Malware analysis XBinder v2.exe Malicious activity | ANY.RUN

Add for printing

File name:	XBinder v2.exe
Full analysis:	https://app.any.run/tasks/3a568089-a273-4f58-951f-31e207ffe8e4
Verdict:	Malicious activity
Analysis date:	August 25, 2024, 20:55:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	xor-url generic ip-check
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:	A98358EB7F4953AA6D60015CCD8506CE
SHA1:	D9BE0C9D6D968C1BAEF11027A7ACE6A0E869E75A
SHA256:	21E0CC9EF715CC2147B9EC481B3FB876DBAE8A4491367B478513128D7F7B8555
SSDEEP:	24576:yxxxSxWxx7xxxxbfWfkNmePfTwjBZMt7+NI+6Vrw7id7:t8NmePfM66+d7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- XORed URL has been found (YARA)
  - XBinder v2.exe (PID: 6828)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - XBinder v2.exe (PID: 6828)
  - XBinderOutput.exe (PID: 6408)
- Executable content was dropped or overwritten
  - vbc.exe (PID: 6324)
- Drops the executable file immediately after the start
  - vbc.exe (PID: 6324)
  - XBinder v2.exe (PID: 6828)
- Reads the date of Windows installation
  - XBinderOutput.exe (PID: 6408)
- There is functionality for capture public ip (YARA)
  - XBinder v2.exe (PID: 6828)
INFO
- Reads the computer name
  - XBinder v2.exe (PID: 6828)
  - XBinderOutput.exe (PID: 6408)
- Checks supported languages
  - XBinder v2.exe (PID: 6828)
  - vbc.exe (PID: 6324)
  - cvtres.exe (PID: 6532)
  - XBinderOutput.exe (PID: 6408)
- Reads the machine GUID from the registry
  - XBinder v2.exe (PID: 6828)
  - XBinderOutput.exe (PID: 6408)
  - vbc.exe (PID: 6324)
- Create files in a temporary directory
  - XBinder v2.exe (PID: 6828)
  - cvtres.exe (PID: 6532)
  - vbc.exe (PID: 6324)
  - XBinderOutput.exe (PID: 6408)
- Manual execution by a user
  - XBinderOutput.exe (PID: 6408)
- Reads Microsoft Office registry keys
  - XBinderOutput.exe (PID: 6408)
- Process checks computer location settings
  - XBinderOutput.exe (PID: 6408)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2022:09:15 00:32:03+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	48
CodeSize:	3605504
InitializedDataSize:	106496
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2.0.0.0
ProductVersionNumber:	2.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	XCoder
CompanyName:	-
FileDescription:	XBinder
FileVersion:	2.0.0.0
InternalName:	XBinder.exe
LegalCopyright:	Copyright © 2022
LegalTrademarks:	-
OriginalFileName:	XBinder.exe
ProductName:	XBinder
ProductVersion:	2.0.0.0
AssemblyVersion:	2.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

141

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

5048

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "0C37A25C-40E9-45B8-B9EE-E6D85C4D6483" "ED11DA3B-8D07-4B44-B275-267EDAEDE2F1" "6392"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll

6304

"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\AppData\Local\Temp\sometimesrecommended.jpg"

C:\Windows\System32\mspaint.exe

—

XBinderOutput.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Paint

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6324

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\admin\AppData\Local\Temp\3gmu5hb4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

XBinder v2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual Basic Command Line Compiler

Exit code:

Version:

14.8.9037.0

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6392

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\standardthomas.rtf" /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

XBinderOutput.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6408

"C:\Users\admin\Desktop\XBinderOutput.exe"

C:\Users\admin\Desktop\XBinderOutput.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\xbinderoutput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6496

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

vbc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES525E.tmp" "C:\Users\admin\AppData\Local\Temp\vbc8F6EE870AE294ACE9E3F175216A3E2E.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

—

vbc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

14.32.31326.0

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6708

"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\AppData\Local\Temp\thursdaycash.png"

C:\Windows\System32\mspaint.exe

—

XBinderOutput.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Paint

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6828

"C:\Users\admin\Desktop\XBinder v2.exe"

C:\Users\admin\Desktop\XBinder v2.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

XBinder

Version:

2.0.0.0

Modules

Images
c:\users\admin\desktop\xbinder v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

