxYm8M4JsNFnyq8vxR/UDRd6EIDuBd:uIjfXI7BE7VlJqW3UDRdvIDuBd
                          MD5:25BF2BD862AD99170A7EEE0ED6F8A857
                          SHA1:1D8B541DF6E6B1A45BD26403AB57AFBAAF8A73EA
                          SHA-256:0BF7E197C1B73DB2BADCEAFF3F8E3878C9964F4FE82CF777185953BAB313E86A
                          SHA-512:5AF37C21F886DE38785C6139AC430DD145048AF0B4A4F2A6E2F5C36604BC775F758BE02E26A279C1C4155C300C50ACD9BAD56E2AE0A5D718575C405D8944BBCE
                          Malicious:false
                          Reputation:low
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="514685" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1835008
                          Entropy (8bit):4.416681643673323
                          Encrypted:false
                          SSDEEP:6144:Xcifpi6ceLPL9skLmb0mkSWSPtaJG8nAgex285i2MMhA20X4WABlGuNv5+:Mi58kSWIZBk2MM6AFBZo
                          MD5:9EEC8FA60A5A07FFAA92EE2F7333A051
                          SHA1:B29C0881C07ED2F90022C7680BBE2A44211A2665
                          SHA-256:D507AFFE4832C9BD619BAC0435BE5EA931F1D3DF4A2200FE4BAC4B74304C71EF
                          SHA-512:448837D5CCD2E64A37B6E442CE37E0E9108C457C34D4C08D585EFA4FF36D346BE6A4D375B670BFDE29BE75EB8ABD43F5F914FA5FA5EFA91F3DCD763BB21589E2
                          Malicious:false
                          Reputation:low
                          Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.Plh..................................................................................................................................................................................................................................................................................................................................................{\........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.595487872183829
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:XClient.exe
                          File size:33'280 bytes
                          MD5:e5937a618f5d6f059974cf27804df37f
                          SHA1:bce00ca4322d18aaf5856d5f884d03fffbda688c
                          SHA256:95931b4531f538137929756d736735981e7d7bcf4d43a750fb1bb01c76b3219f
                          SHA512:f386fdbe891893888123b8dee38b7fa1a4b7e96177bd360fe447b7c1ab5f3b2a3d5fe80275a582b1fec324a01427a0d7b37be6ffe6f78983051d3623bcad7b96
                          SSDEEP:768:HRPD9OQhx/BV3Tw4OlzVFE9jz8Ojh8br:Hd9OW/V3U4OnFE9jz8OjKn
                          TLSH:ACE23B4877E44712DAEEAFB12DF362061271D51BD813EF9E0CE485EA2B67AC047407E6
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..f.................x............... ........@.. ....................................@................................
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x40979e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66CBCF7A [Mon Aug 26 00:42:34 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9744 | 0x57 | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x4d8 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0x77a4 | 0x7800 | c835925e2218306559d4f2c102bc9dda | False | 0.5017252604166667 | data | 5.746031352586271 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xa000 | 0x4d8 | 0x600 | afbb984503128042cc38bf70e5e337f4 | False | 0.375 | data | 3.7203482473352403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xc000 | 0xc | 0x200 | fbad57bc563b9a0d7654c19529129cc5 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_VERSION | 0xa0a0 | 0x244 | data | | | 0.4724137931034483
                          RT_MANIFEST | 0xa2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-09-24T19:24:27.649186+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:24:27.823152+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:24:27.920563+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:24:32.899750+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:24:32.899750+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:24:42.903049+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:24:42.906205+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:24:56.354321+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:24:56.356816+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:25:02.894597+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:02.894597+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:10.961544+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:10.970041+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:25:24.879580+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:24.887550+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:25:25.800592+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:25.806967+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:25:26.324610+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:26.326991+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:25:30.212660+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:30.214476+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:25:31.078704+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:31.081806+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49699 | 191.96.207.180 | 50000 | TCP
                          2024-09-24T19:25:32.877208+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:32.877208+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          2024-09-24T19:25:46.007270+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.7 | 49699 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Sep 24, 2024 19:24:13.163139105 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:13.168020010 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:13.168102980 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:13.382775068 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:13.388061047 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:27.649185896 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:27.654201984 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:27.823152065 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:27.876102924 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:27.920562983 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:27.925688028 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:32.899749994 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:32.954288006 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:41.908370972 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:42.219974041 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:42.715312958 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:42.715332985 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:42.903048992 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:42.906204939 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:42.926707029 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:56.173486948 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:56.180960894 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:56.354321003 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:24:56.356816053 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:24:56.362039089 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:02.894597054 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:02.938698053 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:10.439441919 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:10.751224995 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:10.792814970 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:10.792826891 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:10.961544037 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:10.970041037 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:10.974951982 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:24.705138922 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:24.710011005 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:24.879580021 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:24.887550116 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:24.892570972 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:25.626843929 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:25.631886005 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:25.800591946 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:25.806967020 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:25.811777115 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:25.939291954 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:26.156196117 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:26.324609995 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:26.326991081 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:26.332437992 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:30.033200026 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:30.038600922 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:30.212660074 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:30.214476109 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:30.219322920 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:30.720403910 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:30.910362959 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:31.078704119 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:31.081805944 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:31.086738110 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:32.877207994 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:32.923104048 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:45.833545923 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:45.838404894 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:46.007270098 CEST | 50000 | 49699 | 191.96.207.180 | 192.168.2.7
                          Sep 24, 2024 19:25:46.048156977 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Sep 24, 2024 19:25:46.200748920 CEST | 49699 | 50000 | 192.168.2.7 | 191.96.207.180
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Sep 24, 2024 19:24:13.135561943 CEST | 49209 | 53 | 192.168.2.7 | 1.1.1.1
                          Sep 24, 2024 19:24:13.145940065 CEST | 53 | 49209 | 1.1.1.1 | 192.168.2.7
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Sep 24, 2024 19:24:13.135561943 CEST | 192.168.2.7 | 1.1.1.1 | 0xd9be | Standard query (0) | vecotr.viewdns.net | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Sep 24, 2024 19:24:13.145940065 CEST | 1.1.1.1 | 192.168.2.7 | 0xd9be | No error (0) | vecotr.viewdns.net | | 191.96.207.180 | A (IP address) | IN (0x0001) | false


                          Target ID:0
                          Start time:13:24:08
                          Start date:24/09/2024
                          Path:C:\Users\user\Desktop\XClient.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\XClient.exe"
                          Imagebase:0x810000
                          File size:33'280 bytes
                          MD5 hash:E5937A618F5D6F059974CF27804DF37F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1243593028.0000000000812000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2209264482.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:15
                          Start time:15:03:14
                          Start date:24/09/2024
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 4252 -s 1660
                          Imagebase:0x7ff686b90000
                          File size:570'736 bytes
                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: $H
                            • API String ID: 0-1323546614
                            • Opcode ID: 912deef3fd79aa69184191d275bb59af2876206fd180c626da95b1a86790b1d1
                            • Instruction ID: 3df9ee24c284987b3527ad772dfa99f857cf3dc8c205804ae2907b342daa3c6d
                            • Opcode Fuzzy Hash: 912deef3fd79aa69184191d275bb59af2876206fd180c626da95b1a86790b1d1
                            • Instruction Fuzzy Hash: FA827370B1D9198BFB99EB78C456A79B2D2EF99740F508578D00ED32C2DE28EC468781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b74a591a6b7feb41ed523ac30899b06421c2d13ed3cbb8f0f6d6a99285da71e4
                            • Instruction ID: 6944d923ddd078763faf969e6ff19912a7804408503925315db217e1ee69b183
                            • Opcode Fuzzy Hash: b74a591a6b7feb41ed523ac30899b06421c2d13ed3cbb8f0f6d6a99285da71e4
                            • Instruction Fuzzy Hash: E6F1927090DA8E8FEBA9DF28C855BE937E1FF55311F04826AE84DC7291CB34D9458B81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be5c59b9b5a0ca8435d84912c22137b1c8f4097fd4b1ba04497d2a6fb1316ade
                            • Instruction ID: c160ad24c2d37da58c39acd4df8d44d04ebf2eb89416753dc7512e97802b115b
                            • Opcode Fuzzy Hash: be5c59b9b5a0ca8435d84912c22137b1c8f4097fd4b1ba04497d2a6fb1316ade
                            • Instruction Fuzzy Hash: 30E1A07090DA8D8FEBA9DF28C8567E977E1EF55310F04826AE84DC7291CE74E9448B81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6$r6$r6$r6
                            • API String ID: 0-3926755054
                            • Opcode ID: ce4d240114e17218ce4838395bebded4925c5224ea963fe8d440cb4e10268450
                            • Instruction ID: 9dab1c10dbc8ca2beceb93a1cdabb8720fc17ea9be515d727d524d4eb52dc51f
                            • Opcode Fuzzy Hash: ce4d240114e17218ce4838395bebded4925c5224ea963fe8d440cb4e10268450
                            • Instruction Fuzzy Hash: 84C1F7B1A5CA198FEB99EF28D494674B7D1FF9A350F4045B9E04EC7292CE28EC0587C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0&$r6
                            • API String ID: 0-1342382475
                            • Opcode ID: e2ae2d94aa2a2be1339859b55939cf39f99c672d88bbb6b38171eaddb97adb13
                            • Instruction ID: a4b8d9c5e4ec023ef35a465712c4e3ef16ed3090cca5a6501cfe9a3fbbdaa6a9
                            • Opcode Fuzzy Hash: e2ae2d94aa2a2be1339859b55939cf39f99c672d88bbb6b38171eaddb97adb13
                            • Instruction Fuzzy Hash: 83B12AA1B1CA494FE799AF2C84597B9ABD2EF99350F444579D04EC32D2ED28DC0287C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0&$r6
                            • API String ID: 0-1342382475
                            • Opcode ID: 006771c17ef095943d4d0a80b2250ec3d32c89bc5a845071fda137180071a6a3
                            • Instruction ID: e83dfbfcb98f0f5ed87864f72d170a1c8f18a26a9a4e814985547792b0cbc195
                            • Opcode Fuzzy Hash: 006771c17ef095943d4d0a80b2250ec3d32c89bc5a845071fda137180071a6a3
                            • Instruction Fuzzy Hash: 7AA13BA1B1CA494FE799EB3C84597B9BBD2EF99350F444579E04EC32D2ED28980683C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: /$/
                            • API String ID: 0-972056843
                            • Opcode ID: 16290f5e7ec626a01a40803ce8500d1b654ba3595772803fe937c5bea66450e9
                            • Instruction ID: d4a41649d1e7f8e8caf512b9b04729bf802c75bbb807e2a8e7ca992776b69bdc
                            • Opcode Fuzzy Hash: 16290f5e7ec626a01a40803ce8500d1b654ba3595772803fe937c5bea66450e9
                            • Instruction Fuzzy Hash: EE61F330D0D6868FEB4BDB7488526A97BA1EF57310F1842E9D05EC72D3CE28A846C791
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6
                            • API String ID: 0-1452363761
                            • Opcode ID: f5eacdd7e14b291ef3fa87aa33cc8fc12d0f96759cc250f398815778d4a224e4
                            • Instruction ID: d38aa79b31624c3107f3aeab712d781ac39f330ea79e784fb23321eed1cb29d8
                            • Opcode Fuzzy Hash: f5eacdd7e14b291ef3fa87aa33cc8fc12d0f96759cc250f398815778d4a224e4
                            • Instruction Fuzzy Hash: 68A1C4A071DA098BEB49BB7DD455BB9B6D2EFA9300F5445B5E00DC32D3CE68EC418392
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: %N_I
                            • API String ID: 0-4270823541
                            • Opcode ID: a31a2469102a8dc6d2d80a191ae7722edddb3580d1af6a3c4944c62d6e46f823
                            • Instruction ID: dc93184865d3cc66c5bf19c8ba188633e329b249e8c7815287964df7243a6a36
                            • Opcode Fuzzy Hash: a31a2469102a8dc6d2d80a191ae7722edddb3580d1af6a3c4944c62d6e46f823
                            • Instruction Fuzzy Hash: 8371C5A2A0E6C58FF75B9B7888156B87B91FF57310B1884FAD08CC7197D919EC0987C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: %N_I
                            • API String ID: 0-4270823541
                            • Opcode ID: 0b625a5ff2bf6d16c097908fdfa62acfa1562b58bffc423d001127bb5f754c08
                            • Instruction ID: 8450ecffd79f15152c70d6ffbab5f05aef08a0583442a4e23776d350e9d1edeb
                            • Opcode Fuzzy Hash: 0b625a5ff2bf6d16c097908fdfa62acfa1562b58bffc423d001127bb5f754c08
                            • Instruction Fuzzy Hash: 0D61F8A2A0EA859FF756AF7888556B97BD1FF57310B0880FAD04CC7197D919EC0A83C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: r6
                            • API String ID: 0-2984296541
                            • Opcode ID: 6432d514364d185d5a732541abefbb13eab072ba5558e1b7c155d04be295a13b
                            • Instruction ID: 88a436e3474769517addda2ac8343b099d812aaa91c7941a2f6c8b5fa8fd3bd0
                            • Opcode Fuzzy Hash: 6432d514364d185d5a732541abefbb13eab072ba5558e1b7c155d04be295a13b
                            • Instruction Fuzzy Hash: FE5129A2B1DA454FE349AB7CD46A6B9BBC1DF99315F0445FAE04DC3293DE189C0683C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: r6
                            • API String ID: 0-2984296541
                            • Opcode ID: 71d11f5b037aa494f7ecc3f2e19272d173cc87af4f8f62f3420f41208e8cd66c
                            • Instruction ID: 29310f1aa333d32c94e5f3128beacb69926c64f31367b81ea882c4a62069281d
                            • Opcode Fuzzy Hash: 71d11f5b037aa494f7ecc3f2e19272d173cc87af4f8f62f3420f41208e8cd66c
                            • Instruction Fuzzy Hash: 78414C6171DA890FE789A77CD46A6787FD6DF9A210F0801FEE04DC72A3CD188C068381
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: r6
                            • API String ID: 0-2984296541
                            • Opcode ID: a79aafaddf77b7c0544b6fb174806ee0152889074466baff96e98e4db714acfb
                            • Instruction ID: e16ec2cc01fc69794db458fa55f3f2a6f8c647f00a50f8f34f492a59268cdeb2
                            • Opcode Fuzzy Hash: a79aafaddf77b7c0544b6fb174806ee0152889074466baff96e98e4db714acfb
                            • Instruction Fuzzy Hash: 3E31F761B1C9484FE788EB7CD46AB79B6C6EF99315F0405BEE04EC3293DD249C018381
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6
                            • API String ID: 0-1452363761
                            • Opcode ID: f54993031cd539c94b569b1305148f4104a7cef6411c7bb9887fb2f65b38c6a7
                            • Instruction ID: 966e5eecaea1f66c6ffad16d5e31a5b7a142b150c607ea98b50250c6881e3309
                            • Opcode Fuzzy Hash: f54993031cd539c94b569b1305148f4104a7cef6411c7bb9887fb2f65b38c6a7
                            • Instruction Fuzzy Hash: 0C31A691B1CA095FF785BBBC981A7BC67D6EF99751F0442BAE00DC3292DE58DC414381
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6
                            • API String ID: 0-1452363761
                            • Opcode ID: 8f44cc12c2b1e6075758bf43ea8eebe21476223fcb2729fd0babbd05d928ebb1
                            • Instruction ID: 22e549d0e9675b58a75b6d924f6aa35d84b5dfb39bebd556b2ddb1c601a4e18a
                            • Opcode Fuzzy Hash: 8f44cc12c2b1e6075758bf43ea8eebe21476223fcb2729fd0babbd05d928ebb1
                            • Instruction Fuzzy Hash: 19318092B18E095BFB84BBBC985E7BD66D6EF98751F0041BAE00DC3292DE68DC4143C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID: d
                            • API String ID: 0-2564639436
                            • Opcode ID: b467049736e9551cd84b48becae73e63a94b7485c168ea75886010a8647719f2
                            • Instruction ID: c63fb18c3ebc966b8f5da46e827c5f3b268ca0e8e25aecd89bc7d5be42a6253b
                            • Opcode Fuzzy Hash: b467049736e9551cd84b48becae73e63a94b7485c168ea75886010a8647719f2
                            • Instruction Fuzzy Hash: 7C219271C0D2AACFEB46AFB488456F9BBF0EF4A310F0541BAD44DD7192DA28984987D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa5c53b0e6a3d62ff090d21441ed73333a45c1d95ed635b02259ccf1ed80d65e
                            • Instruction ID: 10997aa6988b0f4ade3dab4c0fe700d41002e1a08b055359fcf9e6f6b7a06474
                            • Opcode Fuzzy Hash: aa5c53b0e6a3d62ff090d21441ed73333a45c1d95ed635b02259ccf1ed80d65e
                            • Instruction Fuzzy Hash: CFB1947050CA8D8FEBA9DF28D8557E93BE1EF55310F04826AE84DC7292CB34D945CB82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b5bd99988631ad2d799139ca9225fd2818203f886f290e52f0f3f2c96fd5e82
                            • Instruction ID: 3e71fd6ddfd381fb3ef86b13ead09fbb00e19355dea0e4e96e0e8a854b2a1f62
                            • Opcode Fuzzy Hash: 0b5bd99988631ad2d799139ca9225fd2818203f886f290e52f0f3f2c96fd5e82
                            • Instruction Fuzzy Hash: A481E6B190DA598FEB86EF78C4559A97BF1FF5A310B0441BAD409C3292DF38A845C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 53a72e72ce362b6cf8613df452f6fd74d70559009aed25183a5863315330314e
                            • Instruction ID: 63cd876fb9b00cfce10d87747fad52dfa4ca67dcfd5dfea811bbfdfe15a1586b
                            • Opcode Fuzzy Hash: 53a72e72ce362b6cf8613df452f6fd74d70559009aed25183a5863315330314e
                            • Instruction Fuzzy Hash: E87138B1D1EA4A8FFB8AEB38C4556A5B7D0FF15314F4485B9D04DC3192DE28E94A83C1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 802a5b05841c50f402e153a89ed15bec7e1222f13410f8ef3a7cd614c42b1207
                            • Instruction ID: 3f8253d697248d8a5a61ff25c711c4a1b5953c9e138c9402f12f6e646288aa61
                            • Opcode Fuzzy Hash: 802a5b05841c50f402e153a89ed15bec7e1222f13410f8ef3a7cd614c42b1207
                            • Instruction Fuzzy Hash: 45314C52A0EA9A8EF7539B6CA8650ED7FA0EF93220B0806F7D189C7193D915980A43D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 674c29940a37d2448a03690d53864058c0b74ff4b526ca249412679315523cf7
                            • Instruction ID: 565ba539394cae5e5a4fe627faea1eacd0420f532782aaef66bf353ed7117a86
                            • Opcode Fuzzy Hash: 674c29940a37d2448a03690d53864058c0b74ff4b526ca249412679315523cf7
                            • Instruction Fuzzy Hash: 8B5119A1F5DA4E5FEB89EB78D4696BD7B91FF89310B8044B9E00EC31D3DD2898058391
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f4db7ac770bc2bdab2789d56b96c4548fe818a195c9ffce3bc44421f855b1cb
                            • Instruction ID: 1c74a36682b3e2b27a2690741190d3d097b9017617893b6a931fe1b17857fe5a
                            • Opcode Fuzzy Hash: 7f4db7ac770bc2bdab2789d56b96c4548fe818a195c9ffce3bc44421f855b1cb
                            • Instruction Fuzzy Hash: 6C51A470A18A1D8FDB58DF68D845BEDBBF1FF59310F1082AAD44DD3252CA34A846CB81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5a33f7d91010a27d41c4a65df42259b1a5cd6e138a07b3d7fe2dc103f5cfe895
                            • Instruction ID: 8a861498764b43064313ad6e7727154eeafae3b002e9fda56d6337c8710d6d23
                            • Opcode Fuzzy Hash: 5a33f7d91010a27d41c4a65df42259b1a5cd6e138a07b3d7fe2dc103f5cfe895
                            • Instruction Fuzzy Hash: 19216156A0EB998EF7539B6CA8651FD7FB0EF97220B0806F7D089C7093D914980A43D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b04345d260ba9f453be313d296f5d56b47cfcac87cb5327e04a9dc166483868c
                            • Instruction ID: 5f588e6a7ffca1f4df66e89e6437d4d55b13eb0542d8bbf66f69879731fcd60a
                            • Opcode Fuzzy Hash: b04345d260ba9f453be313d296f5d56b47cfcac87cb5327e04a9dc166483868c
                            • Instruction Fuzzy Hash: DC51B671E1D9599FEB99EB38D855AB9B7F1FF89300F0444B9E00DD3292DE28AC458780
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e26b5b312ef75927987003e9294294f28b38830f8c8bd13cde9c5c899fdf5f5c
                            • Instruction ID: 8e4d8466074a595e99f7307ce3a1f51708f0153d76171de4c8c6a4c60ba8a378
                            • Opcode Fuzzy Hash: e26b5b312ef75927987003e9294294f28b38830f8c8bd13cde9c5c899fdf5f5c
                            • Instruction Fuzzy Hash: AF517071918A0C8FDB99DF68D845BE9BBB1FF59310F0482AAD00DD3252DF34A9848F81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e638a9c167d420e236583676a0cc7f0b8490cb7c46360c6a191fc1ae837c3514
                            • Instruction ID: 58b8bb49cb73a4cff5ec546ea9cd9b9301bf600183b501796a806995bb1d4a2f
                            • Opcode Fuzzy Hash: e638a9c167d420e236583676a0cc7f0b8490cb7c46360c6a191fc1ae837c3514
                            • Instruction Fuzzy Hash: E251017090CA498FE759DF68D855AB87BF0EF56311F0482AED00DC7292CB29A846CB91
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d974765b4dfcc27a968a914c4e446163952dcaa0e89ff3285bceae3d86364fc3
                            • Instruction ID: 75aac8e69c320d592d80da955c85bb510bdd7e32c10a8ca50b3e89fa5d1b461f
                            • Opcode Fuzzy Hash: d974765b4dfcc27a968a914c4e446163952dcaa0e89ff3285bceae3d86364fc3
                            • Instruction Fuzzy Hash: 0F218356A0DA998FF753AB6CA8551FD7FB0EF97220B0802F7D08DC3193D914980943D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27ee31d374505d0872677c2575f7b3ebe96bf4cd2601311ea461eaddabe6de39
                            • Instruction ID: 1e63eda5327e63e808a2e4efd2c9280a7006f80453bece3eae06c802264c221e
                            • Opcode Fuzzy Hash: 27ee31d374505d0872677c2575f7b3ebe96bf4cd2601311ea461eaddabe6de39
                            • Instruction Fuzzy Hash: A7515B71A0D6488FEB95EB78C859AF977E1EF49310F0541BAE00DC7292CD28EC46C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69f9cec179343eb0716148ee051d81d599e67455380689faedfdf4023155c9ad
                            • Instruction ID: ea6903bea626325bdd2f1d46644f9ec41854cd1125c9ca8735c46dbc4bd9b494
                            • Opcode Fuzzy Hash: 69f9cec179343eb0716148ee051d81d599e67455380689faedfdf4023155c9ad
                            • Instruction Fuzzy Hash: 8C513771A0E68D8FEB56AB3888156B97BE0FF46320F0445FAD04DC7193DA2CE806C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f3736946fddfeba5e29c789af4b0b5d246ccd40517b5a8c5752197b194e1e703
                            • Instruction ID: 472259fb62f50cf432a7f08b6711f6d48124ea7ab31d9142108cf09e0bb60f99
                            • Opcode Fuzzy Hash: f3736946fddfeba5e29c789af4b0b5d246ccd40517b5a8c5752197b194e1e703
                            • Instruction Fuzzy Hash: 8A216F56A0EA998FF753AB6CA8661FD7FB0EF97220B0805F7D08DC3193D918980943D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ebc30f94be4f95dbb9ef09fa3452ac67a25548c468fb45ec565d417b051e246e
                            • Instruction ID: cc3d921c514815c0b706bb7b64a03af695589e5c384dd4dadfd9f4cabaab6fd7
                            • Opcode Fuzzy Hash: ebc30f94be4f95dbb9ef09fa3452ac67a25548c468fb45ec565d417b051e246e
                            • Instruction Fuzzy Hash: F8416862B1DA4A4FF799EB3CD446A7977C2EF86310B0444B9E48EC3292DD18EC438381
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b93373d0c3ca5cb1701db002abcadfcbde49c035e640c8944293073868b5d1a5
                            • Instruction ID: bea1b552711f3a4188ea4cad4b841fe7e7becc5441b4d062a12579c11f0ae373
                            • Opcode Fuzzy Hash: b93373d0c3ca5cb1701db002abcadfcbde49c035e640c8944293073868b5d1a5
                            • Instruction Fuzzy Hash: C3117F66A0DA994FE742AB68A8161AD7FB0EF96310B0801F7D08DC3193D918980943D2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b9aae6937b7c2f544fba8fc61bb8a00f25e82eed80a1cd35c584df0b72a6c374
                            • Instruction ID: bc959d3209ec653aa5080d38ba26000489538c8d981ead9f357121042de59474
                            • Opcode Fuzzy Hash: b9aae6937b7c2f544fba8fc61bb8a00f25e82eed80a1cd35c584df0b72a6c374
                            • Instruction Fuzzy Hash: D211A062A0DA998FEB42EB7C98161AD7FF0EF96310B0801F7D04DC3193D9189C0943D2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a89834cc226c53b72c9c25025314dad12dbf1bb55b22c4e19aaa0761e07e67aa
                            • Instruction ID: dcb11d2febfd0031b7a5d6368db2bbdc13d90dc5e64308e1105d89676d9aa436
                            • Opcode Fuzzy Hash: a89834cc226c53b72c9c25025314dad12dbf1bb55b22c4e19aaa0761e07e67aa
                            • Instruction Fuzzy Hash: 1C418FB4949A1C8FEF9CEF68D455BA97BE0FB55311F00416EE00EC3691CB35E8468B81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d5eb9c8414680bb291f8aef8c497a9589f3a5c6b1c053497eeff05b538334ded
                            • Instruction ID: 7084c2f4e31fbcbedcc7dac756cd7e06364766d57fd8cf569d9109f66c89dc33
                            • Opcode Fuzzy Hash: d5eb9c8414680bb291f8aef8c497a9589f3a5c6b1c053497eeff05b538334ded
                            • Instruction Fuzzy Hash: 3A412671A0D64C8FEB55EB38C8116E97BE1FF56320F0546FAE04DC3193DA28E8468781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f0d91a2a52eedeb27ac74d522cbcf8f27c3554b1d6fb4a851ae9e5139c13c08
                            • Instruction ID: 7a03ee28b8a526ef2d7f50b418286c820b5d9175a28bd77ca190937bdcba3230
                            • Opcode Fuzzy Hash: 7f0d91a2a52eedeb27ac74d522cbcf8f27c3554b1d6fb4a851ae9e5139c13c08
                            • Instruction Fuzzy Hash: 64418471B1890C8FEB98EB7CC459AA9B7E2EF99310F144579E00DD3292DE24EC458780
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4d08453b765830ca8e2afe65bad95dcc14ee52997d237c8dbd55ef2d9cbec9ea
                            • Instruction ID: 06333f3bbc158a075a11e6a47f49aaf607238f69d202b415be2ca23778199318
                            • Opcode Fuzzy Hash: 4d08453b765830ca8e2afe65bad95dcc14ee52997d237c8dbd55ef2d9cbec9ea
                            • Instruction Fuzzy Hash: 6A4127B181D6868FF3469B648C525F6BBF0EF42310B5841FAD05EC75D3DD1CA94A8382
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35c1b1f26dd7a8131159207edb47b4102494a4c8f0b5b924ff42aee7d1cac9f1
                            • Instruction ID: 556f8f78c14531772afb9f2693ebae61cb8f7493be8f3d6b672d583371b8ab9d
                            • Opcode Fuzzy Hash: 35c1b1f26dd7a8131159207edb47b4102494a4c8f0b5b924ff42aee7d1cac9f1
                            • Instruction Fuzzy Hash: 8F41A3B0A1D6499FEB45EB78C8656F9BBA1FF99300F5444B9D04DC3286DE38A805C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f3f78417c91b97a5f782dcf05313de4252ca56dc1e5dd38567d5e96f70f9cc6
                            • Instruction ID: 79b630aea01caf172886cb8e09dc84bb353efa19f4371c8cb72ce233673b0df4
                            • Opcode Fuzzy Hash: 1f3f78417c91b97a5f782dcf05313de4252ca56dc1e5dd38567d5e96f70f9cc6
                            • Instruction Fuzzy Hash: 5B31F5A190E6898FF75ADF78846A2B93FD1EF56300F4445FAD44ED76D2DE28A8058380
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e192cabe4bd0011b1821e1f0be1a1687533a5618b7d24eff380db9c019808741
                            • Instruction ID: f819041549c84b0b3de114af10d89fe68e8257a6c90e026da48cef5fae82ece8
                            • Opcode Fuzzy Hash: e192cabe4bd0011b1821e1f0be1a1687533a5618b7d24eff380db9c019808741
                            • Instruction Fuzzy Hash: 3931A13140D7488FDB55DFA8D889AE9BBF0EF56310F0482AFD049C7552DB74A405CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7a267beee2aac32c0554be1b3c77c32228327d5b3e4c5476fefe138f138125fb
                            • Instruction ID: 62b689541f04307196e047bb53e449460e8c50f24c40a5257489b4ec12786c06
                            • Opcode Fuzzy Hash: 7a267beee2aac32c0554be1b3c77c32228327d5b3e4c5476fefe138f138125fb
                            • Instruction Fuzzy Hash: 0A21E6A0A5DA5D8BEB45BBB8D816BF977D1EF59310F5002B6E00DC31C3DE6CA8458392
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 956f4fe1704cdc58c5ef4db913df581ee7539066dd9f0da093396d68bf5e2594
                            • Instruction ID: d726678219ece6f829f3cfe2409394a5c1d56643cdf2cc83da5d73f569ce2bca
                            • Opcode Fuzzy Hash: 956f4fe1704cdc58c5ef4db913df581ee7539066dd9f0da093396d68bf5e2594
                            • Instruction Fuzzy Hash: AC21D8B1A0D5598BE7999F28D4A56BDB7D0EF65311F00067ED00ED3291CF39A544C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14b91b7bf20be26a5325c2c16ba13044e8a64cdf79608bee5afa7510f686a0c2
                            • Instruction ID: e2f66cde0a4cb9eb1908deb04f964bacce6c7f098e34b3e0d748fcd5cb03362d
                            • Opcode Fuzzy Hash: 14b91b7bf20be26a5325c2c16ba13044e8a64cdf79608bee5afa7510f686a0c2
                            • Instruction Fuzzy Hash: 07210831A4E69A4FE747DB6888119F93BE1DF9B260F0482BAD08FC7192CD1CD9068391
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 61454020539771cbc17be6561a8fe778bc30462451fe1029be64b1cb62bd0c5f
                            • Instruction ID: 27d775b9287b877010b9b3518e4cb598ecbfde966b9bd846f202ea64b28eed4c
                            • Opcode Fuzzy Hash: 61454020539771cbc17be6561a8fe778bc30462451fe1029be64b1cb62bd0c5f
                            • Instruction Fuzzy Hash: 2811E465D0E6828BF317AB7A89525B83BA29F93250F4881B5D05DCB1C3DE1CEC5E83D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e579de8c46938de720f795dcf8e311fe8336e4e33705cdd868788d4a211bbe2f
                            • Instruction ID: 872bcabc319538db21736014c508f9f182cdc85015062c7bce673a898ae9363d
                            • Opcode Fuzzy Hash: e579de8c46938de720f795dcf8e311fe8336e4e33705cdd868788d4a211bbe2f
                            • Instruction Fuzzy Hash: 570126B2D0CA9D8FDB45EBA4C41A6ED7BF0FF25201F4501FBD048C7192DA28984087C1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f03d57c43a9cbb18cb3d08f3924236474eff5103629d941139de7e5dd8d1a62a
                            • Instruction ID: ca4c8a21267b29f3ca33517175ecf7113554fad85cf09c1d140c1676f1c1aba8
                            • Opcode Fuzzy Hash: f03d57c43a9cbb18cb3d08f3924236474eff5103629d941139de7e5dd8d1a62a
                            • Instruction Fuzzy Hash: 97F02E35828B8C8FEB41BF20C8011AA7B64FB55328F00068BF86CC3091EB24D268C782
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 341de092fd7f837542cf6c89c1482d7a2e6179def7682cf04cba8eec959abf4a
                            • Instruction ID: 8180e520e2f1e76c9526ee53def48a38bd1cd53ecf0f9dd486569781c130adc0
                            • Opcode Fuzzy Hash: 341de092fd7f837542cf6c89c1482d7a2e6179def7682cf04cba8eec959abf4a
                            • Instruction Fuzzy Hash: 2EF0A97490D4028BF216DF2AC1406A837A1AF96314F488674C02D836D2DE28E85A87C0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6d644b17164f990b22cafc8d8568c90c470b762405a38a2dc7113b882159fd5
                            • Instruction ID: 89398b73644b426b5512e1376d412450b319f5118f18f95664757c75daf92105
                            • Opcode Fuzzy Hash: c6d644b17164f990b22cafc8d8568c90c470b762405a38a2dc7113b882159fd5
                            • Instruction Fuzzy Hash: 94D0C200C4E2C24BF70B23B80C425947F608A031A0F4942D1D458C70D3E84D949E43B2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
                            • Instruction ID: f62475327811579d1ec488ff5a3d5ddfc8fe648cba38cdee643bc823a6c55d09
                            • Opcode Fuzzy Hash: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
                            • Instruction Fuzzy Hash: 61B09200E7F88688A40A3B79094B0A8BB60AB8B124FD444B0D48C80082984E54AA42C2
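The records above are the report's per-function similarity entries. The following Python is added by the editor and is not part of the Joe Sandbox report or its tooling; it parses that layout into rows and computes the checks an analyst wants before opening the snapshot: how many memory regions the functions came from, whether any carry an API ID or String ID, and whether any two functions share an Opcode ID. Two records are copied from the page as sample input. The dotted fields inside the .sdmp file name are not decoded because the report does not document them, and reading a shared Opcode ID as "same opcode sequence, different operands" is an assumption about how the hash is built.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records into rows for triage.

Example code added by the editor; not Joe Sandbox code. Only the fields the
report prints are used, the .sdmp name is kept opaque (its layout is undocumented here).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: two records copied verbatim from the report layout.
SAMPLE = """\
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a89834cc226c53b72c9c25025314dad12dbf1bb55b22c4e19aaa0761e07e67aa
                            • Instruction ID: dcb11d2febfd0031b7a5d6368db2bbdc13d90dc5e64308e1105d89676d9aa436
                            • Opcode Fuzzy Hash: a89834cc226c53b72c9c25025314dad12dbf1bb55b22c4e19aaa0761e07e67aa
                            • Instruction Fuzzy Hash: 1C418FB4949A1C8FEF9CEF68D455BA97BE0FB55311F00416EE00EC3691CB35E8468B81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2211278466.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffaaccc0000_XClient.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d5eb9c8414680bb291f8aef8c497a9589f3a5c6b1c053497eeff05b538334ded
                            • Instruction ID: 7084c2f4e31fbcbedcc7dac756cd7e06364766d57fd8cf569d9109f66c89dc33
                            • Opcode Fuzzy Hash: d5eb9c8414680bb291f8aef8c497a9589f3a5c6b1c053497eeff05b538334ded
                            • Instruction Fuzzy Hash: 3A412671A0D64C8FEB55EB38C8116E97BE1FF56320F0546FAE04DC3193DA28E8468781
"""


@dataclass
class FunctionRecord:
    source_file: str      # the .sdmp dump the function was lifted from (kept opaque)
    offset: int           # load address of the dump, parsed from the hex string
    based_on_pe: bool     # False: region not backed by an on-disk PE image
    snapshot: str
    api_id: str
    string_id: str
    api_string_id: str
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str


# "• Label: value" lines; the label stops at the first colon.
BULLET = re.compile(r"^\s*[•*-]?\s*([A-Za-z ]+?):\s*(.*?)\s*$")
# "file, Offset: hex, based on PE: true|false" as printed on the Source File line.
SOURCE = re.compile(
    r"^(?P<file>[^,\s]+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)",
    re.I,
)


def parse_records(text):
    """Split on each 'Memory Dump Source' heading and collect that record's bullets."""
    records = []
    for chunk in re.split(r"^\s*Memory Dump Source\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = BULLET.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "Opcode ID" not in fields:
            continue  # leading text or a truncated record: skip, do not guess
        src = SOURCE.match(fields.get("Source File", ""))
        if not src:
            continue
        records.append(FunctionRecord(
            source_file=src["file"],
            offset=int(src["off"], 16),
            based_on_pe=src["pe"].lower() == "true",
            snapshot=fields.get("Snapshot File", ""),
            api_id=fields.get("API ID", ""),
            string_id=fields.get("String ID", ""),
            api_string_id=fields.get("API String ID", ""),
            opcode_id=fields["Opcode ID"],
            instruction_id=fields.get("Instruction ID", ""),
            opcode_fuzzy=fields.get("Opcode Fuzzy Hash", ""),
            instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
        ))
    return records


def triage(records):
    """Counts worth knowing before opening the disassembly snapshot."""
    regions = defaultdict(int)
    for r in records:
        regions[(r.source_file, r.based_on_pe)] += 1
    return {
        "functions": len(records),
        "regions": dict(regions),
        "with_api_id": sum(1 for r in records if r.api_id),
        "with_string_id": sum(1 for r in records if r.string_id),
        "not_pe_backed": sum(1 for r in records if not r.based_on_pe),
        # In this report Opcode ID and Opcode Fuzzy Hash are printed identically.
        "opcode_id_equals_fuzzy": all(r.opcode_id == r.opcode_fuzzy for r in records),
    }


def group_by_opcode(records):
    """Opcode IDs shared by more than one function (assumed: same opcode
    sequence, different operands), i.e. candidates for one shared signature."""
    groups = defaultdict(list)
    for r in records:
        groups[r.opcode_id].append(r.instruction_id)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(triage(recs))
    print(group_by_opcode(recs))
```

Run over this whole section, every record comes from the same dump at offset 00007FFAACCC0000 with "based on PE: false" and empty API, String and API String IDs, so these hashes can match the functions against other samples but cannot name them; the API-level behaviour has to come from the report's signature and network sections instead.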