Edit tour

Windows Analysis Report
1LFcs1ZJy2.exe

Overview

General Information

Sample name:	1LFcs1ZJy2.exe renamed because original name is a hash value
Original sample name:	d3d4e37cd7a27366db914f08d48d65bf4fc257c34b8c2ddd679b60be97c91cc5.exe
Analysis ID:	1561589
MD5:	96c63c560697e1e6df07cf6db078500c
SHA1:	b057f8fb6d927b76508da85d221032d9612183dd
SHA256:	d3d4e37cd7a27366db914f08d48d65bf4fc257c34b8c2ddd679b60be97c91cc5
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1LFcs1ZJy2.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\1LFcs1ZJy2.exe" MD5: 96C63C560697E1E6DF07CF6DB078500C)

schtasks.exe (PID: 1600 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 6580 cmdline: C:\Windows\system32\WerFault.exe -u -p 6512 -s 2088 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

XClient.exe (PID: 5628 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 96C63C560697E1E6DF07CF6DB078500C)

XClient.exe (PID: 6984 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 96C63C560697E1E6DF07CF6DB078500C)

XClient.exe (PID: 7064 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 96C63C560697E1E6DF07CF6DB078500C)

XClient.exe (PID: 4268 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 96C63C560697E1E6DF07CF6DB078500C)

XClient.exe (PID: 1876 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 96C63C560697E1E6DF07CF6DB078500C)

XClient.exe (PID: 1248 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 96C63C560697E1E6DF07CF6DB078500C)

XClient.exe (PID: 612 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 96C63C560697E1E6DF07CF6DB078500C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["sales-mathematical.gl.at.ply.gg"], "Port": 2708, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1LFcs1ZJy2.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1LFcs1ZJy2.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7532:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x75cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x76e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x736e:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7532:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x75cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x76e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x736e:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7332:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x73cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x74e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x716e:$cnc4: POST / HTTP/1.1
Process Memory Space: 1LFcs1ZJy2.exe PID: 6512	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1LFcs1ZJy2.exe.940000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.1LFcs1ZJy2.exe.940000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7532:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x75cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x76e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x736e:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1LFcs1ZJy2.exe, ProcessId: 6512, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\1LFcs1ZJy2.exe, ProcessId: 6512, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\1LFcs1ZJy2.exe", ParentImage: C:\Users\user\Desktop\1LFcs1ZJy2.exe, ParentProcessId: 6512, ParentProcessName: 1LFcs1ZJy2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", ProcessId: 1600, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:08:01.442600+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	49900	147.185.221.24	2708	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1LFcs1ZJy2.exe

Avira: detected

Antivirus detection for URL or domain

Source: sales-mathematical.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 1LFcs1ZJy2.exe

Malware Configuration Extractor: Xworm {"C2 url": ["sales-mathematical.gl.at.ply.gg"], "Port": 2708, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: 1LFcs1ZJy2.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1LFcs1ZJy2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1LFcs1ZJy2.exe	String decryptor: sales-mathematical.gl.at.ply.gg
Source: 1LFcs1ZJy2.exe	String decryptor: 2708
Source: 1LFcs1ZJy2.exe	String decryptor: <123456789>
Source: 1LFcs1ZJy2.exe	String decryptor: <Xwormmm>
Source: 1LFcs1ZJy2.exe	String decryptor: XWorm V5.6
Source: 1LFcs1ZJy2.exe	String decryptor: USB.exe
Source: 1LFcs1ZJy2.exe	String decryptor: %AppData%
Source: 1LFcs1ZJy2.exe	String decryptor: XClient.exe

Source: 1LFcs1ZJy2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1LFcs1ZJy2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: 2.PDB source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdbSystem.Core.ni.dll source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbed source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BAD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: *Win32_OperatingSystemblib.pdbaB! source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 5c561934e089\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BAD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: *Win32_VideoControllerb.pdb?B source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA60000.00000004.00000020.00020000.00000000.sdmp, WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6EFF.tmp.dmp.14.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 147.185.221.24:2708
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49900 -> 147.185.221.24:2708

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: sales-mathematical.gl.at.ply.gg

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 147.185.221.24:2708

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sales-mathematical.gl.at.ply.gg

Source: XClient.exe, 00000009.00000002.2691426154.0000000000669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: 1LFcs1ZJy2.exe, 00000000.00000002.4142754662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 1LFcs1ZJy2.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1LFcs1ZJy2.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Code function: 0_2_00007FF848F40E79	0_2_00007FF848F40E79
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Code function: 0_2_00007FF848F47EF2	0_2_00007FF848F47EF2
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Code function: 0_2_00007FF848F47146	0_2_00007FF848F47146
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Code function: 0_2_00007FF848F41799	0_2_00007FF848F41799
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F10E79	4_2_00007FF848F10E79
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F11799	4_2_00007FF848F11799
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 5_2_00007FF848F10E79	5_2_00007FF848F10E79
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 5_2_00007FF848F11799	5_2_00007FF848F11799
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 7_2_00007FF848F10E79	7_2_00007FF848F10E79
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 7_2_00007FF848F11799	7_2_00007FF848F11799
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 9_2_00007FF848F30E79	9_2_00007FF848F30E79
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 9_2_00007FF848F31799	9_2_00007FF848F31799
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FF848F30E79	10_2_00007FF848F30E79
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FF848F31799	10_2_00007FF848F31799
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 13_2_00007FF848F00E79	13_2_00007FF848F00E79
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 13_2_00007FF848F01799	13_2_00007FF848F01799
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 16_2_00007FF848F20E79	16_2_00007FF848F20E79

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6512 -s 2088

Source: 1LFcs1ZJy2.exe, 00000000.00000000.2014460124.000000000094C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGorilla Tag.exe4 vs 1LFcs1ZJy2.exe
Source: 1LFcs1ZJy2.exe	Binary or memory string: OriginalFilenameGorilla Tag.exe4 vs 1LFcs1ZJy2.exe

Source: 1LFcs1ZJy2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1LFcs1ZJy2.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1LFcs1ZJy2.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 1LFcs1ZJy2.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1LFcs1ZJy2.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1LFcs1ZJy2.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: XClient.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1LFcs1ZJy2.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1LFcs1ZJy2.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/8@1/1

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Mutant created: \Sessions\1\BaseNamedObjects\mzmCBahaAVHfld9a
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6512

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1142c6ae-5140-4cb1-9bfa-166d5abf8664

Jump to behavior

Source: 1LFcs1ZJy2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1LFcs1ZJy2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1LFcs1ZJy2.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

File read: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1LFcs1ZJy2.exe "C:\Users\user\Desktop\1LFcs1ZJy2.exe"
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6512 -s 2088
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: XClient.lnk.0.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1LFcs1ZJy2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1LFcs1ZJy2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: 2.PDB source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdbSystem.Core.ni.dll source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbed source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BAD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: *Win32_OperatingSystemblib.pdbaB! source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 5c561934e089\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BAD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: *Win32_VideoControllerb.pdb?B source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA60000.00000004.00000020.00020000.00000000.sdmp, WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 1LFcs1ZJy2.exe, 00000000.00000002.4152300888.000000001BF48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER6EFF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6EFF.tmp.dmp.14.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1LFcs1ZJy2.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1LFcs1ZJy2.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 1LFcs1ZJy2.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1LFcs1ZJy2.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1LFcs1ZJy2.exe, Messages.cs	.Net Code: Memory
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F100BD pushad ; iretd	4_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 5_2_00007FF848F100BD pushad ; iretd	5_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 7_2_00007FF848F100BD pushad ; iretd	7_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 9_2_00007FF848F300BD pushad ; iretd	9_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FF848F300BD pushad ; iretd	10_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 16_2_00007FF848F200BD pushad ; iretd	16_2_00007FF848F200C1

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Memory allocated: 1AC10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A5C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A810000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Window / User API: threadDelayed 2992			Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Window / User API: threadDelayed 6859			Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe TID: 6544	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe TID: 2352	Thread sleep count: 2992 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe TID: 2352	Thread sleep count: 6859 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 1576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 1196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 2520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 5044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWleSe%SystemRoot%\system32\mswsock.dllb.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication" />
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"

Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Queries volume information: C:\Users\user\Desktop\1LFcs1ZJy2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA9E000.00000004.00000020.00020000.00000000.sdmp, 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA10000.00000004.00000020.00020000.00000000.sdmp, 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BABE000.00000004.00000020.00020000.00000000.sdmp, 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BA60000.00000004.00000020.00020000.00000000.sdmp, 1LFcs1ZJy2.exe, 00000000.00000002.4151721846.000000001BAD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1LFcs1ZJy2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 1LFcs1ZJy2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1LFcs1ZJy2.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1LFcs1ZJy2.exe PID: 6512, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 1LFcs1ZJy2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1LFcs1ZJy2.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1LFcs1ZJy2.exe PID: 6512, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	231 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
1LFcs1ZJy2.exe	87%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
1LFcs1ZJy2.exe	100%	Avira	HEUR/AGEN.1305769
1LFcs1ZJy2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	87%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
sales-mathematical.gl.at.ply.gg	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sales-mathematical.gl.at.ply.gg	147.185.221.24	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sales-mathematical.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://upx.sf.net	Amcache.hve.14.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1LFcs1ZJy2.exe, 00000000.00000002.4142754662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false	high
http://go.mic	XClient.exe, 00000009.00000002.2691426154.0000000000669000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	sales-mathematical.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561589
Start date and time:	2024-11-23 21:05:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1LFcs1ZJy2.exe renamed because original name is a hash value
Original Sample Name:	d3d4e37cd7a27366db914f08d48d65bf4fc257c34b8c2ddd679b60be97c91cc5.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/8@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 96 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 1LFcs1ZJy2.exe, PID 6512 because it is empty
Execution Graph export aborted for target XClient.exe, PID 1248 because it is empty
Execution Graph export aborted for target XClient.exe, PID 1876 because it is empty
Execution Graph export aborted for target XClient.exe, PID 4268 because it is empty
Execution Graph export aborted for target XClient.exe, PID 5628 because it is empty
Execution Graph export aborted for target XClient.exe, PID 612 because it is empty
Execution Graph export aborted for target XClient.exe, PID 6984 because it is empty
Execution Graph export aborted for target XClient.exe, PID 7064 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 1LFcs1ZJy2.exe

Simulations

Behavior and APIs

Time	Type	Description
15:06:02	API Interceptor	8072694x Sleep call for process: 1LFcs1ZJy2.exe modified
15:09:29	API Interceptor	1x Sleep call for process: WerFault.exe modified
21:06:02	Task Scheduler	Run new task: XClient path: C:\Users\user\AppData\Roaming\XClient.exe
21:06:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
21:06:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
21:06:19	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	enigma_loader.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	exe006.exe	Get hash	malicious	SheetRat	Browse	147.185.221.23
	exe003.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	OXhiMvksgM.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	147.185.221.23
	eternal.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	svchost.exe	Get hash	malicious	Unknown	Browse	147.185.221.23

