File name:

49JGH_XClient.exe

Full analysis: https://app.any.run/tasks/a135f61c-8a8a-4293-a6ef-58fb9d2244a2
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 09:52:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xworm
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

A37220180D076713983EB3DC6DDDF548

SHA1:

2A7C58A85D4FA7BF142800B0DB3E146E296505CA

SHA256:

F7465F6839046106D6282E55BFD1B8957F6A2528C186172BE1AB971377E7BCC2

SSDEEP:

1536:jfF8UfiI12xFJ9vom6kO789XTaHIVRe5SkxT0jnS+Gr:TF3iI1sFJ9v5O7UXmHYRe5/R0jnS+Gr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • 49JGH_XClient.exe (PID: 6312)

    • XWORM has been detected (YARA)

      • 49JGH_XClient.exe (PID: 6312)

    • XWORM has been detected (SURICATA)

      • 49JGH_XClient.exe (PID: 6312)

    • Connects to the CnC server

      • 49JGH_XClient.exe (PID: 6312)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 49JGH_XClient.exe (PID: 6312)

    • Connects to unusual port

      • 49JGH_XClient.exe (PID: 6312)

    • Executing commands from a ".bat" file

      • 49JGH_XClient.exe (PID: 6312)

    • Starts CMD.EXE for commands execution

      • 49JGH_XClient.exe (PID: 6312)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6796)

    • Contacting a server suspected of hosting an CnC

      • 49JGH_XClient.exe (PID: 6312)

  • INFO

    • Creates files or folders in the user directory

      • 49JGH_XClient.exe (PID: 6312)

    • Reads the computer name

      • 49JGH_XClient.exe (PID: 6312)

    • Checks supported languages

      • 49JGH_XClient.exe (PID: 6312)

    • Reads the machine GUID from the registry

      • 49JGH_XClient.exe (PID: 6312)

    • Creates files in the program directory

      • 49JGH_XClient.exe (PID: 6312)

    • Create files in a temporary directory

      • 49JGH_XClient.exe (PID: 6312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
OriginalFileName: XClient.exe
LegalCopyright:
InternalName: XClient.exe
FileVersion: 1.0.0.0
FileDescription:
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xb07e
UninitializedDataSize: -
InitializedDataSize: 192000
CodeSize: 37376
LinkerVersion: 11
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:12:14 09:47:04+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
114
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XWORM 49jgh_xclient.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6312"C:\Users\admin\Desktop\49JGH_XClient.exe" C:\Users\admin\Desktop\49JGH_XClient.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\49jgh_xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6796C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmpD67.tmp.bat""C:\Windows\System32\cmd.exe49JGH_XClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
6804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6856timeout 3 C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
737
Read events
736
Write events
1
Delete events
0

