download: /zup1hxedkf8iypru/XWorm_V5.6.rar

Full analysis: https://app.any.run/tasks/b38bf4c4-d4af-4584-b64c-c06b5eca559a
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: June 29, 2024, 20:28:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: xworm
MIME: text/html
File info: HTML document, ASCII text, with very long lines (323)
MD5: E6B923AABCFB9616CFBE1B438C90881C
SHA1: 85E64E4BC4E40F1201BEA1FC37333346268D0A06
SHA256: 3B1AEBB823B75747816E3D9D8D6CEACBE891BFA7BF09F29286DFC9A53F345C08
SSDEEP: 48:0K9ow919lXtLsy4/o6ce0DH3GUANz/7p5LclJfecONkJSI8MJOLrPGjpSXhLEP:3J3LsZ/oxb3rARmJfBONejcmYXhY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XWORM has been detected (YARA)

      • Xworm V5.6.exe (PID: 3312)
      • XClient.exe (PID: 2684)
    • Drops the executable file immediately after the start

      • vbc.exe (PID: 2812)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 2512)
    • Reads the Internet Settings

      • Xworm V5.6.exe (PID: 3312)
    • The process executes VB scripts

      • Xworm V5.6.exe (PID: 3312)
    • Executable content was dropped or overwritten

      • vbc.exe (PID: 2812)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 3700)
      • Xworm V5.6.exe (PID: 3312)
      • vbc.exe (PID: 2812)
      • cvtres.exe (PID: 1384)
      • XClient.exe (PID: 2684)
      • XClient.exe (PID: 3576)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3700)
      • Xworm V5.6.exe (PID: 3312)
      • XClient.exe (PID: 2684)
      • XClient.exe (PID: 3576)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3700)
      • Xworm V5.6.exe (PID: 3312)
      • XClient.exe (PID: 2684)
      • XClient.exe (PID: 3576)
    • Application launched itself

      • iexplore.exe (PID: 3412)
      • iexplore.exe (PID: 3384)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 2512)
      • iexplore.exe (PID: 3384)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3384)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2512)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2512)
      • iexplore.exe (PID: 3384)
    • Reads the machine GUID from the registry

      • Xworm V5.6.exe (PID: 3312)
      • vbc.exe (PID: 2812)
      • cvtres.exe (PID: 1384)
      • XClient.exe (PID: 2684)
      • XClient.exe (PID: 3576)
    • Reads Environment values

      • Xworm V5.6.exe (PID: 3312)
    • Reads Microsoft Office registry keys

      • Xworm V5.6.exe (PID: 3312)
    • Create files in a temporary directory

      • Xworm V5.6.exe (PID: 3312)
      • vbc.exe (PID: 2812)
      • cvtres.exe (PID: 1384)

XWorm

(PID) Process: (2684) XClient.exe
C2: 127.0.0.1:7000
Keys
  AES: <123456789>
Options
  Splitter: <Xwormmm>
  Sleep time: 3
  USB drop name: XWorm V5.6
  Mutex: p0809SkTTnRAuS7u

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

Title: Please read
Author: Espen Braastad
Description: Convenient file sharing. Registration is not required. Large files are supported.
Viewport: width=device-width, initial-scale=1, shrink-to-fit=no
Total processes: 56
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start iexplore.exe wmpnscfg.exe no specs iexplore.exe iexplore.exe winrar.exe #XWORM xworm v5.6.exe no specs vbc.exe cvtres.exe no specs #XWORM xclient.exe no specs xclient.exe no specs

Process information

PID: 3384
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\XWorm_V5.6.rar.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 3700
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3412
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3384 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 2100
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3384 CREDAT:333057 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 2512
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\XWorm_V5.6.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3312
CMD: "C:\Users\admin\Desktop\XWorm V5.6\Xworm V5.6.exe"
Path: C:\Users\admin\Desktop\XWorm V5.6\Xworm V5.6.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: XWorm
Version: 5.6.0.0
Modules
Images
c:\users\admin\desktop\xworm v5.6\xworm v5.6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2812
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\admin\AppData\Local\Temp\0xddhw0t.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: Xworm V5.6.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual Basic Command Line Compiler
Exit code: 0
Version: 14.8.3761.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