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1LFcs1ZJy2.exe_73fc80f9f32ec3627adb6e84ef30b754d077e0_089bc09d_1781eaf7-9379-4f4a-b314-2a9ae27ff6a7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3526127804599533
Encrypted:	false
SSDEEP:	192:QJKLTHN081iHBaWz8iyX8CNlWu3zuiFnZ24lO830:6eTu81iha48i/SWGzuiFnY4lO830
MD5:	81A3996B1CF68DA2654E4316E71FC733
SHA1:	4D9F7A0B7EDA0D239EFF3D496CD6E59CA0D6F06F
SHA-256:	A0CFC4594998BE52BD83A1E339990795A336E229FA4863119B9DFA91C2467AAD
SHA-512:	97AE24B0D582FA5DC58748AC64FC41192C1125D6AE2AFD9089CFC225C9C84F8B0E9FC007E4E8E17102350667CE09C9C48C53CC5D76BED855F26A7ACDCD2DE819
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.6.6.1.4.1.2.1.1.9.1.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.6.6.1.4.1.9.1.5.0.3.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.8.1.e.a.f.7.-.9.3.7.9.-.4.f.4.a.-.b.3.1.4.-.2.a.9.a.e.2.7.f.f.6.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.6.e.d.5.7.9.-.f.d.9.3.-.4.2.5.5.-.b.8.1.3.-.a.2.6.f.8.1.c.1.4.4.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.1.L.F.c.s.1.Z.J.y.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.G.o.r.i.l.l.a. .T.a.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.7.0.-.0.0.0.1.-.0.0.1.4.-.7.c.2.c.-.e.5.1.b.e.3.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.7.d.d.a.2.f.0.4.1.4.8.9.d.f.1.7.8.8.8.d.b.d.8.5.5.7.3.f.0.9.0.0.0.0.0.0.0.0.!.0.0.0.0.b.0.5.7.f.8.f.b.6.d.9.2.7.b.7.6.5.0.8.d.a.8.5.d.2.2.1.0.3.2.d.9.6.1.2.1.8.3.d.d.!.1.L.F.c.s.1.Z.J.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6EFF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sat Nov 23 20:09:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	497217
Entropy (8bit):	3.0841718219561267
Encrypted:	false
SSDEEP:	3072:WPpGhS2cx6Q4+xcSY1PTy6xRmWT1CCqZseefbkwphrWRorUIx3+v2zd:ukSHFY17yALqZseefQwphrQeUa3Qc
MD5:	844D542091B6E3034B4900BE857ED67E
SHA1:	AC920C7DBA89BBD15CF24DA8DFF26D5783CAB050
SHA-256:	80DD6274CFCE11F452156A48BE5EED83B59933B08F64671C3552FD1868116C03
SHA-512:	6A678D007BCDC4EB32FA7630A65C795C9E8E32D48BEF59E2D03A6B718CFFD3D0681B155E49672B00C72BAB138E9C80A98EE022C5482106CF8196F4A3988A40F8
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......]6Bg.........................&..........$....0...........0.......?..............l.......8...........T...........xQ...D...........>..........x@..............................................................................eJ.......A......Lw......................T.......p....5Bg....S........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70C5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8944
Entropy (8bit):	3.701692021598311
Encrypted:	false
SSDEEP:	192:R6l7wVeJYsZj6YEIGOggmfZN8pprB89bdRRPeHCftfm:R6lXJrd6YEZOggmfTrdXPeHCfY
MD5:	DC921E1EFB00D44FF3DB886D663CEBB3
SHA1:	39EEFAA83EDEC1D70075AFB1C1B494EC5F2F64C0
SHA-256:	784D8388287310716FB2F044317C051E49409FA03C0CF75103003A0AD0880FDC
SHA-512:	F4B71658A6DAE675472C74D4AD30A4CB037200EE6C0948CD72FED5C1653646E7899280AC19629B41DB78C14AD150385172825A4C7D45CD9424528606FA8EA1AC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7104.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4792
Entropy (8bit):	4.460194923552557
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg771I9KVWpW8VYtYm8M4J0KNecFyyq8vdKNe8AttFud:uIjfmI7lk7V5J0hWd6AvFud
MD5:	6FCD78EAB0CFFD7D7505D35E43186459
SHA1:	5705BFADAB4261FD24DA3941C0369639148F1E77
SHA-256:	88576BA5424C822ED445BF829EF5DE8C12F5A4F63B676378032A41688F0D269C
SHA-512:	3052E18681423D343851A8CBEA3095F82CFEC2A7B92CFC7212BC3EC7A1B52E05C932A48BFCE109562C21ACB1D521A4F52152E39B80EACD6ADE8D21AAD080876B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="601151" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\1LFcs1ZJy2.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 19:06:01 2024, mtime=Sat Nov 23 19:06:01 2024, atime=Sat Nov 23 19:06:01 2024, length=35840, window=hide
Category:	dropped
Size (bytes):	765
Entropy (8bit):	5.0123478205226935
Encrypted:	false
SSDEEP:	12:8e+a24fxYsw88CKlsY//d3xVSL2pC6PjAOzvHklFoLCmV:8wfxYsL8hZrVs2pdA68lFoLCm
MD5:	3C5565E0AE0E615F29E892FD1ABDB60D
SHA1:	681BF02EE8CCD7CC752A521FE1AD823F73B8CDAB
SHA-256:	D41F1496732F6466DF3A30D9BC779CEA194FD6F421E8E7387F3C3CA82F5EAC57
SHA-512:	D8070AC8FBF9CF66E28FA9B2D2E1CC0802929D776CC305FC8B586A310A95EF00A2078673E5814B963323F885396CA5D8475E2F2CFC29B6F117DFD5190A8120F3
Malicious:	false
Preview:	L..................F.... ....'...=...'...=...'...=..........................v.:..DG..Yr?.D..U..k0.&...&...... M..........=..x....=......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlwY......B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....wY....Roaming.@......DWSlwY......C.....................@...R.o.a.m.i.n.g.....b.2.....wY.. .XClient.exe.H......wY..wY......x.......................3.X.C.l.i.e.n.t...e.x.e.......Z...............-.......Y............c8......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......494126...........hT..CrF.f4... .{2=.b...,...W..hT..CrF.f4... .{2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\1LFcs1ZJy2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.557229789688029
Encrypted:	false
SSDEEP:	768:7DMfF7zLKYs2Byj54uddqL89Fk9wwO/hC/q27:7kF7HKYs/1ddbFk9wwO/sC27
MD5:	96C63C560697E1E6DF07CF6DB078500C
SHA1:	B057F8FB6D927B76508DA85D221032D9612183DD
SHA-256:	D3D4E37CD7A27366DB914F08D48D65BF4FC257C34B8C2DDD679B60BE97C91CC5
SHA-512:	08C761551F06132618235BA68EF009A72EFAF43E99BF8D499388976E7A3491E693B12F7F26E285D84A98C0ABC3DEAFECDA719072D12B44F1C6C6A627BDA0DB63
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.@g................................. ........@.. ....................................@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........S...L............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4216998427634895
Encrypted:	false
SSDEEP:	6144:MSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN80uhiTw:3vloTMW+EZMM6DFyG03w
MD5:	E6EBF41C6059B7CE6B1B7E45A1CF740E
SHA1:	ACBA2ECED44C7EB7C9063866803520C78F5D85BB
SHA-256:	0C116F747DA862B074BD7B3717AE9103C0C09904D27C4218D20BEAAA3170192F
SHA-512:	21AF89DAB00DAEA9824E8D2810456736EE44B3E56F1D35799353B730F2304A96B3285AEF7DDFDC8EAAD70A85BF085C56665A8D77EC76991F492AAF1266912CDC
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..x..=...............................................................................................................................................................................................................................................................................................................................................6o.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.557229789688029
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1LFcs1ZJy2.exe
File size:	35'840 bytes
MD5:	96c63c560697e1e6df07cf6db078500c
SHA1:	b057f8fb6d927b76508da85d221032d9612183dd
SHA256:	d3d4e37cd7a27366db914f08d48d65bf4fc257c34b8c2ddd679b60be97c91cc5
SHA512:	08c761551f06132618235ba68ef009a72efaf43e99bf8d499388976e7a3491e693b12f7f26e285d84a98c0abc3deafecda719072d12b44f1c6c6a627bda0db63
SSDEEP:	768:7DMfF7zLKYs2Byj54uddqL89Fk9wwO/hC/q27:7kF7HKYs/1ddbFk9wwO/sC27
TLSH:	66F24B4877A04321DAFD6FF51EB3A2164275B5178813EB5F0CC889DA6B736C28A007F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.@g................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40a09e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740CA60 [Fri Nov 22 18:16:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa04c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x80a4	0x8200	087693bdf71b41ae10456dde01156bc8	False	0.4935997596153846	data	5.694252963601133	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4e8	0x600	fd56861d8bdf4ce8df8cd009b3a9d863	False	0.3776041666666667	data	3.7489805501507396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	204b722f0778313166bf16ae062f0116	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x254	data			0.4697986577181208
RT_MANIFEST	0xc2f8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T21:06:17.981329+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49704	147.185.221.24	2708	TCP
2024-11-23T21:08:01.442600+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49900	147.185.221.24	2708	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 21:06:03.290201902 CET	49704	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:03.416819096 CET	2708	49704	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:03.416951895 CET	49704	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:03.941726923 CET	49704	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:04.065387011 CET	2708	49704	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:17.981328964 CET	49704	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:18.100950003 CET	2708	49704	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:25.351547956 CET	2708	49704	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:25.351711035 CET	49704	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:27.583025932 CET	49704	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:27.585110903 CET	49728	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:27.703007936 CET	2708	49704	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:27.705015898 CET	2708	49728	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:27.705100060 CET	49728	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:27.946312904 CET	49728	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:28.065948963 CET	2708	49728	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:40.289624929 CET	49728	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:40.409691095 CET	2708	49728	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:49.673983097 CET	2708	49728	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:49.674133062 CET	49728	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:51.020622015 CET	49728	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:51.022573948 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:51.144402981 CET	2708	49728	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:51.146369934 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:06:51.146667957 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:51.179342985 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:06:51.312382936 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:05.070900917 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:05.196266890 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:07.337701082 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:07.457329035 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:07.457402945 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:07.577027082 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:07.577151060 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:07.696661949 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:10.926907063 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:11.046412945 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:12.474215031 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:12.598948002 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:12.599035025 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:12.719820976 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:13.071554899 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:13.072629929 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:17.599595070 CET	49779	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:17.601110935 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:17.719114065 CET	2708	49779	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:17.732533932 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:17.732712984 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:17.951981068 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:18.076667070 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:18.076745033 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:18.196289062 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:25.930515051 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:26.056885958 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:38.398597002 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:38.518275976 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:39.145967007 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:39.265575886 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:39.265666008 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:39.386452913 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:39.386533022 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:39.509349108 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:39.509440899 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:39.629053116 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:39.629121065 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:39.706125021 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:39.706191063 CET	49840	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:39.749377966 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:39.827049017 CET	2708	49840	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:44.666541100 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:44.786714077 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:44.789189100 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:44.981362104 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:45.101031065 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:45.101087093 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:45.223243952 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:45.223323107 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:45.348905087 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:45.348961115 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:45.469485998 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:45.469538927 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:45.589162111 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:52.820444107 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:52.940076113 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:55.458300114 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:55.584616899 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:07:55.584695101 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:07:55.704118967 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:00.911984921 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:01.031903982 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:01.442600012 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:01.562160969 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:06.737849951 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:06.737905979 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:10.598783970 CET	49900	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:10.601248980 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:10.721796989 CET	2708	49900	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:10.724858046 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:10.724956036 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:10.765263081 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:10.983211994 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:10.983279943 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:11.102993011 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:11.105724096 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:11.225327969 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:11.240631104 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:11.441591978 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:16.864583015 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:17.083189011 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:17.083254099 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:17.203941107 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:18.630577087 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:18.755294085 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:24.552196980 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:24.973700047 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:25.114257097 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:25.477101088 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:27.552246094 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:27.719805002 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:29.552105904 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:29.671763897 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:32.816634893 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:32.818825960 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:34.551950932 CET	49956	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:34.554214001 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:34.701811075 CET	2708	49956	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:34.701848984 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:34.701958895 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:34.829484940 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:35.027793884 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:35.192991018 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:35.319356918 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:45.522259951 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:45.641762972 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:46.083487034 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:46.209012032 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:47.463423014 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:47.589190960 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:55.958446026 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:56.078779936 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:56.318110943 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:56.437810898 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:56.437901974 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:08:56.557427883 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:56.676302910 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:08:56.676369905 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:01.383081913 CET	49983	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:01.386010885 CET	49984	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:01.515825033 CET	2708	49983	147.185.221.24	192.168.2.5
Nov 23, 2024 21:09:01.515847921 CET	2708	49984	147.185.221.24	192.168.2.5
Nov 23, 2024 21:09:01.516074896 CET	49984	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:23.480103970 CET	2708	49984	147.185.221.24	192.168.2.5
Nov 23, 2024 21:09:23.481282949 CET	49984	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:30.381970882 CET	49984	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:30.382411003 CET	49984	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:30.383614063 CET	49996	2708	192.168.2.5	147.185.221.24
Nov 23, 2024 21:09:30.502722025 CET	2708	49984	147.185.221.24	192.168.2.5
Nov 23, 2024 21:09:30.503129959 CET	2708	49984	147.185.221.24	192.168.2.5
Nov 23, 2024 21:09:30.504551888 CET	2708	49996	147.185.221.24	192.168.2.5
Nov 23, 2024 21:09:30.504614115 CET	49996	2708	192.168.2.5	147.185.221.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 21:06:02.845118046 CET	51859	53	192.168.2.5	1.1.1.1
Nov 23, 2024 21:06:03.183206081 CET	53	51859	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 21:06:02.845118046 CET	192.168.2.5	1.1.1.1	0x6458	Standard query (0)	sales-mathematical.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 21:06:03.183206081 CET	1.1.1.1	192.168.2.5	0x6458	No error (0)	sales-mathematical.gl.at.ply.gg		147.185.221.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:05:57
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\1LFcs1ZJy2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1LFcs1ZJy2.exe"
Imagebase:	0x940000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2014444732.0000000000942000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:06:01
Start date:	23/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x7ff687000000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:06:01
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:06:02
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0x5d0000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:06:11
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x700000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:06:19
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x2c0000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:07:01
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0x230000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:08:00
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0xc70000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:09:00
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0xe0000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:09:01
Start date:	23/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6512 -s 2088
Imagebase:	0x7ff74d130000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:10:01
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0x460000
File size:	35'840 bytes
MD5 hash:	96C63C560697E1E6DF07CF6DB078500C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF848F40E79 Relevance: 2.0, Strings: 1, Instructions: 737COMMON

Download Yara Rule

Strings

SAL_^, xrefs: 00007FF848F410D1

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID: SAL_^
API String ID: 0-3687847113
Opcode ID: 41e86c06fd837a119134063f1fc2da3bc4ffc8d8c95d9aed13c13d7dd60b0ba5
Instruction ID: 036ce2812b1ce5e09b78bf66250ba67dc8b38d1ff52829ab3fe61a10ff6e8ace
Opcode Fuzzy Hash: 41e86c06fd837a119134063f1fc2da3bc4ffc8d8c95d9aed13c13d7dd60b0ba5
Instruction Fuzzy Hash: 4E32D630B2DA199FE794FB3884566B977E2FF98B80F44057AD40EC32D6DE2CA8418745

Function 00007FF848F47146 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf62255443d84859a3e6b78f6008ecce34b69fd3d82605f367c03fa9edf38610
Instruction ID: c6ed77001788e3009448b8da755038ae418978734691fb7cdd486a7000724d20
Opcode Fuzzy Hash: bf62255443d84859a3e6b78f6008ecce34b69fd3d82605f367c03fa9edf38610
Instruction Fuzzy Hash: 65F1933090CA8D8FEBA8EF28C8557F977D1FF64750F04426AE84DC7291DB3899458B81

Function 00007FF848F47EF2 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c49f918e7519976e9ea2829eaf1b9b6f6dd10da51068a5f5b251bd15a2132b7
Instruction ID: 801296054baad5569a1c3b6b864b359f3413ccb4e54b6f5e708db6365a62f5ef
Opcode Fuzzy Hash: 4c49f918e7519976e9ea2829eaf1b9b6f6dd10da51068a5f5b251bd15a2132b7
Instruction Fuzzy Hash: D6E1B33091CA8E8FEBA8EF28C8557E977D1FB64750F44426ED84DC7291CF78A9448B81

Function 00007FF848F41799 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1065c26dd48701c1aa9440e1cd49d308c3a1668fda68d4949506bdc899d6bdcc
Instruction ID: cabe55deae986b1c9fcf3a6031a3cddeefabf2ca66b49e6bde59e924744f1287
Opcode Fuzzy Hash: 1065c26dd48701c1aa9440e1cd49d308c3a1668fda68d4949506bdc899d6bdcc
Instruction Fuzzy Hash: 4F511F20A1E6C95FD786AB385868276BFD1EFA7655F1804FBE08DC71D3DE084886C306

Function 00007FF848F487D1 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848F48833

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a585110e4b6b6640b5367cfbc408e2da891de492ef3e61b42fd1c53881b57e24
Instruction ID: 2776f9a7090e13675590ae77043ca89fbdf0df1237c4c0a62c52a4c4c6e8e5b9
Opcode Fuzzy Hash: a585110e4b6b6640b5367cfbc408e2da891de492ef3e61b42fd1c53881b57e24
Instruction Fuzzy Hash: AE112232D1C2994FEB44BB6488192FDBBA0EF69750F55017BC809F32C2DB2CA8409385

Function 00007FF848F424D9 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

SAL_^, xrefs: 00007FF848F424F6

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID: SAL_^
API String ID: 0-3687847113
Opcode ID: 17d2e22e25b6ce432b92cdf35e6d130c2657a0d78d2f356b5a8d9f9647b0057e
Instruction ID: ca413071ef5fef81bec02883473fbd64855d999dc1e5a188dc8feafe53e1fe7e
Opcode Fuzzy Hash: 17d2e22e25b6ce432b92cdf35e6d130c2657a0d78d2f356b5a8d9f9647b0057e
Instruction Fuzzy Hash: C4F0AF30E1D2024BF364F778841267D25A2AFE4BA0F540579E00DD62C7DF3CA8024249

Function 00007FF848F42EF5 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4eaab3f1ce4f3ca80b2dcb49d837283b021953d79c977313478de7d710c06ea
Instruction ID: 4bdccdae191be6b8429689b65fdc9d1a22bdca7cdc7feb7436f93536fc960f32
Opcode Fuzzy Hash: d4eaab3f1ce4f3ca80b2dcb49d837283b021953d79c977313478de7d710c06ea
Instruction Fuzzy Hash: 43C14732F1D9894FE399A73C1419279ABE1FFA5B90F4801BAD04DD32CBDE2C98068345

Function 00007FF848F48DD5 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53c5bcaa41629ae922ffe5766f5ddbe3dc375b860f5d54977689cf9a014b57d
Instruction ID: 75de3e4727e19dbe5c0dad3936354185cf9f4fd2939bc3d07c25f67b4f86e147
Opcode Fuzzy Hash: c53c5bcaa41629ae922ffe5766f5ddbe3dc375b860f5d54977689cf9a014b57d
Instruction Fuzzy Hash: 2EC12630E2D94A9FE755FB3888562B87BE1FF54B90F4401BAD00DD31D2DF28A8468385

Function 00007FF848F406F8 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef7e5b3c1924c1462b3c6f6d91bb6a02fdd77a54274a63905c42e3de3d90d52
Instruction ID: 9b397e9ef794d3d08cbbdfa5c55f7e7652e17b5c242efbdf52341588fed4f328
Opcode Fuzzy Hash: fef7e5b3c1924c1462b3c6f6d91bb6a02fdd77a54274a63905c42e3de3d90d52
Instruction Fuzzy Hash: 89A10431F1D9094FE798B72C54597BAAAE2FFA8790F54067AD00ED33C6DE2C58024385

Function 00007FF848F47B06 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6f6e1c2be6b0c0aa44e209d7873e9b9111b672c322be36c7e6441061759754
Instruction ID: bb26a9ec45b97f6465e7f3f468c6b04e5200b4ea39824df4a40bd196f2bb7c4b
Opcode Fuzzy Hash: 9f6f6e1c2be6b0c0aa44e209d7873e9b9111b672c322be36c7e6441061759754
Instruction Fuzzy Hash: 46B1C43050CA8D4FEB68EF28D8557E93BE1EF65350F04426EE84DC7292CF7899458B86