Modification events

(PID) Process:(6312) 49JGH_XClient.exeKey:HKEY_CURRENT_USER\SOFTWARE\3C54740F7CC0F23B53E5
Operation:writeName:9BCF8DFC92BC643B9414A446DA4632050DE1B7577FEDF4F7711D3B4B3D46E06D
Value:
004A00001F8B0800000000000400ED7C0B781CD595E6A9EAEAAAEA6E754BDDB264D9964CFB99B6250BCB2F24C0603D6C59C1B265CBEF10E45677496ADCEA92AB5BB605C1B44298849713969009842C78C8CCC42161434862203040483281845D1212200C3810F230C94C18B293DDC010B3FFB9B7FA213F8664BEFDE6DBEFDB695BA7EE79DC73CF3DE7DC73EF2DB5DDBBFB13E421220D3FEFBE4BF400C9CF1A7AEF4F1E3FA1731E0AD1577D4FCF7940D9F0F49CAD23A96C74CCB1879DF8683411CF64EC5C74D08A3AE399682A13EDDAD41F1DB593567330E89FEFEAE85B4BB441F150FBEFBAAD82DE57686E34A0F4117500D1254DDF0310750725AA126D55DA4D547AD26392CE1F0FADB99645F96FE9597C88CF57078836B993F9B4E70C93BC8BA8E24FF0C5691FD86796A126F0F5657873CE3A98C3B3628D941573554F53B1A7D9C93A09726D838D62A25D53E5A0624DB363A5ED846BEB5DAEAEF5A7C9759C6AE68901F95C2FBA7869EB4AA2CF2F22525CFE3B979572E24FF9CC5663D389FC8B17921AAB438316FF4D76069E7928D4B233B9C551CBCEE296875BF5DCC2ACB4C5D54B15111B8886E91077B01BC0F437925EE4A982C72AECD9A7F23C82C74AED734EE56982C7C3D8D1124FA50BC1F30A1EA0362D3607CC80D134C7C1F063CF80A6C6E68264CF03C82269FD1566DE2BD4890EC531022452157AF402792EA97946166FCF222A7A6C017AE74050F30653E1A985EC29A2427F43F4370AFDA7D26341E810F4AF4F3BA9D700C9BE8F6D8AB1FB4CB6FDA43E732AD5E70EB3480E43B330DF1D24F232CC66F8C1F7E43182A6E5A15DF3E661A716D2F2213C0EB14E7B3187F090AFD83C3E6B41AC915D4486DD84676C095363CD80C7896D56C4E252A8B58D66C167CAF5B5F94AF4AEBD3C1FE6609FCB7655B37A1E303F8D2D845D06B5C2DF3EB6AB6E7A7D76294B41915623BB4DBF693554E5235335B04094BE4B64B7082B4BF832C625E1104FF210CF31B69CE3B88259D3854D31A4BAFF70CA1F5BC58CF338B61135D6CAB37360FAD821B62ED6065CBFB11DE38B6689185162E7E37116D60567611D0A155AB10B19D471DA484B797AB5021E4ED5229AB51CCDD5DC87D9F645682D3C5E23FD1FA4D80CEE59F0FC62E9F7F7D3F373941AF63BFBF42D45F8013925427052F1EB4DBAECE77A47B52F16F95E7B52AD30DB788D1E0A0BB79F5482BEB607594C5875333A576B61ADED4626B1F7ED356CFD7CCEEB768E0877938C0E1EB42C4C61117EF4F786BD4DABDC88FEE9337E79159722A165FAE52F1E9BFE5C2917A8719A34C635D2EE14F3A5D6AF52C14CC931EC2E9121C2BEB5AC9FD5C1243DAC370D1F8247B426433C1A6B0FD5314BBF884D5907D10579A667BBD1AC36C24669F2F67AD65998CF99A63EBDDCD4B9720E251B5E3C6D3A448D3E37AEC73BFF8C9CA89539516D4E490A8578CDB7D7CBBA8C04A4A7E1C957F1032524734425140AAE315C0F620D62647785FB493FC30A5F5C58DFA800B3A40E2FDD4262DF810E3979BF1A9BC789814AA4078CC3A9580F880E948EC5DECF1A9959A19BB5E6E1940C8C6ED41A85B69858CD74FB129E9A4074E1EE5A5D78ED58ADBD414CBA82F42643B77BB9CF4B675D16A4D4F39EE1232B53D8C615BAF243545398FF774009B2EDB24EC9E1ED8D454BEC4DE565EFCC4E7113ABAF94631DEF5D2B4916D8CDE59215649E51D2779A64907C678A0E26B582C48E31232AE343D8E1666C2BB4F751E8EA42FB33143A5A8AE193E815623FB47E03ADE8D271A2D8965219B5FB79F67ADB35540872C03997035A0C748579E640070D5FADAF105CA32CE8A707DA908136A6043AB655CCBB828C26C370C34