File name: xWormClient.exe

Full analysis: https://app.any.run/tasks/29569bed-bd8f-4d8f-8c77-de878853f525
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: April 15, 2025, 17:33:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: pyinstaller, api-base64, python, loader, upx, havoc, backdoor, framework
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 5EEB3A1F1BD4BFD02F1A58625D20B72D
SHA1: 9E9C368D5A68922CE486318AD21E3A01D4A7B3D1
SHA256: 0C5FF0AA181B189C7C924BC44B008AF4C4AECC7B1E9B15A2A18711C062C4EBAF
SSDEEP: 196608:iDnlLhOK0xcdlJHUqGtgoijF5u9VP6ioePsR3MaT4eXfHz5oZI:mb0xcd0qGtDPtvPm3MaT4eP9oZI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • roblox.exe (PID: 4040)
    • Connects to the CnC server

      • roblox.exe (PID: 4040)
    • HAVOC has been detected (SURICATA)

      • roblox.exe (PID: 4040)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Executable content was dropped or overwritten

      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • Gui.exe (PID: 7608)
      • xWormConnection.exe (PID: 7508)
      • roblox.exe (PID: 4040)
    • Process drops python dynamic module

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Application launched itself

      • xWormClient.exe (PID: 7304)
      • xWormConnection.exe (PID: 7408)
      • Gui.exe (PID: 7608)
    • The process drops C-runtime libraries

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Starts CMD.EXE for commands execution

      • xWormClient.exe (PID: 7324)
    • Reads security settings of Internet Explorer

      • xWormConnection.exe (PID: 7408)
      • xWormConnection.exe (PID: 7508)
    • There is functionality for taking screenshot (YARA)

      • Gui.exe (PID: 7608)
      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • Gui.exe (PID: 8072)
    • Process requests binary or script from the Internet

      • Gui.exe (PID: 8072)
      • xWormConnection.exe (PID: 7508)
    • Loads Python modules

      • Gui.exe (PID: 8072)
    • Potential Corporate Privacy Violation

      • Gui.exe (PID: 8072)
      • xWormConnection.exe (PID: 7508)
    • Contacting a server suspected of hosting a CnC

      • roblox.exe (PID: 4040)
  • INFO

    • The sample was compiled with English language support

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Checks supported languages

      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • xWormConnection.exe (PID: 7508)
      • xWormConnection.exe (PID: 7408)
      • Gui.exe (PID: 8072)
      • roblox.exe (PID: 4040)
    • Reads the computer name

      • xWormClient.exe (PID: 7304)
      • xWormConnection.exe (PID: 7408)
      • xWormConnection.exe (PID: 7508)
      • Gui.exe (PID: 8072)
      • roblox.exe (PID: 4040)
    • Create files in a temporary directory

      • xWormClient.exe (PID: 7304)
      • Gui.exe (PID: 7608)
    • Reads the machine GUID from the registry

      • xWormClient.exe (PID: 7324)
      • xWormConnection.exe (PID: 7508)
      • roblox.exe (PID: 4040)
    • Creates files in the program directory

      • xWormClient.exe (PID: 7324)
      • roblox.exe (PID: 4040)
      • xWormConnection.exe (PID: 7508)
    • Process checks computer location settings

      • xWormConnection.exe (PID: 7408)
      • xWormConnection.exe (PID: 7508)
    • PyInstaller has been detected (YARA)

      • xWormClient.exe (PID: 7304)
      • xWormClient.exe (PID: 7324)
      • Gui.exe (PID: 7608)
      • Gui.exe (PID: 8072)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • xWormClient.exe (PID: 7324)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • xWormClient.exe (PID: 7324)
    • UPX packer has been detected

      • xWormClient.exe (PID: 7324)
    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • xWormClient.exe (PID: 7324)
    • Checks proxy server information

      • Gui.exe (PID: 8072)
      • slui.exe (PID: 8152)
      • xWormConnection.exe (PID: 7508)
      • roblox.exe (PID: 4040)
    • Disables trace logs

      • xWormConnection.exe (PID: 7508)
    • Creates files or folders in the user directory

      • roblox.exe (PID: 4040)
    • Reads the software policy settings

      • slui.exe (PID: 8152)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:15 08:17:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 116224
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 150
Monitored processes: 17
Malicious processes: 9
Suspicious processes: 0