Function 00007FF848F433E5 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13314ec6342419083b91c2dedd9910f301c4b8419f21e9dbcbde4654ceb1aba
Instruction ID: 98d75ce9ae6eb3d2025da1cee807513a3e8cbfacc4f6d0bd6bb2c72c341763d9
Opcode Fuzzy Hash: b13314ec6342419083b91c2dedd9910f301c4b8419f21e9dbcbde4654ceb1aba
Instruction Fuzzy Hash: 5391C72072E905DFE644B76C9856776B3D3FFA8744F6406B6D008D32D7DE2CA8418366

Function 00007FF848F40700 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5a70afbff72c4117c912ca0b7a4b1d99e6dba84d14b461875e9eecb3fd2cd2
Instruction ID: cf021bc585d7256619c1cd6f07b07cd2906bd1902f02f5cc1bfb4699b95b52d4
Opcode Fuzzy Hash: 1f5a70afbff72c4117c912ca0b7a4b1d99e6dba84d14b461875e9eecb3fd2cd2
Instruction Fuzzy Hash: 3D81A53072A905DBE684B76C945677AB2D3FFA8B44F640676E00DD32D6DE2CB8418362

Function 00007FF848F4929D Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee6a0ea1d79ce400af74fd2e70905ffad2476672ba92746c8f5dc3c31f50bb9
Instruction ID: a6550bfadc7d4e932eeee063cc93323e460188e9ff65414ab3666063ba544404
Opcode Fuzzy Hash: eee6a0ea1d79ce400af74fd2e70905ffad2476672ba92746c8f5dc3c31f50bb9
Instruction Fuzzy Hash: 8E71E431B1C9494FDB95EB28D859AF9B7E1FFA9750F1401BAD00DD36E2CE28A841C741

Function 00007FF848F405A0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cf2d2e0d81e56908ac32a94ce12b5204d476b53a85c053c835982fdb81c2ff
Instruction ID: 658ab298d90fda340dde4296bcffbbba1938726a353e042d64031dc6c9975eba
Opcode Fuzzy Hash: 95cf2d2e0d81e56908ac32a94ce12b5204d476b53a85c053c835982fdb81c2ff
Instruction Fuzzy Hash: C261F132E1D80A4FE794F76C98162B977E2EBD9A91F04017AD80DD32D7DE286C428395

Function 00007FF848F413C8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e30c8006b519a790c582fcfb13ecfe0ef6e2bfac1a0264c431a757ef4fd2cdb
Instruction ID: 858376071f541c3b6113afa20bbe787c3afac58dd787b5ac7a317b689ba84e2f
Opcode Fuzzy Hash: 8e30c8006b519a790c582fcfb13ecfe0ef6e2bfac1a0264c431a757ef4fd2cdb
Instruction Fuzzy Hash: 70613931F2DE4A4FE798FB2C5459279ABD1FFA8A90F08427AD00DD32D6DF28A8454345

Function 00007FF848F492F0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e6c16a2b95dae1d59f1f04d4c5283db1ae9f6c6b9d11e62e1aa1b5753255d4
Instruction ID: 0aae0411e015c7ae8407c1a3fecb9e6a655f1297b2c3b2277705cb62dfe040dd
Opcode Fuzzy Hash: b5e6c16a2b95dae1d59f1f04d4c5283db1ae9f6c6b9d11e62e1aa1b5753255d4
Instruction Fuzzy Hash: F961A331F1C9198FEB98EB68D459ABDB7E1FF98750F14057AD00ED32E6CE24A8418741

Function 00007FF848F44980 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13f34aca52afb1342292035d0da11f14503853ce72658a344ec540eb919c1c9
Instruction ID: 467dcc369a78edd74643e9dfa926188b5b15a2840b44be6284141723986819cf
Opcode Fuzzy Hash: d13f34aca52afb1342292035d0da11f14503853ce72658a344ec540eb919c1c9
Instruction Fuzzy Hash: F361243190D6498FE708EF6898466B87BE0FF66364F0842BFD048E72D3DB68A446C755

Function 00007FF848F488AD Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47498e83d07550feef736a8f053614be10cdb63c76fb75369d2423847fa2ad0
Instruction ID: ae5ef28118f048882d4d48ea1074b56424b1f812e9e726306571718bf43cab40
Opcode Fuzzy Hash: b47498e83d07550feef736a8f053614be10cdb63c76fb75369d2423847fa2ad0
Instruction Fuzzy Hash: 61517030918A0C8FDB58EF68D8457E9BBF1FF99310F10426AD44DD3296DB74A946CB81

Function 00007FF848F48FB5 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d3861be45b5b767b84efb3a2444ad3265ac16fce98b2b688dabb42970a6ed8
Instruction ID: 815ffa94c10946c7615cd1228f3e4b20c1dad01e49ceadae9afc74bbb617816e
Opcode Fuzzy Hash: 53d3861be45b5b767b84efb3a2444ad3265ac16fce98b2b688dabb42970a6ed8
Instruction Fuzzy Hash: CE61A230E1D9099FEB95FB28D4556B877E2FF98B54F4001BAE00DD32D6DF28A8418744

Function 00007FF848F4445C Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79340b1fcf9d7cf0ceff5d9366512c5315c04578631d869a7e122f198f122ef
Instruction ID: b5d261e2766e0dd4f90d9939596f03994383fdd936839f640015ee9d94cbb027
Opcode Fuzzy Hash: d79340b1fcf9d7cf0ceff5d9366512c5315c04578631d869a7e122f198f122ef
Instruction Fuzzy Hash: 1D516171908A1C8FDB58EF58D845BE9BBF1FB59310F0082AAD44DE3252DF34A9858F91

Function 00007FF848F45B05 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bd9d7510bdcb41654155b2542517ef0a1bfdd8f71221890b74edb284e94718
Instruction ID: e6da29a5227d58c0d33758a04fa32c6a3803b96e2ea822f46691ea9da4948883
Opcode Fuzzy Hash: d1bd9d7510bdcb41654155b2542517ef0a1bfdd8f71221890b74edb284e94718
Instruction Fuzzy Hash: D7516230A18A0C8FDB58EF68D8457EDBBF1FF98310F10416AD44DD3256DB74A8468B81

Function 00007FF848F42928 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d7eeb0cd19cbe049d89b36eb14c173cac0a25fdc59c3acef2167afab914a33
Instruction ID: 10db858bea6c43d5208766afd5abfcb730ef1ed09004a2ee7a093ffd757d330e
Opcode Fuzzy Hash: 24d7eeb0cd19cbe049d89b36eb14c173cac0a25fdc59c3acef2167afab914a33
Instruction Fuzzy Hash: 58518730D0D6864FE75AE77448162A5BFE0EF667A0F1802FAC059D31D3DE6CA842C755

Function 00007FF848F40720 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fc7c6d584edb5a42009fd7b23d88851a60501b01437a424702d6539db314c6
Instruction ID: 4cc8e93081cb08a4cdbaec2a755e6780be373b61f53ccd7fd50e01760e1ccf8c
Opcode Fuzzy Hash: 50fc7c6d584edb5a42009fd7b23d88851a60501b01437a424702d6539db314c6
Instruction Fuzzy Hash: 3C515430B189099FEB99FB68D8556BCB3E2FF98B44F404576E00EE32D6DF24A8418744

Function 00007FF848F4900F Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcca606e045677b25dfe190f8e8c3677fe99e899e581abe99a86b45160ab7e8
Instruction ID: c75a0816a74eb854dc637da0207d0f0737bfe271d2901b93eea3f9dd998a764e
Opcode Fuzzy Hash: 5bcca606e045677b25dfe190f8e8c3677fe99e899e581abe99a86b45160ab7e8
Instruction Fuzzy Hash: D451A330B1D9499FEB56FB28D8556A87BE1FF99B44F0401B7D009E32E7DE286842C741

Function 00007FF848F42685 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46f5f23f8cc592be40d47056fd34d2083bf139c5d627dc37f5857461bfb1095
Instruction ID: 791a5b8c6596b691304764a0fe6f462875b828bfae72e14c486df5ba74b7988b
Opcode Fuzzy Hash: e46f5f23f8cc592be40d47056fd34d2083bf139c5d627dc37f5857461bfb1095
Instruction Fuzzy Hash: C5419D74908A1DCFEB98EB68D45AAA977E1FB24711F14017ED00AD36A2CB35A842CB45

Function 00007FF848F40BFE Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000084fcc2011faed0069f5ab37134df06d4333d2b049f47013f4f7823ff61ed
Instruction ID: a8533b5ec55d2feec805ca9d7388cbd6c6aacae9d3981fd2cccf37cd5633b871
Opcode Fuzzy Hash: 000084fcc2011faed0069f5ab37134df06d4333d2b049f47013f4f7823ff61ed
Instruction Fuzzy Hash: 35411731B1EA8A5FE395B77C981A2753BD2EFD6AA0F0800BBD44DC3297DD199C428351

Function 00007FF848F40760 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365dc9dedc83bf57e0a4f54c27b42c6abf6e57b0ecfec660576e099d50caf0c8
Instruction ID: 0ea800e584fa8c249500bfde5a523ca48be35dd1df2f322344ffe0479b7df328
Opcode Fuzzy Hash: 365dc9dedc83bf57e0a4f54c27b42c6abf6e57b0ecfec660576e099d50caf0c8
Instruction Fuzzy Hash: D3419D74908A1DCFEB98EF58D45ABA977E0FB24751F14017ED00AD36A2CB35A842CB45

Function 00007FF848F48C11 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7809b490afc4f87e441daf65b5c44b79ef684a7476407bb4fe23b41209616bc3
Instruction ID: bc7e2066484911c39cddff7c9ee8600c7f1adbefb8ff196c00d3d933c6e1f3b7
Opcode Fuzzy Hash: 7809b490afc4f87e441daf65b5c44b79ef684a7476407bb4fe23b41209616bc3
Instruction Fuzzy Hash: 1841CF71A1990D8FEB84FB7894596BCBBF1FFA9750F4401BAD40DE3292DF2898428750

Function 00007FF848F495CD Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1909c7fad024767ee169548539f51aba8965ff7375620f53d8c071558258f5b5
Instruction ID: 1ac068663041c497791042cf917381c620132e52d76df6937eb03fd36578a61e
Opcode Fuzzy Hash: 1909c7fad024767ee169548539f51aba8965ff7375620f53d8c071558258f5b5
Instruction Fuzzy Hash: E641E130B1E6C95FDB52E77858686B56FE0DF67651F1800BBE088C21A3ED185846C342