D54CC79ED9488D3F46A6FEBEA77F928EBC67E31D9B715621FA64F1FA55A9E73872CC9DB78ADD6885D88F7472FBD84A345A5BB1E623C372E71875842D4EB9ADAD8769907B5B7078CD83231F1E8AB2D3F7864E5C566F4BE6D038756CE34A39533CF572F7896D7334962F3BE564BE54360CD63A17B2FF885CBE16E177C8A0BD67AC1AC7872E6D3DC7DE7BA1F3CD5BCB7D1A55C70174B2C14120F7CE99B3F6AAE64CE4F9FFB973F36B7B456826C38D86CC66A63D8DAFD6D77B230177EC3D95CA23ECAD4D7043551A2FE8CA94F0BEA9525EA0B4C3D26A8D794A8FF93A94704F586125507A1F50641FDCB1235CAD47141BDB3443D8FA9035CCC63E7705EF80EEDE41CD925A218D69AEA7CD11A70A767777379133C9CF0749C915A17157BF12652D68FEBF78CB05774AC3D43C77FE6A0CB0469FD39B7F5E9B7C73EC03B7A9D7C662F6564864B9C299FBCA8D0E1FEF7EC106BE1715AAF2F082E7705F999FD200B5C26CADB0C49AAADAD9DCE074C9D1A7713CB0D884D857BEE11F53B6CD6868D259EBA46A5F6509CBBCF65FD8D4BA83636C802BEB0CFB90F1EE51E0977AC24CB2DE04CB5782C2C8AE30DEEDAF053D87FA62A51D813D8AB0F23811EC14F83BB27542FF510D61D9F9971E61CE2855E5B81E21C34AB351FBCAF55EB8DEF33C2FAEDF63078AA8C2D9F0EB037628182E16F0C53589FFE1C0727EC6D79765AF1AC1D162B90F58E705F3B45EE419CF80C2CF99132FEE565FC594B35E20B62B55C9BD9BD6CD94CB17956A0AACCB4D35C2CCCDAD8A8A88E466D362312CB37FD45778F65E3C3DE5A9F6DB364D8EB3F3E93907666582B5495B20A23C694F5A3891A7AB834CA7D64E30E594BD89E4BE5BE1A2E54441515708CCBB83048143932A60B43823EB5166C7B1F137DB6E3D6345F93E1734794C5CF3FB5D0E98BA50DF3A9A64D8EABE2F4BE6E63C90644816AD8866C964DC8E6C436629887F8282F0AB08D52EEB7F78BF25B671F104FFB20DBA4C23D61AD368CB3853D21069FED668E97C2DE7FEB7C1FA4F3BBA941EE1DFF6E1BAEF8BF6703CEBA24CE35C81D3ED5ABB78BF37C8070124769E303F987F088FAA30B297B95DC696387445CC0BA5A4AE4C51235ED493C4DFBC385C51E8DD2F7C9BE866D8868CF54176E84B18F005C851B9716D1628BDDD2D4B436AC5D398B8F7EEEE172B9CFBE1672A062816957A22E6985F639B25DCF3E6AE475EEB3FF42A40CDFD0FCC797942787F0C82993C97E94DDE5BAA52C5F97D2ED4F15F6BB107DF7399A53885392CB2BFB488B35F16552B73FC6BE8A5D27DC0DEB1790AE66AF1751A873A3A0632DC76E280F4021DB0FE12EE0F75C9EBD89DDE97C8D37FD28D7F5E9D9C36E49B73FCE1E35FFCA3D43541BB5287146C48C7D42E82B5EBBAAFD11BFB87755FBA4EEEA801E0E202DEC9B59506C4E72BBFE2FECCB80BC7B2CE49A770BB7985A76F9F29DFD5EE6FBF3EE65C743140EA042040AC7CC50D8046AC43E2902F5121DAF72DD5451748F3CAF2C96E7B09914584075EC7F95EEA68F352A6E1DF9103D7A816C636AF4D206A54AC6C843284E54C7318A28276B90D0AA8A70AFE1F430AE9CCB67A42BE164EDC50AE3CA79029BC358D09CFE9C6FFA73222370220A6B22B739A422FBAA7535ACD7F13D4D5FC853F2620E5E774A61F75D03AF2995D652CD6E59EB385FB2C89719625DFF3B03EEADC522F046F4D3026E220944C00D37E0BED8B91CCE5BD9F54B7931F9B1759565670071781FB633999ED5A5FCACA070C5A9F919F6877D67CD1EDF7B648F71F6EC31FEFCECF1C1D5BE52F6E8ECF9D3B327784AF6201EED49991D1F93F713BA55E605C95C2262F68FF1D3A610B989245EF9ADE6BB18683D6574FEE0A4427C8CDAADC8F79F72AFE76AC1594AE1E8B73F5B3FE9579B16D4061AA7A9868D63A95F8F476F5148D9ED37A6EF0C18AA8D239EFF5CB5F1D5C27E1EE13CE1FC503DE2201DFB3415376C7E77C545A85EF063B7D129EFE31A98FE4C55A19A1679158533