File name: xWormClient.exe

Full analysis: https://app.any.run/tasks/29569bed-bd8f-4d8f-8c77-de878853f525
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: April 15, 2025, 17:33:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
api-base64
python
loader
upx
havoc
backdoor
framework
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 5EEB3A1F1BD4BFD02F1A58625D20B72D
SHA1: 9E9C368D5A68922CE486318AD21E3A01D4A7B3D1
SHA256: 0C5FF0AA181B189C7C924BC44B008AF4C4AECC7B1E9B15A2A18711C062C4EBAF
SSDEEP: 196608:iDnlLhOK0xcdlJHUqGtgoijF5u9VP6ioePsR3MaT4eXfHz5oZI:mb0xcd0qGtDPtvPm3MaT4eP9oZI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • roblox.exe (PID: 4040)
    • Connects to the CnC server

      • roblox.exe (PID: 4040)
    • HAVOC has been detected (SURICATA)

      • roblox.exe (PID: 4040)
  • SUSPICIOUS

    • Process drops python dynamic module

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Executable content was dropped or overwritten

      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • Gui.exe (PID: 7608)
      • xWormConnection.exe (PID: 7508)
      • roblox.exe (PID: 4040)
    • Process drops legitimate windows executable

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Application launched itself

      • xWormClient.exe (PID: 7304)
      • xWormConnection.exe (PID: 7408)
      • Gui.exe (PID: 7608)
    • The process drops C-runtime libraries

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Starts CMD.EXE for commands execution

      • xWormClient.exe (PID: 7324)
    • Reads security settings of Internet Explorer

      • xWormConnection.exe (PID: 7408)
      • xWormConnection.exe (PID: 7508)
    • There is functionality for taking screenshot (YARA)

      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • Gui.exe (PID: 7608)
      • Gui.exe (PID: 8072)
    • Loads Python modules

      • Gui.exe (PID: 8072)
    • Process requests binary or script from the Internet

      • Gui.exe (PID: 8072)
      • xWormConnection.exe (PID: 7508)
    • Potential Corporate Privacy Violation

      • Gui.exe (PID: 8072)
      • xWormConnection.exe (PID: 7508)
    • Contacting a server suspected of hosting an CnC

      • roblox.exe (PID: 4040)
  • INFO

    • Reads the computer name

      • xWormClient.exe (PID: 7304)
      • xWormConnection.exe (PID: 7408)
      • xWormConnection.exe (PID: 7508)
      • Gui.exe (PID: 8072)
      • roblox.exe (PID: 4040)
    • Checks supported languages

      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • xWormConnection.exe (PID: 7508)
      • Gui.exe (PID: 8072)
      • roblox.exe (PID: 4040)
      • xWormConnection.exe (PID: 7408)
    • The sample compiled with english language support

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Create files in a temporary directory

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Reads the machine GUID from the registry

      • xWormClient.exe (PID: 7324)
      • xWormConnection.exe (PID: 7508)
      • roblox.exe (PID: 4040)
    • Creates files in the program directory

      • xWormClient.exe (PID: 7324)
      • xWormConnection.exe (PID: 7508)
      • roblox.exe (PID: 4040)
    • PyInstaller has been detected (YARA)

      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • Gui.exe (PID: 7608)
      • Gui.exe (PID: 8072)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • xWormClient.exe (PID: 7324)
    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • xWormClient.exe (PID: 7324)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • xWormClient.exe (PID: 7324)
    • UPX packer has been detected

      • xWormClient.exe (PID: 7324)
    • Checks proxy server information

      • Gui.exe (PID: 8072)
      • slui.exe (PID: 8152)
      • xWormConnection.exe (PID: 7508)
      • roblox.exe (PID: 4040)
    • Reads the software policy settings

      • slui.exe (PID: 8152)
    • Disables trace logs

      • xWormConnection.exe (PID: 7508)
    • Process checks computer location settings

      • xWormConnection.exe (PID: 7508)
      • xWormConnection.exe (PID: 7408)
    • Creates files or folders in the user directory

      • roblox.exe (PID: 4040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:15 08:17:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 116224
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 150
Monitored processes: 17
Malicious processes: 9
Suspicious processes: 0