Function 00007FF848F404C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178a11b6eac00a1b4551d07bf8d356567a9f5a2f7035f8892d1f3c7c3ca5e78d
Instruction ID: 45db89c291f570e7fb11a2753758a13f258e693defd2d76b6b52587327ece8a7
Opcode Fuzzy Hash: 178a11b6eac00a1b4551d07bf8d356567a9f5a2f7035f8892d1f3c7c3ca5e78d
Instruction Fuzzy Hash: E131C231B1D9595FE798EB2C945A279A6C2EBA8791F1405BEE00EC32D7CE289C418341

Function 00007FF848F406F0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b292709c7402750b8d5eee38be0b072e4ccd0ed07c2fc3d8792b71a4b9ec9f
Instruction ID: 254ccba9d29c262a0585edb518445cffc60aa45665f99ae62ab0a2374650ab86
Opcode Fuzzy Hash: b3b292709c7402750b8d5eee38be0b072e4ccd0ed07c2fc3d8792b71a4b9ec9f
Instruction Fuzzy Hash: 8A417130E0C90A8FDB98FB6894556B9B7E1FFA8750F54017AD41ED32C2DF78A8418745

Function 00007FF848F40A91 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd1b9e3a7e75bd1ed4e965a9ff749770ce848f4a7acfb5beffb93ff6277974c
Instruction ID: ec24669de3141e4db7dcfaca0efbae7b7630877eb64f783d8cebc47e81119e25
Opcode Fuzzy Hash: 5cd1b9e3a7e75bd1ed4e965a9ff749770ce848f4a7acfb5beffb93ff6277974c
Instruction Fuzzy Hash: 7F310020F2D9499FE784B7B8980A3B977D2EFA8A81F040276E40CD32D3DE1858018392

Function 00007FF848F41B3D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48e08ce3c95df3940fc1efb43a5cf55364c9b0f0f98baa4ed8cad231f8a4f64
Instruction ID: 975b126e92b3cd9f59b96a936011f139ce5968d2bf9e601ba399db5b101308d7
Opcode Fuzzy Hash: f48e08ce3c95df3940fc1efb43a5cf55364c9b0f0f98baa4ed8cad231f8a4f64
Instruction Fuzzy Hash: 9A312671D0E9964FE359A77858191B87FE0FF21B81F0400BBC04C971DBEF286889839A

Function 00007FF848F40AB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6b7ddeabf176a2fb1c764107f7913c34fe17827d7c89bbb6207cdfd3966a24
Instruction ID: 258e913885b9c02eddcebc935cf8b0d934462326ac454b3937cfac12f5a110cd
Opcode Fuzzy Hash: ea6b7ddeabf176a2fb1c764107f7913c34fe17827d7c89bbb6207cdfd3966a24
Instruction Fuzzy Hash: 4C31D321F2980A9BE784B7BC585A3BDA6D2FFE8B85F10013AE40DD32D7DE1858414796

Function 00007FF848F40949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abdd98a623d6577d41c834cfc38c7ace4cb0cc10acff9210d67a34e175f0424
Instruction ID: f4c3abba76322313e36b3b2bd9c9c2ff9ea06b8675eb12f5c50f4e9d33202dba
Opcode Fuzzy Hash: 8abdd98a623d6577d41c834cfc38c7ace4cb0cc10acff9210d67a34e175f0424
Instruction Fuzzy Hash: 05319F30A1AA0A9FEB84FB6884666EE7BB1FFA8740F540579D109D33C6DE3C68418754

Function 00007FF848F49A85 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362721c35ea4039f1bf3332458783a425ce6e07a1c491da3eff0fab7ac567fd2
Instruction ID: c27c60c9fbe758d0cfd7ee2ebacf822089634f2d336d12c9b0f8a0dbcc89f164
Opcode Fuzzy Hash: 362721c35ea4039f1bf3332458783a425ce6e07a1c491da3eff0fab7ac567fd2
Instruction Fuzzy Hash: B031903190D7488FDB59DBA8D849AEABBF0FF56320F0481AFD089D3552D764A80ACB51

Function 00007FF848F48AD9 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28251cabb933802c6d4b66b6799c86b77c6f740d86f10314b69c6e3948c42fd2
Instruction ID: f4b166aefa2aba9817ab4e86cbaca680638dad336ed4ed02f7ae68bc40823c07
Opcode Fuzzy Hash: 28251cabb933802c6d4b66b6799c86b77c6f740d86f10314b69c6e3948c42fd2
Instruction Fuzzy Hash: 8431053061DA899FEB46FB38C8965687BE0FF5AB54B4402E6D048C72D6DB28A845C781

Function 00007FF848F499A9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1799f55c7c57135a052c7516d5d8574480017528e340335ed1f8ef8205a3b46d
Instruction ID: 6d56a4752725c585242704e13a961cae2e4a9ca175f6de8b754f8c5ecc431246
Opcode Fuzzy Hash: 1799f55c7c57135a052c7516d5d8574480017528e340335ed1f8ef8205a3b46d
Instruction Fuzzy Hash: 64213230B4C58A0FE746EB7888166F57BE1FF9AA50F0441B6D08AD31E2CE2C9842C751

Function 00007FF848F49891 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29103e69557e238ec9be1bffa7fd00f8924aae91f922eac1627e28a78ddee0e9
Instruction ID: 79cb05388f151d4ba4caba99e17b7e67b1a058a63e4d43f227467a72f1f4ef84
Opcode Fuzzy Hash: 29103e69557e238ec9be1bffa7fd00f8924aae91f922eac1627e28a78ddee0e9
Instruction Fuzzy Hash: A721A120B2E9599EE745F3AC58163A976D2FB64B90F5406BAE008D32D3DE1C680083A6

Function 00007FF848F41D68 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd5257b29ba59e4fb71c226019aa308c2d9d8bbd78b27a4f48261299cba6746
Instruction ID: 22b6862188a354b852bb0264efafc0903db37f9cf93fe101d7b3e13fec809c10
Opcode Fuzzy Hash: ebd5257b29ba59e4fb71c226019aa308c2d9d8bbd78b27a4f48261299cba6746
Instruction Fuzzy Hash: 3411E472D0D96D4FE745ABB8681A1FD7BF0FF55B51F00017BD008D2196EE2599888385

Function 00007FF848F40765 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd150ad3cd528bcf8ec7062e40de4da5c7818df1224a75e03e3027a3336086a5
Instruction ID: 8260fdc2924cde168f60dcbac749b037d1d26b4fe8284934e7f17458cfb5d10e
Opcode Fuzzy Hash: bd150ad3cd528bcf8ec7062e40de4da5c7818df1224a75e03e3027a3336086a5
Instruction Fuzzy Hash: 8D11DA20B2E9159FE745F76C98167BA76D1FF54B94F5402B6E00CD32C3DE2C68008395

Function 00007FF848F40770 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea67194dc724e16b20ed56c705a72e1c97de22ee53fd08ed73df8c44f28bc65
Instruction ID: 952452bbf9a591270bfa6b0fe542d401b9705ac761c2637ac8a0c2cfd66900a3
Opcode Fuzzy Hash: aea67194dc724e16b20ed56c705a72e1c97de22ee53fd08ed73df8c44f28bc65
Instruction Fuzzy Hash: A011B920B2E9199BF745F76C54167B972D1FF58B94F6006B5E00DD32C3DE2C68008395

Function 00007FF848F41DBD Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8047683556e374ffb8e32876e27d043c046762776954e0b8543c029f93aa4c2
Instruction ID: 311cbb11f8ba52dbbeb42e6bd6f17109ad0b4198ce2e6ccd2f047eec5e340598
Opcode Fuzzy Hash: a8047683556e374ffb8e32876e27d043c046762776954e0b8543c029f93aa4c2
Instruction Fuzzy Hash: E011E172E0995D4FDB41FBB898691FDBBF0FF65B61F00017BD008D2296EA259A448781

Function 00007FF848F48650 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbc3ceb3ee559259019e967fb64650e20b3069a249079351e54588002eb89cc
Instruction ID: 3ab2cd1410c99ab70176d5065990f0612abb8ea6b63d47128f335d8323321762
Opcode Fuzzy Hash: 4cbc3ceb3ee559259019e967fb64650e20b3069a249079351e54588002eb89cc
Instruction Fuzzy Hash: 3A11E131E1C9894FEB82F76854165A8BBA0FF69B90F0402B3D408D32C2DE286C4547D6

Function 00007FF848F41951 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8a88d468b488d135c2614fa72ad5d635d0de854928b3f3e56ce2fb0a16b671
Instruction ID: 2467f95a3e11e40469cfe174130af7c89a4d69299f7b571a79cf5cb6ccd553a2
Opcode Fuzzy Hash: 2c8a88d468b488d135c2614fa72ad5d635d0de854928b3f3e56ce2fb0a16b671
Instruction Fuzzy Hash: 7101F725D0CA954FE355B73C68250717FE0DFA6A90F0806ABE888D61D7DA085A848396

Function 00007FF848F42311 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21528bdf9c0170c8726aade1d7bf0f0354cbad346b71a1ebbba8a82d0d6e3dc1
Instruction ID: 7a8b9dc8de04a9dde7f19e954bb82e9c66ceeefa5ce92c699718e0aaa99fc6a7
Opcode Fuzzy Hash: 21528bdf9c0170c8726aade1d7bf0f0354cbad346b71a1ebbba8a82d0d6e3dc1
Instruction Fuzzy Hash: F1F0D43189E7D95FD7036BB058255A67FB4AF53500F4E41DBE488CB0E3D72866198362

Function 00007FF848F41DE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060f13bbff407fd1d03691ab1896e8607816458926d3a9251dd934599e8e40e8
Instruction ID: 3f4845ce8c261c8a139b6e47e2238794ec1eaa9e76a84ecc1d26251332bbc2b0
Opcode Fuzzy Hash: 060f13bbff407fd1d03691ab1896e8607816458926d3a9251dd934599e8e40e8
Instruction Fuzzy Hash: BBF0AF31E1491E8FDB40FBA8984A1FEBBF0FF58741F000227E009D2295EE349A448BC1

Function 00007FF848F4260D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33682d19fef1ba13a1f60ba28f2b4a059f08656c0773c6bc6989d5d3b485ef95
Instruction ID: 0fdd50c116204be6734993e56739787dec550fca5a0bdbc3bbf6d25dac00d1cc
Opcode Fuzzy Hash: 33682d19fef1ba13a1f60ba28f2b4a059f08656c0773c6bc6989d5d3b485ef95
Instruction Fuzzy Hash: B201F420E0D6564FF799B77844692782B81EFA4B80F5400BAD00AD32C7EF2CA802C356