801ABB9DCADED3F1F964B6A0DFE8C5A8D34E2A01A3C98C61368DFE462FA9427021794ED6305BBC7E5C2416A27BB6C0AE40E788FE57DEC169F859CE68E34653EAAA309BA6C5E0BEC680641BF67F95A5D8107AB714B4A9D93BB9EAB3C8E2E62C42ADE7F975C1E2659E1CEE68B3F8D52726DFD1FFFE0EC57D83CAF3D9BFA27969F3F2A5CB5BDA98E2251C55E85B98FA3CACD2A5383DFC08178E79FD39279519CEB2848645FD7D8ED1B67E7A668E1BAFEE6D3DFCDAF715E0DF358077A4EDC152DC951D0D7FD5E0831E7A5B59CE1B218FBE878A777D42D21297A43BDD735F97F407BFFBE4F76E62B2AADBF6B9325EF789E1C4EF08E4EBE9C70C39339D66787756E8F41702FEB3E770A0921EE0179DD4A22DF3E9F48E80A35E866D026E11F0A0A0376811F4BACDC3F05B82728B36A6FBE961CF2771BB4A78EE34FCA469771A215AE2391108D11BFE2F0674FAA27618EDF55A4B4588F668EB159DA221C30CD1313FCBBC2A287F5099D240E3D0F0B79EC3A64ECFC2369D0E79D8CE2BFC0701AFF635F8FCB4DA6362DCBDCAC5BA4E9B7D86E9A7CDA1E7833AFDCCF821727091FE3D3D425F52BF07EE118CA2D30BA18B4119F3ED829DCF1B8F83E2284EA54EAFF818AE329D4AC8FBB8D7B501860FFB7701FE6D7017343CABB2860F0B784BE5328CBE5E8CFE0BE80CD11CA5A5C24FAFEB87037EBAA3F2F9A09F7EA7327C59657BBEECE5195D1A6CA9A8A58F9AADC1103D88B64E3B88B55D62B0E5BFAD60C913B01CFED499B246F4DD2F46FCB490FC747027FC6606D763EB794A615F1D0A30FD4DCC2E423F0C7D4FAFA5598156F4BA4AD0EF05BD5BD9E5E7981E5359739F5E89993EEB67FD0B54F6C01C93E71E1270A5CA1E7833C8B3DEA9B2077E6FB2F7468D48458486FDEC87B6007B7B2EF4730EA5442615D6CAAFCC6D953D45EC9FFCDB2A7BD1E6ECAEA2F785B6557E109847A4E42D15D7557C10F9690A5E43705BE5B5C8D280E03D56C99226AA1F579A7BCC7B4CC62A85D673828CE1242578978418ABC49D82B1BFAF60AC862B1A44BFE867AC163587FB7DD327B145026BAB646C3A350B499CE589B165E405F6624062CB05D6E4F2CE272FD6ED6F05564717921FBCBF07F6346AEFC502BB5F60B381F14AEB169251978704012F4A1DA8E273FD33B5167ACB371730E85F0C78817F9916A66EF37CC01ACF4580FF5BE9D46AA1B91BF083026A951B00DF0A31FC3531FC3B013F23E027944D803FA72D80AB8C1D80B67F37E06B7499B60A92098CC27073FE4E1A42719A55F99A67157D9952AC9946359D4E7A8700D520C399819F22B3F6051DB4FB2B99F20301E32186DFF731DC27DAE79A435A5F54D492BA26AC5085764EC1060516AE5B167814D88D02AB365FF1EFD714FABC8B3D6F5E09EC5B2E76BF3F0FEC15177B2A702DB0775C6CBFFF7A605D7324F647F5E3C03EE0623ECFADC092734AE3A974C59C922D2A7D4460B5E6ADA13B3495EE70FB550519BB7F4ABF57A7F4FB47D98FF6F88E68537906ED995BEA679CC2FBC85CD9AF2DC4BC17E649EC84F70B9A41EF2C90585CB94F3369CD42893DA63C84CAFD8E8BDDA13C8A3CD762123B5F67EC0FB1D278FE29E3F9A96291941C824E7907C9536DF472F5981628620B2A1FD52AA9AA494ADEE07B42AB2CF2BE137A4AAB72B1EAE843A167B51A1A71256FA62A75067DCCC55E41759F499F77B1EF07FF419B45AD4B24F604B07A7AD8C50602FFA035D09A6689B5039B3DC5EA73DCF1C2D1DB7D3FD34AD803E6EB5A94BE25FA85C931DFD4E6D38973A596059E3F680BA6688995CD4FF1C6E8C61629F98CCF0BAC6E99C4B6A915DE45F4CE721177FA577D9AB7915AC519FF3B6A4BF02B9E26DAE96255AAA12CA131815D43BF56677897D08D2EEF01FDEBB4843EB7425A16526683F7B4C0147A9B167A9BE9F91525CBCEA59F0BCC63FE4AD9046CC1CA725EF91CCEA5F35796627B2EAD5B29FB0570DE9B2AB9B438DB3F069BBD256C5DE52AEF3261C70FBD0CEF25