Behavior graph

start xwormclient.exe xwormclient.exe cmd.exe no specs conhost.exe no specs xwormconnection.exe no specs xwormconnection.exe cmd.exe no specs conhost.exe no specs gui.exe gui.exe slui.exe #HAVOC roblox.exe ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4040
CMD: "C:\ProgramData\roblox.exe"
Path: C:\ProgramData\roblox.exe
Parent process: xWormConnection.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\programdata\roblox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6620
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7304
CMD: "C:\Users\admin\Desktop\xWormClient.exe"
Path: C:\Users\admin\Desktop\xWormClient.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\xwormclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7324
CMD: "C:\Users\admin\Desktop\xWormClient.exe"
Path: C:\Users\admin\Desktop\xWormClient.exe
Parent process: xWormClient.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\xwormclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7352
CMD: C:\WINDOWS\system32\cmd.exe /c "C:\programdata\xWormConnection.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: xWormClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 7360
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7408
CMD: C:\programdata\xWormConnection.exe
Path: C:\ProgramData\xWormConnection.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
csharp_defenderbypass denmesi sonra sil ise yaramazsa
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\programdata\xwormconnection.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7432
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 2 459
Read events: 2 443
Write events: 16
Delete events: 0

Modification events

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\ProgramData
Value: 0

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 124
Suspicious files: 4
Text files: 933
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\VCRUNTIME140.dll | executable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_bz2.pyd | executable
MD5:FF52C3B3EF7549A1D89070E8649F8ED2
SHA256:69D181C25797E994A9961C9F40DC57D04F8391C4FD83D412D23162FB4BEB4FD7
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_hashlib.pyd | executable
MD5:244AC279950597392F9A9133A976F20B
SHA256:0E39DD9B6F307F6C43F25444492B7913039EA86C84E82715863FB2BF6C1CF4F4
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_decimal.pyd | executable
MD5:A9E4C6C68E20518E4301A865A6387C4A
SHA256:23D9216D09ABE0DCF7F9D31DB37239F2BCDCDA1954EBE0E8FE094C905F071C1C
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_lzma.pyd | executable
MD5:9C52741FCDEE40F2B8A44E7CC0431BC3
SHA256:63C20B51C3A15603A37169EBD48EC55D7F3EDB6AAE287B9B140A13806932B8EC
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-datetime-l1-1-0.dll | executable
MD5:557405C47613DE66B111D0E2B01F2FDB
SHA256:913EAAA7997A6AEE53574CFFB83F9C9C1700B1D8B46744A5E12D76A1E53376FD
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-console-l1-1-0.dll | executable
MD5:07EBE4D5CEF3301CCF07430F4C3E32D8
SHA256:8F8B79150E850ACC92FD6AAB614F6E3759BEA875134A62087D5DD65581E3001F
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_socket.pyd | executable
MD5:02330613585155BAA15B57E33B6A1753
SHA256:5E850AA502E15B8DC02DD44095E112BB97AA9BE12D21E73025AF323413C03F81
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-debug-l1-1-0.dll | executable
MD5:624401F31A706B1AE2245EB19264DC7F
SHA256:58A8D69DF60ECBEE776CD9A74B2A32B14BF2B0BD92D527EC5F19502A0D3EB8E9
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-file-l1-1-0.dll | executable
MD5:0F7D418C05128246AFA335A1FB400CB9
SHA256:5C9BC70586AD538B0DF1FCF5D6F1F3527450AE16935AA34BD7EB494B4F1B2DB9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 88
TCP/UDP connections: 123
DNS requests: 23
Threats: 88

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7904 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7904 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7508 | xWormConnection.exe | GET | 200 | 193.38.34.5:80 | http://freegifts.com.tr/apps/roblox.exe | unknown
4040 | roblox.exe | POST | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown
4040 | roblox.exe | POST | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown
4040 | roblox.exe | POST | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown
4040 | roblox.exe | POST | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown
4040 | roblox.exe | POST | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7904 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7904 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.48.23.153, 23.48.23.145, 23.48.23.191, 23.48.23.140, 23.48.23.137, 23.48.23.181, 23.48.23.177, 23.48.23.176, 23.48.23.138 | whitelisted
client.wns.windows.com | 172.211.123.249, 172.211.123.248 | whitelisted
login.live.com | 20.190.160.67, 20.190.160.64, 40.126.32.140, 40.126.32.136, 40.126.32.138, 20.190.160.4, 20.190.160.131, 20.190.160.130 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
canarytokens.com | 52.18.63.80 | malicious

Threats

PID | Process | Class | Message
Potential Corporate Privacy Violation | POLICY [ANY.RUN] Python Suspicious User Agent
Potential Corporate Privacy Violation | INFO [ANY.RUN] Request to Canary Token Service Has Been Detected
Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request
Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request
Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request
Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request
Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request
Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request
No debug info