Function 00007FF848F40775 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24d0b1c67631f147c2e5a2f4a706d9faad0b83db02364420e260b674622d3d9
Instruction ID: 13a3f2fe7aa33782dec44e769ca4a37b4f3cebb99e441a33276f01292a329ba4
Opcode Fuzzy Hash: e24d0b1c67631f147c2e5a2f4a706d9faad0b83db02364420e260b674622d3d9
Instruction Fuzzy Hash: 0BB09210F6E44648D509B7B908420E8BBA09BEA5A0FE404B2D888500D39A4D289646A6

Function 00007FF848F424A0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152914556.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_1LFcs1ZJy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5db550849b09e0ded0442fffbbf82b30129ba6ef9ab1371ac793b4fcee9e34
Instruction ID: b92799fae024b699e5b55edfd038a42a666029f9b591c7c091e308b9b7b2b454
Opcode Fuzzy Hash: 3d5db550849b09e0ded0442fffbbf82b30129ba6ef9ab1371ac793b4fcee9e34
Instruction Fuzzy Hash: 39A00218C9B84F05E88832BE1D870A474509BD9554FC51561EC0CA05CBE98E15E9029B

Analysis Process: XClient.exePID: 5628, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F10E79 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7696797e021d1185dcfa46adf97517b1baaefedfbdefd72d5dabd26af83dd513
Instruction ID: 28b3091f5d9d84778828f46efec3df057fdcfac6fb8dd4cf1cc7a6488808b507
Opcode Fuzzy Hash: 7696797e021d1185dcfa46adf97517b1baaefedfbdefd72d5dabd26af83dd513
Instruction Fuzzy Hash: BA32C330B2DA095FE798FB2884997BAB7E2FF98750F440579D40EC32C6DE28AC418755

Function 00007FF848F11799 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169a64e1693d5ba38bf88312c012c8729513a59f30b2e7d45f83707df6fd38fb
Instruction ID: 578007a7befc9ffa78e1c0782b1324c8d1f179df91c29f8be87e9d32b367cfee
Opcode Fuzzy Hash: 169a64e1693d5ba38bf88312c012c8729513a59f30b2e7d45f83707df6fd38fb
Instruction Fuzzy Hash: BD510F20A1E6C95FD786AB385868276BFD1EF97355F1800FAE089C72D3CE084C86C346

Function 00007FF848F10BFE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276229fe438fb35ecd9b2bdec88f867f03a86f47f78d2d79779e19b2dd034a5f
Instruction ID: d661345e05ca28d1dc901792f782aab74ea49394e134884f2d92b6b4db2cce11
Opcode Fuzzy Hash: 276229fe438fb35ecd9b2bdec88f867f03a86f47f78d2d79779e19b2dd034a5f
Instruction Fuzzy Hash: 18712332E0D99A0FE395B76C98162BA7BE2EFC5360F0400BAD44DC32D7DE286C468754

Function 00007FF848F104C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47df32be34ea8045c946e2fc8599de693a7a3cdccc0474fdaacb641dcc455985
Instruction ID: f20f418dc7d1264ab82f3da847b3e863c63ec7f91ac636a5cfe05ca1cd6bf57e
Opcode Fuzzy Hash: 47df32be34ea8045c946e2fc8599de693a7a3cdccc0474fdaacb641dcc455985
Instruction Fuzzy Hash: 2731D231B1D9491FE798EB2C946A279B7C2EF98795F1405BEE00EC32D7CE289C428341

Function 00007FF848F10A91 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96334e865c372718ba5cb16de3e5130f16c7c6b39126d347f734591d4738e7c1
Instruction ID: 8a449788e096acb1e0495988ac50277cf71fd05de553eb2ab5b9dc39108e321f
Opcode Fuzzy Hash: 96334e865c372718ba5cb16de3e5130f16c7c6b39126d347f734591d4738e7c1
Instruction Fuzzy Hash: 6F31CE21F2D95A9FE784B7B898593B966D2FF98785F040276E40CC32C3DE1C6C018392

Function 00007FF848F10949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7066cf32c442da2e71e3c8682d194a5771d020b48122f972641ced617985ab0
Instruction ID: 2cbd127c3a79185c54cd1a6f2e1c3663970488841d917a44a3e2da628b87e71c
Opcode Fuzzy Hash: b7066cf32c442da2e71e3c8682d194a5771d020b48122f972641ced617985ab0
Instruction Fuzzy Hash: 8531BF30A1AA1E9FEB44FB6884656EE7BB1FF98340F540479D409D33C6CE3C68418B54

Function 00007FF848F11951 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77738536a3df2814e02cc9af40a6b3f9ffdc2ec94d485c238c10453689d4a539
Instruction ID: a1d09707df8bb9198e53fbf10262394e598069321e3910d59ad05cd71fd3d8e0
Opcode Fuzzy Hash: 77738536a3df2814e02cc9af40a6b3f9ffdc2ec94d485c238c10453689d4a539
Instruction Fuzzy Hash: 6F01F76590CB854FE355B73C68250727FE1CF96791F4805ABE488C61D7DA085E848396

Non-executed Functions

Function 00007FF848F106FA Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

O_^$, xrefs: 00007FF848F1077A
O_^ , xrefs: 00007FF848F1076A
O_^", xrefs: 00007FF848F10772
=O_^, xrefs: 00007FF848F10701

Memory Dump Source

Source File: 00000004.00000002.2107150933.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID: =O_^$O_^ $O_^"$O_^$
API String ID: 0-3793307974
Opcode ID: b58b2ab62899fb2867eee47f8e7df4c07e5043f133ac92ad80fdd963fd67dbe0
Instruction ID: 8ecb4c2a61874bd4f4137f7be211f146cf6aa78a80a33207e3cd41c6d0671296
Opcode Fuzzy Hash: b58b2ab62899fb2867eee47f8e7df4c07e5043f133ac92ad80fdd963fd67dbe0
Instruction Fuzzy Hash: 65514A7690F66A5FE341B76C68A11EA3F60EF80359B4401B2D48DCF3C3DE2C28468669

Analysis Process: XClient.exePID: 6984, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848F10E79 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719da61505701b56f3f14fd256926ad252aad37d3bc5c0488538468e6fb7d6ab
Instruction ID: d676673011789f37127940fd4d33fb6501bc6289d0e76b6209f24ad49bd52a29
Opcode Fuzzy Hash: 719da61505701b56f3f14fd256926ad252aad37d3bc5c0488538468e6fb7d6ab
Instruction Fuzzy Hash: CD328E30A2DA195FE798FB2884596B9B7E2FF98780F440979D40EC32C7DF2CA8418755

Function 00007FF848F11799 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466c43c97471f152d69e25c3ea394eac58db16b1a31e84c3a5add5e612f939cf
Instruction ID: c41b2c0a2a74ae92d24e39108c0a0bf476d8d4b6a70eb6b7607d2d5d82a4f28f
Opcode Fuzzy Hash: 466c43c97471f152d69e25c3ea394eac58db16b1a31e84c3a5add5e612f939cf
Instruction Fuzzy Hash: F4510F20A1E6C95FD786AB385868275BFD1EF97355F1804FAE089C72D3CE084C86C346

Function 00007FF848F10BFE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6243849ba20b6a0b4336898a21030a94c98b843420ef2db548a555f9fa65e2d1
Instruction ID: 3f9d9e9eb32427aa1d6f42e95a3bef57604e155699c98ae28d66c62e678c81aa
Opcode Fuzzy Hash: 6243849ba20b6a0b4336898a21030a94c98b843420ef2db548a555f9fa65e2d1
Instruction Fuzzy Hash: 34712431E0D95A0FE395B76C98162B97BE2EFC9351F0400BAD44DC32D7DE286C468390

Function 00007FF848F104C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca694bfbee166bdf5a2681d6cef01a6fb634cef24fd1d4cae8b386c80a7150b
Instruction ID: 75c0e933c5af39a07fdd6695fcf9ac52851fe2359c36167eeeb7e7cc27566e99
Opcode Fuzzy Hash: 9ca694bfbee166bdf5a2681d6cef01a6fb634cef24fd1d4cae8b386c80a7150b
Instruction Fuzzy Hash: 6531D231B1D9491FE798EB2C946A279B7C2EF98791F1405BEE00EC32D7CE289C428341

Function 00007FF848F10A91 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96334e865c372718ba5cb16de3e5130f16c7c6b39126d347f734591d4738e7c1
Instruction ID: 8a449788e096acb1e0495988ac50277cf71fd05de553eb2ab5b9dc39108e321f
Opcode Fuzzy Hash: 96334e865c372718ba5cb16de3e5130f16c7c6b39126d347f734591d4738e7c1
Instruction Fuzzy Hash: 6F31CE21F2D95A9FE784B7B898593B966D2FF98785F040276E40CC32C3DE1C6C018392

Function 00007FF848F10949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c26b856aa4940c85d420673a15f76edf57eaa77974432de9b3110f67ddeda
Instruction ID: d809fd4732561de7797507865e3b6dda15aa76ec6537329b1a9930b60dd586eb
Opcode Fuzzy Hash: 598c26b856aa4940c85d420673a15f76edf57eaa77974432de9b3110f67ddeda
Instruction Fuzzy Hash: C2318F30A1AA1A9FEB45FB6884656EA7BB1FF98340F500879D009D33C7DF2CA8458764

Function 00007FF848F11951 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcd7a9fd4ac4973e40eaf4d184396d7f64ff4ed45d89c376fd0b235a4302702
Instruction ID: 4f06cb42fa73577cc0c97bd524cfa82c3f5e81bb49928ea0c4d870d446528695
Opcode Fuzzy Hash: abcd7a9fd4ac4973e40eaf4d184396d7f64ff4ed45d89c376fd0b235a4302702
Instruction Fuzzy Hash: 0901F26590CA854FE356BB3C6825071BFE1CF96791F4805ABE488C61E7DA089E8483A6

Non-executed Functions

Function 00007FF848F106FA Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

O_^$, xrefs: 00007FF848F1077A
O_^ , xrefs: 00007FF848F1076A
=O_^, xrefs: 00007FF848F10701
O_^", xrefs: 00007FF848F10772

Memory Dump Source

Source File: 00000005.00000002.2186567211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID: =O_^$O_^ $O_^"$O_^$
API String ID: 0-3793307974
Opcode ID: 603156bc5ba9a3d17d4e28b10512c77b8b8d8f7f0a414e8c59787db80b9d2c61
Instruction ID: 89c5b5717ba1291ea283467a53a313eca63eb73bc0930532ca81bda9419e4bcc
Opcode Fuzzy Hash: 603156bc5ba9a3d17d4e28b10512c77b8b8d8f7f0a414e8c59787db80b9d2c61
Instruction Fuzzy Hash: E7514B7690F5665FE341B76C68A10E63F60EF80359B4405B2D08DCF3C3DF1CA84A86A9