DEEF5F622DF44DE237E30F139F081E5098FBB28FE10AD1FE855E6A7F43E15EAFEAE2BCC0EFB7E92D83E9DF9633AC60EE964AE60E8BB7ED2341D69914DABA0DE6F69BCC6549CDA59F0896F4F309E754A802768A513E296C3E216CFE4761F3577883A00F083DCDFCAB573A2EB897096D7FA34EA517C6BA47C81B6A092A549ADDBA909891681F0EB1B65F55F8A829A020A2ECE119807EEC144D812AD46B866D02B60BD823E066017701D6505CB45302EE13700270265D0718A52342E75101EF13F049C085F4AA907C5D50DE14F066016F13B042C06902D60B38DFA573264D13B05EC0F9023E48B1E05EFA017D52DD07F8F1CA097A0BF257D37DCA3DCA4DE453B8EF83809FA130E011C83325ACFC26A4D3E38A3FF0DF68867299FA757A5279587D08943FF81FC56D8365E6003E0358A72B805EC03795EBFD2FA37D51E867F496D21B3C01F821F30DC02381DFE33EF37BEFBFE28A5313529416658E61000E850CE54DE5013DA08455B6618E72C25BA5CC515EF6B6288B9481CA56705FD4572B73D40F78748CFB396F07E8073DDD808DC626A5A76879BFC236EF16DA1C6591FAEBE001E8F9A17115E063CAB54A9BD03047D926A068ABDC0E2B27430CBFEABB17921F56EE57DAD51654E61EF549EF3165B37A4DE8694551BFA0BFA0C4D5CFFB7E0AF895CA9F017256A4D46DF432B560F413CA3E95E184DAE5FBAD92527799BF07BCD7FBB632895EEF2AD7A9D586AAB2553E35A55EAF57A9B7A9CF54D4AA9B958F0697007E071E3EA2EEA136F5887ABCE262C0C7F51E95FD3C0038A458EA518C35AAEE0225072829C72B6E409BBDB14B091AD887455C5232A6EA1BFAE7D4C7D5CB2B0700EBD57B0047035F51F729BB8C07D0DE84769B88429B88C2047AFD489D542E515F067D6788E90FF90CE5272ACBFC446599492561FE527D5D5DAEFF0B24DB95B70157E14430213CF01395E3DBA27CA572AE87294D1ECE99559E37D52F545EE0B90E94359E9B15F6DBCDCA1BC67ACF5BEAD3FE4D9E9FA82F78B77B143580AC48A99FD113A05F175AE589AB0742777A16A957058F0236C2860789ABF183C455F841E27AAB785E509EF4AC10A7960BE96BDE4D387F3DEA7D1B6DF680493BA9465B4477D33EA31927C821D4E06AB20167D161C079F497808DF405C0E5025E20289D389537D32582D22FE007E8BB8009FA1DE05E7AD7BB06D5BF465B435752B7DE49599C9D3B45BB07637DD848084A425052A07CCAC80BF96BE806016F119065AE03F76EE32EC1BD5B70EF063DA5DF4DF788F6FD02B2FC5168D38DC784E41382FE0424EFD19F10F427057C45705F137A5E13BD5E137A5E13F23EE56E3A665CA308AEC2148FCA167AD4CF50A5314FB4E7A93CDF4E95B97B74A6ECD159675EB4F3A27D9768DF25DA8F89F663A2FD8A8064308CBA90B96B447B8F0B85BC68BF9FB6A24A5E06AF7E943E459FA727B02A07144BF98472A7F2B0D2A0AE50D7AA9BD443EACDC8D5936ACA7385E7739E7B3DC73CDFF03CE6F99147439DF6E20F9FA70C443A2C6EB66FF85763877BDDEC003CE6EF067C29B001F00AFF66C006CF76C0DB42977AF9B6C0F0374ADCAB622FF188EF477901599F8A1F9F781B1F10BF1708F2EFC40155FC540286F85503CEFDD5F43563236E0A2B91759DF41DCF4B9EDF787EE7216D9DB29A2E57B173291713CE1D78821BE2CD662D3D14E2ED691BDDEEE3E70E7AC0E4E78090236592FE18E4E735B40EB8962F7D574B7EBEE9A3D2B7E178B7D3960881A93479FFF297D12A707B3E55AE42FB9E7E7ADFD660A1CD1D3E5BC16F28347EAD8C7B951F330E628709E22615C2B9A986983B977E299EB678F2EFA17F49E729FFC3739EF27BBEEEC497D2FC9E2D6D4B5A6860437C7430199F3F3020D0AD2DD46967F8AB72DBE3E9716B0F28238E154FF6C787AC4D83975B895C9F63EF4F252D07AC6D59CB59BE8CC6E563ABDD93C9F173190D5BB9816D5BD7B5D285BD76723C6D5D4417F639A9FDF19CD5333A96B646AD4C2E9E4BD9992E2B174FA5B317517F078D7475527727F5747551E7B62DFD9BB60CF4AFDFB4A3676337AD87ADD4B7A967E3D6F6BE1E5480FEBE0DD4BF817A5DB99E8DEB3651FF4436678D36F76CA23EECF51DFDD4DB8F4CDE4997ACDD45039D693B3BEE58982375A5B26376D61A18E8C96473F14C022DEAC4047353499824CFB52B9E8BD36836613BE9D4206DB1D2563C6BAD4F26A8DBCAF1A3379570ECAC3D946BDE9ECA8EC7D31DF16C0A7526411DD6702AB3057E73DD475B52976792712BDD1BCFC487ADA4F0101C9DC120C052D9F2366C4C14D1FE894C62C4B133A92B9897A4911D19102D809103009DF6E858DCB17AADDC889D746752988718049616F1A435141F4F97F054A1C1D38967473AEDA4455974EAE506AB76AC6C167192786A6CC47244B31F9E48E444739D638FF68C624EAC443678D85E74E4365B5A68F748E7C707D3166D19CFE452A3D6D689316B7D3C934C8BEE8CB13E9732221F5B30543C338CD6BA14C00E2795B336A432EE38AE1212E92A5A885DCE4ED86981B85AA9DF4EEC759BC2F5700332424CB6D0C65CED71276115F0CEF89878B68F8DA5530991AF88EF14BCDFCAE5F81DA2A07396598504A3B5C954CE763A1CFB8098703F12DEB55D38163371BAAD8CE5809C6CCFE59CD4E03858DDE3A9326CBD951EBBC49A38603BE522855E1CAD12B9CB1A1C1F1EB69C8D768697E599986C4789768A812506CC4336A7A6D0DAB3596B74303DB135952B276356C86A2729577999E1281092B6313E7A26354E3C698DC69DBD25D6D6B883C0AC73208FF9EE3D7D62D099B432A7EBE2A4D86E399CA62566EF44B7638F8F75DA694ED429AC42BF2E2B9B7052635399323422B658EDF183A2953DBD33722C399EC89DCEE8B4C7269CD4F0C8195958AA998912C35D03829E4B0DA6D2A95C1957E44AC704BBC6160FCE5B91E5226B650BE92DABB244FBE3FB11D84C124BC64AA1E996218970FF7E94114A0C8A076BE1E5D9313E34643945922B5E4E65C0AD4D43D487742F145B59DA98B03693B093659C2E277E006833D78332B23BE166375CCCE1E5CEAB67D50AF93A9E275B8EBAF5ADC8741B98B7DB9A3A222436D878F4668751B78765F20825702997B8425BF6169475E97140685C67A7B1AFF5C57323C2573B5249B7B5C1CA0CA3295DE2226389140D6EDF8BE8A24077C6D3E9C178622F21B133D921DB195D97CA603B48A3EA506FDCC98EC4D367DE2C9A7B27FA2D677F2A61659BB17D5A0EBA15E6C4A6DA19EC955C68D3EE36DB9C4CA7511247ED9C850CDE9BB3C704A50F994EDDBB53639898151FA55E4838132EC273E88B6369515A3E0EC8871C078FD1510BFE48B4A7876D64DDC828B1634AD8A09DCBD9A3D4D3E94C8CE5ECE21C8B15139B1A0DF62700113DDBC62E99215E081CDCFE846359191130D912C63829ACFE099772C6E9366376A9E10CF5A5C7914234D2832D9138CAA251DCEE9BCB7629A1BAAC3AA30A94636C515FEAA095DE34C6053465978D9C194A0D8F4F2576A7EDC1783A75C514E2166BC82D2862ADF4D9D99440D61E4C58635230E164786553F2C0DA833927DE9319B249EC8B5C921302757718D18663C4EAB19C02DA39EE646D89EDB61C9B3A52B9D1F818F5A72D6B4C4C71AB3D3635034ADEC57C29EE506FD74A192B37B70A67361A65FF4C3DC781C61BC6694477A19CCEE89DD8610D1692F6146EFF989548C5D37225913B3177E108DBB79452062E71E4A1D1E256311649ABCB96D9C09BA4D804DDCE6C6741A9C8602B27080CE1258471BFE5E45CE182FDC88262B313A9E9B867BBB58E6363542B37051F91DEA7760419E755B49A13128A472FAA163FDBD7F60F745909E163C73D769570E6C2CC29DC12BE0D33EECB39D4EDC4C74652896CB184A5E2C3193B9B63124FA0C31ECF24B367291B5D9670BF2C54A570D094E09CA5EF94038C2B794A8516A5C81E7B0F4585189D4DCB59F96E1264DDD58D22783AAD4868768A2C791640E1E61201ABE4C1322BF7CAF6749AF7C92CAF06D9C8AC4BC787B3EED94FB69307E4734872DC5F018BADD13DCB115764B789E56E39164EC86BF761D245FB77A432491C9B9AD7A108CACE185B2EC02CC92CE47A94A544C7382A271A63EEFA44C190C939824DA1786276533A5B3811C894CF9E96EA5992A5CB76B2C5D3397C9228345DF3365AB9663967610D224DA2EEB1B968635439013E58537B3229D7B02B6A65F0E3527A27DCB541EE414A1E28DCBB0ACA3F73D229946C399CBB590EE528CD80B1F5161F86481C89C81E1B587B90732F9543A5C071077513602499E8484BF12E7943A11EB1AD220518599BD99FC20D886F8DB4D79A184C0E58FBB93D6A634B74DB7D768A61C1537C5B722FAEB9B8937383C26200ED830CD763A9E10684C2503CCFF03F10E3C227EEBFF244E058C30EAF43E931B7ECBA0876B18CEB4A4A1E2CE5328A5ABBE3C42728392176091CE10B43F45B8971E4EA44B32CCFC35C02266406B9A7440E0807735D7C34056C33F20EF2ECBA9E8CB5CFC54A298A00212540229AD3473824D030A52843CDB4857072C3FD7F9C1C4A8836195BA88B9690C26F00027DD4431BA99B2E26AAE9878403D934FE74E179001A285C4EDD466344D33BD1B2A109C741C1B3F027E3EA6D749F3BA19BE55290D80BDA25908179E12E61C35E48B04E68F35C8A9153344A71D86CD1B97439A896F86EE397C736ADDB3E396DE391B7B39FBBFBE3D7C6488B2A8AE98992E245231C6634C440F54655251412D47623AAA11D0AE935912E2552211FA67CC4E5638D6680A345A99AB8653288335863189EC8556AE42A2FA96A7DBD414A2415CEFFC01BA548FEC7060F82A71782F94913BCFC4FF097FBD5B101F5753A0C88E45FD60DB53E92BF4927C66E82BD210DCD90477C675633C3F9DBC2F9CF825311F528E1FCEBE1FC3F85F36F42C40C8979983A514324FF472F11C328415AC0DB60557D7D3D149A900ED55745F548FE4883D734C393C1C8A4AFBED2F0A9A6CA9F48FE3AB620AA9890C0441BBCE8E117CEF21A18963B418F5F5AFCD74CAF17F3BA091646F2B736781BBC40781813A3C29D98BD8A7166F8A39AE90E1962D19B8A7F4386AE96BAAA3C671E831BF5F55546A02114F2D5A975AAEA85176FF2930642087A96E8E431432155D5EBD8ED75C299A6C9EE0B4FB6A1B7CAFEF386547D0668A1F0640F3A7084BD8479847482CF1ABC9506A67A147E3B6AF247954E3C8AE83478D993939B911E10F7180A278AE8A1B3A530183DBF042938A181BD23E607B5FCF4C196C864383CB90B8E71C5212D86362352C37D91FCD722F907C5B4751EA4C1CB7E0D4F5A22711E34A31EA699903722F94744F01F89E41F0F6F804B110C76664AE4D3E391C9D160545778069C2693FB30901949C18D75F38CA0E8766B24FF6D4C2C927F12DEBEA95E2DA413E837F9E03F81DF26ED1E458BE350AFE991C90943D026107476CDB7D971F5552A6721662855623878A64ADAB913160B43EBE61BA1FAF291A78CFA882AE38F81EAB094549F8974F29870B48A865A8F86586129AFA1CE8681B3C95BA5D06CD2FCCA6CC282ABC63254C5C2AC2603CF513CDD875ACD52D5C4A101061F1EBBE2D2ED3356BC729DF9E58B07AE0EFFD87FBE26BE29E52E76F769BACFB8FB5CE3D12357C105F94934EAB8719DAA239F546EDEACEA7E0FE2C8ED5B55BD5ED54D48AD67F4AF3D7AB84F43F254303019C419AC617095589F9372954F32A5CE246F7D48D41E413C026F724691565767D6D561FDD7E91CE5A321088A189BE0A95EAF8F135BA40D92BD2ABC81A975A629A51F314DE23A711B562C91296975064A01D3E0741F963545524695027FC2A34B1545A99ACDEFCAEBEAAAC23BB158D0F069264FC3E469983C0D93A761F2344C9E0637EBB41842612AEE3FA09ECDBF7FDDAAD6EEC0F6B4D1CE142F37D85171EC512027BF9116512838F52222BE83838D42A148F14D48F49B47A3D1654B972D13DF879CBFAC6DE8BCF3E2CBE24BAC44EBD0921589958925AD