PID: 1384
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1470.tmp" "C:\Users\admin\AppData\Local\Temp\vbc8AF9113C2DB9482E838231A4EAE37084.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: vbc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.10.25028.0 built by: VCTOOLSD15RTM
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

PID: 2684
CMD: "C:\Users\admin\Desktop\XWorm V5.6\XClient.exe"
Path: C:\Users\admin\Desktop\XWorm V5.6\XClient.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\xworm v5.6\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3576
CMD: "C:\Users\admin\Desktop\XWorm V5.6\XClient.exe"
Path: C:\Users\admin\Desktop\XWorm V5.6\XClient.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\xworm v5.6\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 45 220
Read events: 44 931
Write events: 239
Delete events: 50

Modification events

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31115874

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 192963500

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31115875

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (3384) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Executable files: 99
Suspicious files: 146
Text files: 72
Unknown types: 1

Dropped files

PID: 2100
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A574FE5ED373E64D2C53AE9D706AAAD
Type: binary
MD5:1E1287F63A03919751C3CC99E3686130
SHA256:A495291EB0E85CBAC963E9AB4A83CA7C3D960AABD6353CCBC61BF6FCEC9DC96B
PID: 3384
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type: binary
MD5:8F16E7DFEE3E01E81F8DE8572E67DB9D
SHA256:684C6D5007A179A28044AD83EE5F01E7D3A414894F4CAF2F2CC064E406C22210
PID: 2100
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Type: binary
MD5:DC95D29813202B1D7300715EE77205B3
SHA256:F7349F8EBE735BCD10E66952704BA8DE310B49D7A06865B3F1748AD0CD59FA99
PID: 3384
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\favicon[1].ico
Type: image
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
PID: 3384
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF0FC4DDDE341A14A2.TMP
Type: binary
MD5:50A18A6A6B2B9EC87B0560396E0FEBBA
SHA256:EE4C3D293A61459990673C580FC35A158A21DC2364C036D660C73EE2343BC300
PID: 3384
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].png
Type: image
MD5:DA2306B75B2F0AAF430C2772BF44EA9A
SHA256:6EEBE71C5972EC8A118FF61E9A7251135CE99C42D721C53A377A74A11CAECD6F
PID: 2100
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1XILVN52.txt
Type: text
MD5:7C0C3255D822EB9BE957185B509D7465
SHA256:7C8730752E8A552569F70661FB13E2E05360C84094D4B4C24D2FDCB92D8939FB
PID: 2100
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A574FE5ED373E64D2C53AE9D706AAAD
Type: binary
MD5:A64840285FC52EAB5A5C5EAD43C98F10
SHA256:987D5A655A30F4FCB9F62742174760C1639E97526B21FF7AE37CD44B49819616
PID: 3384
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico
Type: image
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
PID: 3384
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type: image
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
HTTP(S) requests: 12
TCP/UDP connections: 34
DNS requests: 21
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3384
iexplore.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6c72811d6b728ea8
unknown
unknown
3384
iexplore.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2d103265274fbd0f
unknown
unknown
2100
iexplore.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
unknown
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?613a32b2f4f73039
unknown
unknown
3384
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
3384
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
2100
iexplore.exe
GET
200
184.24.77.53:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMew4vt7kgbQynoKEkqmaqCZw%3D%3D
unknown
unknown
3384
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
3384
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 |  |  |  | unknown
3384 | iexplore.exe | 92.123.104.65:443 | www.bing.com | Akamai International B.V. | DE | unknown
3384 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3384 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2100 | iexplore.exe | 88.99.137.18:443 | filebin.net | Hetzner Online GmbH | DE | unknown
2100 | iexplore.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
2100 | iexplore.exe | 184.24.77.53:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 92.123.104.5, 92.123.104.14, 92.123.104.67, 92.123.104.10, 92.123.104.64, 92.123.104.8, 92.123.104.11, 92.123.104.65, 92.123.104.9 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
filebin.net | 88.99.137.18 | unknown
x1.c.lencr.org | 69.192.161.44 | whitelisted
r3.o.lencr.org | 184.24.77.53, 184.24.77.46, 184.24.77.45, 184.24.77.47, 184.24.77.57 | shared
s3.filebin.net | 88.99.137.18 | unknown
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
crl.microsoft.com | 23.48.23.173, 23.48.23.164, 23.48.23.143, 23.48.23.176 | whitelisted

Threats

No threats detected