Analysis Process: XClient.exePID: 7064, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848F10E79 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3f27f432bb045b72969e879d0634b49fee71607be93e65fedfde0e7780219b
Instruction ID: cf6923ee8f7ac563df18f3ecfdcd7754981bfa043d6dba77b16793faedbf64e9
Opcode Fuzzy Hash: ad3f27f432bb045b72969e879d0634b49fee71607be93e65fedfde0e7780219b
Instruction Fuzzy Hash: D332B130B2DA095FE798FB6884997B9B7E2FF98784F440579D40EC32C6DE28AC418745

Function 00007FF848F11799 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9b999661f0176053eea81b05614b0f37f49c01169ed26bdf5fdebd927e6ced
Instruction ID: 15404f5fdca1caf6f5f475ddd7c65383caf06716a5fcdc3090c2632f73adbe7e
Opcode Fuzzy Hash: 6b9b999661f0176053eea81b05614b0f37f49c01169ed26bdf5fdebd927e6ced
Instruction Fuzzy Hash: 43510F20A1E6C95FD786AB785868275BFD1EF97355F1800FAE089C72D3DE084C86C346

Function 00007FF848F10BFE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c233ca9b5a1fb7e89b409138ca937c261b834e1bbbe1e07585c5116bdff298
Instruction ID: c8ec52201817c7f186098e4553620dc2c3827191d32cdc69aa67c3785751d351
Opcode Fuzzy Hash: f1c233ca9b5a1fb7e89b409138ca937c261b834e1bbbe1e07585c5116bdff298
Instruction Fuzzy Hash: 4E712232E0D99A0FE395B76C98562B97BE2EFC6360F0401BAD44DC32D7DE286C468750

Function 00007FF848F104C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8c77c26f1a6fe90fa58b14f0c092baa1587fda324a55ae24daec894ec237a4
Instruction ID: 8aa0b64b89c3055c1acf9b2b35853ff950c06c3a72d90b06133590ea671d589e
Opcode Fuzzy Hash: 1d8c77c26f1a6fe90fa58b14f0c092baa1587fda324a55ae24daec894ec237a4
Instruction Fuzzy Hash: A731D231B1D9491FE798EB2C946A279B7C2EF98795F1405BEE00EC32D7DE289C428341

Function 00007FF848F10A91 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96334e865c372718ba5cb16de3e5130f16c7c6b39126d347f734591d4738e7c1
Instruction ID: 8a449788e096acb1e0495988ac50277cf71fd05de553eb2ab5b9dc39108e321f
Opcode Fuzzy Hash: 96334e865c372718ba5cb16de3e5130f16c7c6b39126d347f734591d4738e7c1
Instruction Fuzzy Hash: 6F31CE21F2D95A9FE784B7B898593B966D2FF98785F040276E40CC32C3DE1C6C018392

Function 00007FF848F10949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a4d3f7b47b1c7f3f2a0f5cf8227db354e9b308200c91f3a1d6e19367937f18
Instruction ID: b5dd64072e78a51dc59ac9500c132c0084502cfb9003b5fa9001acd28fadc6d8
Opcode Fuzzy Hash: c7a4d3f7b47b1c7f3f2a0f5cf8227db354e9b308200c91f3a1d6e19367937f18
Instruction Fuzzy Hash: B0318F30A19A1A9FEB44FBA884A56EA7BB1FF98344F500479D009D3386DE2C69518B54

Function 00007FF848F11951 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dab4091e2cc1dbba8ad07ecd10a634eacc1702df774ca8c22647cad964e19dd
Instruction ID: a44126d44c708466074f1562d833c08fb2533d8ab487d39e1d75b1626c6de4af
Opcode Fuzzy Hash: 4dab4091e2cc1dbba8ad07ecd10a634eacc1702df774ca8c22647cad964e19dd
Instruction Fuzzy Hash: 4F01426190CA850FE346BB3C2864071BFE0CF92794F4805BBE488C61E7EA085E848392

Non-executed Functions

Function 00007FF848F106FA Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

O_^$, xrefs: 00007FF848F1077A
O_^ , xrefs: 00007FF848F1076A
=O_^, xrefs: 00007FF848F10701
O_^", xrefs: 00007FF848F10772

Memory Dump Source

Source File: 00000007.00000002.2268228342.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f10000_XClient.jbxd

Similarity

API ID:
String ID: =O_^$O_^ $O_^"$O_^$
API String ID: 0-3793307974
Opcode ID: 805f4f41ef5713cc7bc0ddc6e4ee416464689fae91815ffce4cd3a5e2e9192dd
Instruction ID: 7e2fb7b07c38ca9805a22175581d84957e35b3a0b54fe8e9da54167675ba6d09
Opcode Fuzzy Hash: 805f4f41ef5713cc7bc0ddc6e4ee416464689fae91815ffce4cd3a5e2e9192dd
Instruction Fuzzy Hash: D1514D7690F56A5FD341BBAC68E10E63FA0EF8035CB4401B2D08D8F393EE1C69568699

Analysis Process: XClient.exePID: 4268, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30E79 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8ede0551809b197d36eafdf4a13b57ae357965a64a481e45fa705c7a5e6a93
Instruction ID: d18233336b27712b4ab7b8cf95ca72106683c237e39afe8557dbab37c938653f
Opcode Fuzzy Hash: da8ede0551809b197d36eafdf4a13b57ae357965a64a481e45fa705c7a5e6a93
Instruction Fuzzy Hash: F732B630F2EA495FE798FB288455679BBE2FF98740F44057AE40EC32C6DF28A8418755

Function 00007FF848F31799 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729ca24da48e138afb470f4a1ac16dbc2ab08595f61cbf11628ca3a1fafeeb61
Instruction ID: 57fa81e78abbfb03704aceabf1f50f363079270456a22d0c0702b4c7a033eb43
Opcode Fuzzy Hash: 729ca24da48e138afb470f4a1ac16dbc2ab08595f61cbf11628ca3a1fafeeb61
Instruction Fuzzy Hash: 89511D20A1E6C95FD786AB385868276BFE1EF97255F1804FBE089C71D3CE085886C346

Function 00007FF848F30BFE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ecd2e1b60f0de69cab74b6a3ad227997643d26a7a5ee44b64b19e2e72d119b
Instruction ID: 28b9e83626794e6dc5342f3da51c8bb60ad913b4e894eaecdd17544ba70974f1
Opcode Fuzzy Hash: 99ecd2e1b60f0de69cab74b6a3ad227997643d26a7a5ee44b64b19e2e72d119b
Instruction Fuzzy Hash: F0713532E0D94A4FE795F76C98162B97BE2EF856A0F0401BBD44DC32D7DE286C028354

Function 00007FF848F304C8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b1d51ec670a7f92aa913b85061c49c275223161c76379244f694d0ba37669e
Instruction ID: dabe30d77cd0ea1a6aefcfbaeac665cc1ea32a9772868b82b3b1d11e7a2be306
Opcode Fuzzy Hash: d7b1d51ec670a7f92aa913b85061c49c275223161c76379244f694d0ba37669e
Instruction Fuzzy Hash: 9E31E531B1D9491FE798EB2C945A279B7C2EF98781F1405BEE00EC32D7CE289C418345

Function 00007FF848F30A91 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ef27bd9ee17efac574b98b615254b0a4f3d015c07993158203348b652a881e
Instruction ID: 40d21ccabfbf382fc8f4da4dba057f0790988a5c50d9165cb9fde04baea290fa
Opcode Fuzzy Hash: d9ef27bd9ee17efac574b98b615254b0a4f3d015c07993158203348b652a881e
Instruction Fuzzy Hash: 21318F21F2E9495FEB84B7B898593B967D2EF98695F040277E40DC32C7DE1858018792

Function 00007FF848F30949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dea851790cb077f269079833a952fc6bed343d83dd70fb9ab164a2ca482d7f
Instruction ID: 28531111dd77ba99c7755d3e377572ae4484c5d1c464856eb0dd31c7ffbd0081
Opcode Fuzzy Hash: d1dea851790cb077f269079833a952fc6bed343d83dd70fb9ab164a2ca482d7f
Instruction Fuzzy Hash: B2316030E1AA0E9FEB44FB6884696AE7BB1FF98340F50057AD009D3286DF2CA941C754

Function 00007FF848F31951 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a360551ad57c84db55e7f760369ff516f102181323ab44b3b8747951d8c84c3
Instruction ID: d0056258e3c040fe83e91ba0606adb3dd5b1d4dfc85878a6025b2954e405eef0
Opcode Fuzzy Hash: 6a360551ad57c84db55e7f760369ff516f102181323ab44b3b8747951d8c84c3
Instruction Fuzzy Hash: 51012B25D0EB854FE355B73C68650717FE1CFD6691F0805BBE488C71D7DA085A848396

Non-executed Functions

Function 00007FF848F306FA Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

M_^", xrefs: 00007FF848F30772
M_^$, xrefs: 00007FF848F3077A
M_^ , xrefs: 00007FF848F3076A
=M_^, xrefs: 00007FF848F30701

Memory Dump Source

Source File: 00000009.00000002.2692660418.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID: =M_^$M_^ $M_^"$M_^$
API String ID: 0-2187069029
Opcode ID: 25298ec93bae1849456557bce7f4b306eae9c6260da59a3871d52c8706c79ba0
Instruction ID: c795616d1256d95f55742133b05faab3d5f3fb7cec1794c1e7483187108c0631
Opcode Fuzzy Hash: 25298ec93bae1849456557bce7f4b306eae9c6260da59a3871d52c8706c79ba0
Instruction Fuzzy Hash: 37513B76D0F15A9FE345B76C68A51EA3FB0EF90258B4442B3D08DCB2C3EE1C6406C699

Analysis Process: XClient.exePID: 1876, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30E79 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3afa34d739bfde0c410c4882b86e2c90a30daa47b951adba2a1b1bd916a2ea
Instruction ID: daabb2a044839118f55043645dde961af5001cdfa4b21e7e4df1ac385738d13c
Opcode Fuzzy Hash: 6a3afa34d739bfde0c410c4882b86e2c90a30daa47b951adba2a1b1bd916a2ea
Instruction Fuzzy Hash: AA32B630B2DA095FE795FB3888596B9B7E2FF98740F44057AE40DC32D6DE28A8418745

Function 00007FF848F31799 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95f476d95be7e3c5b713fe1e037641d315e8a796bca60ada9f02a0c6970eace
Instruction ID: e4de065a4764be12853e500fb76a63f22996980418473a1a8edf089f8bbf4198
Opcode Fuzzy Hash: e95f476d95be7e3c5b713fe1e037641d315e8a796bca60ada9f02a0c6970eace
Instruction Fuzzy Hash: 1E511D20A1E6C95FD786AB385868276BFE1EF97255F1804FBE089C71D3CE085886C306