Behavior graph

start xwormclient.exe xwormclient.exe cmd.exe no specs conhost.exe no specs xwormconnection.exe no specs xwormconnection.exe cmd.exe no specs conhost.exe no specs gui.exe gui.exe slui.exe #HAVOC roblox.exe ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs svchost.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4040
CMD: "C:\ProgramData\roblox.exe"
Path: C:\ProgramData\roblox.exe
Parent process: xWormConnection.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\programdata\roblox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6620
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: User Choice Protection Manager
Exit code: 0
Version: 1.0.0.414301
Modules (Images):
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7304
CMD: "C:\Users\admin\Desktop\xWormClient.exe"
Path: C:\Users\admin\Desktop\xWormClient.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\xwormclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7324
CMD: "C:\Users\admin\Desktop\xWormClient.exe"
Path: C:\Users\admin\Desktop\xWormClient.exe
Parent process: xWormClient.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\xwormclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7352
CMD: C:\WINDOWS\system32\cmd.exe /c "C:\programdata\xWormConnection.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: xWormClient.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 7360
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7408
CMD: C:\programdata\xWormConnection.exe
Path: C:\ProgramData\xWormConnection.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: csharp_defenderbypass denmesi sonra sil ise yaramazsa
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\programdata\xwormconnection.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7432
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 2 459
Read events: 2 443
Write events: 16
Delete events: 0

Modification events

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\ProgramData
Value: 0

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

Process: (7508) xWormConnection.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 124
Suspicious files: 4
Text files: 933
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_hashlib.pyd | executable
  MD5: 244AC279950597392F9A9133A976F20B
  SHA256: 0E39DD9B6F307F6C43F25444492B7913039EA86C84E82715863FB2BF6C1CF4F4
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-errorhandling-l1-1-0.dll | executable
  MD5: 2DB5666D3600A4ABCE86BE0099C6B881
  SHA256: 46079C0A1B660FC187AAFD760707F369D0B60D424D878C57685545A3FCE95819
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-debug-l1-1-0.dll | executable
  MD5: 624401F31A706B1AE2245EB19264DC7F
  SHA256: 58A8D69DF60ECBEE776CD9A74B2A32B14BF2B0BD92D527EC5F19502A0D3EB8E9
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-namedpipe-l1-1-0.dll | executable
  MD5: B3F887142F40CB176B59E58458F8C46D
  SHA256: 8E015CDF2561450ED9A0773BE1159463163C19EAB2B6976155117D16C36519DA
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_lzma.pyd | executable
  MD5: 9C52741FCDEE40F2B8A44E7CC0431BC3
  SHA256: 63C20B51C3A15603A37169EBD48EC55D7F3EDB6AAE287B9B140A13806932B8EC
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_bz2.pyd | executable
  MD5: FF52C3B3EF7549A1D89070E8649F8ED2
  SHA256: 69D181C25797E994A9961C9F40DC57D04F8391C4FD83D412D23162FB4BEB4FD7
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-file-l2-1-0.dll | executable
  MD5: 721B60B85094851C06D572F0BD5D88CD
  SHA256: DAC867476CAA42FF8DF8F5DFE869FFD56A18DADEE17D47889AFB69ED6519AFBF
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-handle-l1-1-0.dll | executable
  MD5: D1DF480505F2D23C0B5C53DF2E0E2A1A
  SHA256: 0B3DFB8554EAD94D5DA7859A12DB353942406F9D1DFE3FAC3D48663C233EA99D
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-heap-l1-1-0.dll | executable
  MD5: 73433EBFC9A47ED16EA544DDD308EAF8
  SHA256: C43075B1D2386A8A262DE628C93A65350E52EAE82582B27F879708364B978E29
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-file-l1-2-0.dll | executable
  MD5: 5A72A803DF2B425D5AAFF21F0F064011
  SHA256: 629E52BA4E2DCA91B10EF7729A1722888E01284EED7DDA6030D0A1EC46C94086
HTTP(S) requests: 88
TCP/UDP connections: 123
DNS requests: 23
Threats: 88

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
7904 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4040 | roblox.exe | POST | - | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown | - (this request is listed 8 times in the report)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7904 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7904 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.48.23.153, 23.48.23.145, 23.48.23.191, 23.48.23.140, 23.48.23.137, 23.48.23.181, 23.48.23.177, 23.48.23.176, 23.48.23.138 | whitelisted
client.wns.windows.com | 172.211.123.249, 172.211.123.248 | whitelisted
login.live.com | 20.190.160.67, 20.190.160.64, 40.126.32.140, 40.126.32.136, 40.126.32.138, 20.190.160.4, 20.190.160.131, 20.190.160.130 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
canarytokens.com | 52.18.63.80 | malicious

Threats

Class | Message
Potential Corporate Privacy Violation | POLICY [ANY.RUN] Python Suspicious User Agent
Potential Corporate Privacy Violation | INFO [ANY.RUN] Request to Canary Token Service Has Been Detected
Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request (listed 6 times in the report)