6D6D8925CB56B5C407E3ADAB922DD679E21B95464BF352FE43D4ADD0CCE68D6BB716DF0E35B96F1056F317FD606A685A91C5EFDFD2F1097EEF54C57DA2454E748559F8A6539D42FEDE89ADD628447396D9521CA95DA1E5A71E529BB7E24A9B6DC659D1CE0CA727F81D62B2C0EC184FF14DC76C5955D0B05BA14B4E3D2DF7E7C69329BB59BE71832677EF96375CCB2912FA53FC9A935F68B92FF96CC707CD2DAE6A5371BF1018576845E1286A0D36175F2014DE7C62083B3EB63E971B93A7B3023D72FA9BEEEA33BD1027C2320DE0505EBC3851B5422110CAEFD32246A0895B5941A0FCF651D0523C4E13FF33D1FFFED41B7FC751B8193FE9D37C5D68F1BB73CB698A165EBE37450B215F213DDD14756FD1AB33D638EED9E9A668DFF8208CC3696BABBDD7CAAC1E449AAD4CAC5CD5D2B67C85B5B4B56DDEE983C9E37681003BCBFF3F80BEF62EFECB36BF345022FF2F6E47E98C9F1303E5184E924E573ADD1B4F65E42F112C4BBCABE1CFBB0BA0A3EA8C4AFEF3F3FFD1477E37BBAEF0BF6C94D1798D2C3D039D3FFC7F47EC04E7C2B2FF3FE3420F7F75693B4EE603806B71FEEFC7097F13CEF803E2A4BF4EFEAF1BF488F6C64972BF5F53AEF36217E3DF3C9EF2DF6288EF2E2BD01AC7D97D1D4EF6699CD37B70F21F12FF7A8268BEE8B515DC38A859F0E384CB15B81957C397B53BC4F77AFA4177C40D65F80C9A0E0A99A5C53F2B68D0FDBE3CFBA31332A3F8C3778E1C655DCD73CB786362FC09CC362EE44AF6F377530BE3C99B4842D83136C54EBE338D02CB15A5F6A22D6E2BB0C32CD3B11D3F0E7F2BA0D8B70577AEA5C51F1E93BFF3DA236C65D90C6C4A975976F6B19A2929EE5C1C67D6B141DC8AB877A7E04F08CB876984F8FF33399D16A5A3F889D232D8B18CF83B668B858F4A7A64A492C2028EE9DEA23709523CE626575FCAB5BB30EFCC9F65FF85C2EF7DE2C697C44D340189F2D8FC5BFE5E21FC3DB5EFA95E3FD5E7ADA24F3B24B242F320AC988027DEABDF7FE8678FFC370AE67FF8C0FFF9F97FE1F37F0074BE5D46004A0000
Executable files
1
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
631249JGH_XClient.exeC:\ProgramData\SecurityHealthSystray.exeexecutable
MD5:A37220180D076713983EB3DC6DDDF548
SHA256:F7465F6839046106D6282E55BFD1B8957F6A2528C186172BE1AB971377E7BCC2
631249JGH_XClient.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnkbinary
MD5:03CC5263074E6B2E289B35DCC19BF3E5
SHA256:0437974681A3702A68140B013663B0ABB87173F480969D1201DDF9975EF4E0AD
631249JGH_XClient.exeC:\Users\admin\AppData\Local\Temp\tmpD67.tmp.battext
MD5:11D58A2B3B79443FC6B3DEEE46FF1382
SHA256:082B04BEE1FA56B5ABDA0FCB1A8E85E10B74838916AC754AF99886B1D5BB8383
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
23
DNS requests
5
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
204
2.19.80.89:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.19.80.89:443
www.bing.com
Akamai International B.V.
DE
whitelisted
6312
49JGH_XClient.exe
154.216.18.30:5050
Shenzhen Katherine Heng Technology Information Co., Ltd.
HK
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 172.217.23.110
whitelisted
www.bing.com
  • 2.19.80.89
  • 2.19.80.27
whitelisted
self.events.data.microsoft.com
  • 20.52.64.201
whitelisted

Threats

PID
Process
Class
Message
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
25 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
49JGH_XClient.exe