Function 00007FF848F30BFE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ddd74e8ae94585b649627724b8e90d74aa9f68d03fd172813a6eabf7cf1ee3
Instruction ID: bf6c8166886ae159c25ae903171ff13dc7f23c1e21b3e2e7b5f445dac1ca6d8d
Opcode Fuzzy Hash: 11ddd74e8ae94585b649627724b8e90d74aa9f68d03fd172813a6eabf7cf1ee3
Instruction Fuzzy Hash: C2712532E0D94A4FE795F76C98562B9BBE2EF852A0F0401BBD44DC32D7CE2868428355

Function 00007FF848F304C8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930be8d84008eb3e98cfea86fa125608e8a997a5c15aa8fcf779d423d783e297
Instruction ID: 2e41199c9a0ea2469d0dcefb623a980d9a57da4636235ec2cb73dfdd78277a04
Opcode Fuzzy Hash: 930be8d84008eb3e98cfea86fa125608e8a997a5c15aa8fcf779d423d783e297
Instruction Fuzzy Hash: 4931E531B1D9491FE798EB2C945A279B7C2EF98781F1505BEE00EC32D7CE289C418345

Function 00007FF848F30A91 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ef27bd9ee17efac574b98b615254b0a4f3d015c07993158203348b652a881e
Instruction ID: 40d21ccabfbf382fc8f4da4dba057f0790988a5c50d9165cb9fde04baea290fa
Opcode Fuzzy Hash: d9ef27bd9ee17efac574b98b615254b0a4f3d015c07993158203348b652a881e
Instruction Fuzzy Hash: 21318F21F2E9495FEB84B7B898593B967D2EF98695F040277E40DC32C7DE1858018792

Function 00007FF848F30949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c4a9c90c14f5b7039ddd442654559653e6f73c8b7550fb2c0a4498280538b0
Instruction ID: 83ea796d0f7e550bf8f9bc83e3e7fa0afaa2e16d0a6561d94f6be0354dafee75
Opcode Fuzzy Hash: d6c4a9c90c14f5b7039ddd442654559653e6f73c8b7550fb2c0a4498280538b0
Instruction Fuzzy Hash: 47319530A1A60A9FEB45FB68C8596FEBBB1FF98340F50047AD009D32D6DE3CA9418754

Function 00007FF848F31951 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8bd3a8a6ece5ec0e2b080aa1bf8c4929c83e10ae3b0e336ccbfe9630a20746
Instruction ID: e7da1c40290046f5b63b14e329fe1d0fa708392cbe2eeafa4c853eba677ca9ba
Opcode Fuzzy Hash: ce8bd3a8a6ece5ec0e2b080aa1bf8c4929c83e10ae3b0e336ccbfe9630a20746
Instruction Fuzzy Hash: 89012B25D0DB854FE356B73C6869071BFE1CFD6691F0805BBE488C71D7D9085A848356

Non-executed Functions

Function 00007FF848F306FA Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

=M_^, xrefs: 00007FF848F30701
M_^", xrefs: 00007FF848F30772
M_^$, xrefs: 00007FF848F3077A
M_^ , xrefs: 00007FF848F3076A

Memory Dump Source

Source File: 0000000A.00000002.3284639984.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f30000_XClient.jbxd

Similarity

API ID:
String ID: =M_^$M_^ $M_^"$M_^$
API String ID: 0-2187069029
Opcode ID: 290480e126c0db1d8eaad38b532bb56426f02e47307b5a0ee87ea4e3e7714c8a
Instruction ID: 17d0d9a2df7bab86cdcafdc4630aa4b6d8d0ea575bc5133bf95d6b890199503a
Opcode Fuzzy Hash: 290480e126c0db1d8eaad38b532bb56426f02e47307b5a0ee87ea4e3e7714c8a
Instruction Fuzzy Hash: 9E516B7690E15A9FD342B72CA8A50FA7FA0EF90358F4502B7D08CCB2D7DE1C64068699

Analysis Process: XClient.exePID: 1248, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F00E79 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3883707780.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd65ea694a50d76bfd238d340ce8e2bfa3aed76016d9a94b4cec0eacbaaaefe
Instruction ID: b94c7a15c899b3b32c3ee905768eaf88c6987fe254704b705a926f74b123a35b
Opcode Fuzzy Hash: bdd65ea694a50d76bfd238d340ce8e2bfa3aed76016d9a94b4cec0eacbaaaefe
Instruction Fuzzy Hash: 5032D370B2DA495FE798FB2894697B9B7E2FFD9340F440579D40EC32C2DE28A8418746

Function 00007FF848F01799 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3883707780.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdee1e29921ff5dfdc23d8a608bbbb24fc524a1a3848c77a5a504f38cfe64c0
Instruction ID: d69152928b2494999a639688e753b16c6eed93d0bc82b9abb9c16c8c9f1135a3
Opcode Fuzzy Hash: 7cdee1e29921ff5dfdc23d8a608bbbb24fc524a1a3848c77a5a504f38cfe64c0
Instruction Fuzzy Hash: 01510F20A1E6C95FD786AB785868276BFD1EF97255F1804FBE08DC71D3EE084886C346

Function 00007FF848F00BFE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3883707780.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f616614a311ae3f94239887af73ab435ebc245f048200be6148bc62671f15d
Instruction ID: 8bee901a506d081af1aff252cd86c82f755aa61e7ac49878ab70ce4459f95e62
Opcode Fuzzy Hash: c5f616614a311ae3f94239887af73ab435ebc245f048200be6148bc62671f15d
Instruction Fuzzy Hash: 49714731E0D98A1FE755F77CA8552B97BE2EFC6260F0400BAD44DC32D7DE2868428355

Function 00007FF848F004C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3883707780.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54ec0b11c1e070b8b545e64b4d4486b7fe751a785484b34790fc13075d80a8f
Instruction ID: 93cf516cff9fd86e140777a7032680f80e5016b3fea56f9374d522f4375db95a
Opcode Fuzzy Hash: d54ec0b11c1e070b8b545e64b4d4486b7fe751a785484b34790fc13075d80a8f
Instruction Fuzzy Hash: 7031D231B1D9491FE798EB2C946A279B7C2EFA9791F1405BEE00EC32D7DE289C418341

Function 00007FF848F00A91 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3883707780.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c05e11e69d240af0b4f9db87716fca074ca22209e41a2efd444e66797a60876
Instruction ID: e12bff121e55053a2d5b61affb95eeea994355d7c9558c8ca5ee70759f1a2bf1
Opcode Fuzzy Hash: 2c05e11e69d240af0b4f9db87716fca074ca22209e41a2efd444e66797a60876
Instruction Fuzzy Hash: 60319021F2D9495FE784B7BC98593BA67D2EF99795F140276E40DC32C3EE2C58018352

Function 00007FF848F00949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3883707780.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f47b0e8805bb83cc0decb5d89c8c0372b9ab4571b44d3135d4f511ac2c3d85e
Instruction ID: 27a7493126d3870e945c8a1a418cff2b8087e38c6c6f6a937b7e74861a700990
Opcode Fuzzy Hash: 2f47b0e8805bb83cc0decb5d89c8c0372b9ab4571b44d3135d4f511ac2c3d85e
Instruction Fuzzy Hash: 90318D70A1AA4A9FEB44FB6898696BA7BB1FF98340F500479D009D33C6DE2C68418755

Function 00007FF848F01951 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3883707780.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac5357596b6f0918aed85ee06d0804cdfe1723299e8a721e5ba212cd406c369
Instruction ID: b8be6b5c2984d00df89fd27189e127c7605a62958cfbc2adf7ae364a325e4691
Opcode Fuzzy Hash: cac5357596b6f0918aed85ee06d0804cdfe1723299e8a721e5ba212cd406c369
Instruction Fuzzy Hash: 3301422590CA850FE346BB3C2824431BFE0CFD2690F0805BBE488C61E7EA089A848392

Analysis Process: XClient.exePID: 612, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F20E79 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4481647171.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f20000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7133e1729d28cb0bcf992021614017915ebd17ceeec242f500896602997536
Instruction ID: 751f9e5ed85c1220c4412038f18eb57b5c579d3025ba1d3cc878465119ddee52
Opcode Fuzzy Hash: bb7133e1729d28cb0bcf992021614017915ebd17ceeec242f500896602997536
Instruction Fuzzy Hash: 8E32D131B2DA095FE798FB6894596B9B7E2FF88780F440579E00EC32C2DF2CA8418755

Function 00007FF848F20BFE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4481647171.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f20000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64e2071a0dcc725c4672d1208bc8fb3115aaf548c05ce985794d87031914a3e
Instruction ID: 2893067eea70e904639613bb93d7cfb9961532eaa0d843e98934e0dee2eb67d7
Opcode Fuzzy Hash: c64e2071a0dcc725c4672d1208bc8fb3115aaf548c05ce985794d87031914a3e
Instruction Fuzzy Hash: 05712532E0D98A0FE795F77CA8562B97BE2EF85250F0401BAD44DC32D7CE296C428395

Function 00007FF848F20A91 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4481647171.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f20000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09173bfc01047ce8aa106ea66cd424729509895e5021eca6309022eb62f1e9c9
Instruction ID: c2791c9d14612099e121fc3819a99892d6a38af8020fd6c77ab647c6bb24d41a
Opcode Fuzzy Hash: 09173bfc01047ce8aa106ea66cd424729509895e5021eca6309022eb62f1e9c9
Instruction Fuzzy Hash: 2831B221F2D9595FE784B7BC98593B967D2FF98795F04027AE40DC32C3DE1858018792

Function 00007FF848F2093A Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4481647171.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f20000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a229548a8955a6b03728a168ea85ff29d572bc49c13150dd54c0906c21f61443
Instruction ID: 85fd1ee9268e2db6ab0f674b32dfca3bb6ca40cba935815d1f4d918344c820c3
Opcode Fuzzy Hash: a229548a8955a6b03728a168ea85ff29d572bc49c13150dd54c0906c21f61443
Instruction Fuzzy Hash: 5841CC30A1EA4A9FEB44FB7898696EA7BB1FF98340F540479D009D72C6CF2D6845C760

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1LFcs1ZJy2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1LFcs1ZJy2.exe_73fc80f9f32ec3627adb6e84ef30b754d077e0_089bc09d_1781eaf7-9379-4f4a-b314-2a9ae27ff6a7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6EFF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70C5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7104.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

C:\Users\user\AppData\Roaming\XClient.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
1LFcs1ZJy2.exe