39 416

Read events

39 049

Write events

341

Delete events

Modification events


(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\XBinder
Operation:	write	Name:	License
Value:
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:	write	Name:	5
Value: 5800420069006E006400650072002000760032002E00650078006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 0400000000000000030000000E0000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:	write	Name:	MRUListEx
Value: 010000000000000004000000050000000200000003000000FFFFFFFF
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell
Operation:	write	Name:	SniffedFolderType
Value: Generic
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	GlobalAssocChangedCounter
Value: 93
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6828) XBinder v2.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6828	XBinder v2.exe	C:\Users\admin\AppData\Local\Temp\3gmu5hb4.cmdline		text
		MD5:2BF947473DB170D5FAC181D2E8D03C72	SHA256:DBA73391D135591595E6827B2EDFF675450A1502AEEBF9C288530E30782B4059
6408	XBinderOutput.exe	C:\Users\admin\AppData\Local\Temp\sometimesrecommended.jpg		image
		MD5:4CEDFE171B794CE90E3D841D236D68E2	SHA256:B9A3592465EC35883F065F4BC721F0D8478E576CF512DEAA2A1A98207816AC21
6324	vbc.exe	C:\Users\admin\AppData\Local\Temp\3gmu5hb4.out		text
		MD5:AC585A7FA071C11FB6A6CAEDF27AE63B	SHA256:EE171874E8387DAD7AD6A0F7DA76879B4F3FA99C6D592AF5D519BA510EE89777
6324	vbc.exe	C:\Users\admin\AppData\Local\Temp\vbc578843A5761847F18A5BE1B29D14AEBF.TMP		binary
		MD5:D343A1E04F223DE18D3851A66C4DC953	SHA256:D8B69FF0240575C7D41D28DC1C2C0EA79D74B189E4E89810038B4C129B466FCB
6408	XBinderOutput.exe	C:\Users\admin\AppData\Local\Temp\standardthomas.rtf		text
		MD5:E0FF4306451FD48C1EEBF92A9C72D03E	SHA256:2584EF737C6693C2D34931EE5C486E43C3D7D4299350C06D7850241A45B27FB7
6408	XBinderOutput.exe	C:\Users\admin\AppData\Local\Temp\thursdaycash.png		image
		MD5:99AEA552030535D531D2823D294542A8	SHA256:1106FDEB28ED26259E11B190F9FF26D88F955E323A0F47251303EB9C41002CC0
6532	cvtres.exe	C:\Users\admin\AppData\Local\Temp\RES525E.tmp		o
		MD5:BEB2DEC94487E411CC9572F505284EF4	SHA256:249D11354871BF694DDC33D2BF90ED7B318FDA33EFDF36C6E125C34B85013E7F
6324	vbc.exe	C:\Users\admin\Desktop\XBinderOutput.exe		executable
		MD5:007BCC8229A3850582B50CACB60DA24C	SHA256:2E8FC5CF1F85AD8D4A13253F9DA9533427A7F21A0EBEE15A182FE8F76E085065
6392	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0228F5C5-6F95-44E7-AEA4-63B8F6F293B9		xml
		MD5:E5467195F81B548552DB9FC52D225D6C	SHA256:69B7AD1E3FCEA383D285C147FCC97872906D79980E2B7F352EDDC7A3756A0EE1
6392	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:61E8A78D4F887294D8951D474A01F333	SHA256:E9FBB8CCD697313371E8A99149164BCFECF33ABDB6574484B2E17FAB3F6D5220

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3276	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6392	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3584	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3244	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3276	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3276	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6356	SIHClient.exe	40.127.169.103:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6356	SIHClient.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6356	SIHClient.exe	13.95.31.18:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.212.142	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
login.live.com	20.190.159.68 20.190.159.2 40.126.31.71 40.126.31.73 20.190.159.73 20.190.159.23 20.190.159.4 20.190.159.71	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
officeclient.microsoft.com	52.109.89.18	whitelisted
omex.cdn.office.net	23.48.23.62 23.48.23.30 23.48.23.66 23.48.23.18 23.48.23.43	whitelisted

Threats

No threats detected

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

XBinder v2.exe

A98358EB7F4953AA6D60015CCD8506CE

D9BE0C9D6D968C1BAEF11027A7ACE6A0E869E75A

21E0CC9EF715CC2147B9EC481B3FB876DBAE8A4491367B478513128D7F7B8555

24576:yxxxSxWxx7xxxxbfWfkNmePfTwjBZMt7+NI+6Vrw7id7:t8NmePfM66+d7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XORed URL has been found (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Reads the date of Windows installation

There is functionality for capture public ip (YARA)

INFO

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Create files in a temporary directory

Manual execution by a user

Reads Microsoft Office registry keys

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings