File name:

XwormRCE.zip

Full analysis: https://app.any.run/tasks/b7ded2bc-43ac-4540-bd87-7f81eb14fbbf
Verdict: Malicious activity
Analysis date: March 23, 2025, 21:05:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
ssh
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

B42457EA6689557133BCD7AD17192B9A

SHA1:

8FFA9D5C1EAA462C6A671FBB148BE65D073716FD

SHA256:

4AC20696C22BB9DA3EF8AC36D44D85C4DF52255DB6AAC1328AD4E6602A5CEC30

SSDEEP:

3072:3QOrht7VnjlFg9JlHCl6fJrhoUeNNd7kht7VnjlFg9JlHCl6fJri5oFZaw:XJjA93Cl6fJrhKNNyJjA93Cl6fJrrZL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5024)

  • SUSPICIOUS

    • Connects to SSH

      • Parser.exe (PID: 8084)

    • Potential Corporate Privacy Violation

      • Parser.exe (PID: 8084)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 8016)

    • Connects to unusual port

      • Parser.exe (PID: 8084)

  • INFO

    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 8168)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7964)
      • BackgroundTransferHost.exe (PID: 4892)
      • BackgroundTransferHost.exe (PID: 8168)
      • BackgroundTransferHost.exe (PID: 4724)
      • BackgroundTransferHost.exe (PID: 7620)
      • notepad.exe (PID: 7180)

    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 8168)
      • slui.exe (PID: 7264)
      • slui.exe (PID: 7888)

    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 8168)
      • slui.exe (PID: 7888)

    • Manual execution by a user

      • WormExploit.exe (PID: 5228)
      • Parser.exe (PID: 8084)
      • notepad.exe (PID: 7180)
      • WormExploit.exe (PID: 7248)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5024)

    • Checks supported languages

      • WormExploit.exe (PID: 5228)
      • Parser.exe (PID: 8084)
      • WormExploit.exe (PID: 7248)
      • ShellExperienceHost.exe (PID: 8016)

    • Reads the computer name

      • WormExploit.exe (PID: 5228)
      • Parser.exe (PID: 8084)
      • WormExploit.exe (PID: 7248)
      • ShellExperienceHost.exe (PID: 8016)

    • Reads the machine GUID from the registry

      • Parser.exe (PID: 8084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:03:23 22:15:46
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: XwormRCE/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
18
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs rundll32.exe no specs wormexploit.exe no specs conhost.exe no specs parser.exe conhost.exe no specs notepad.exe no specs slui.exe wormexploit.exe no specs conhost.exe no specs shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3008C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
4724"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
4892"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
5024"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\XwormRCE.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5228"C:\Users\admin\Desktop\XwormRCE\WormExploit.exe" C:\Users\admin\Desktop\XwormRCE\WormExploit.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WormExploit
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xwormrce\wormexploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
7180"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\XwormRCE\Hosts.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
7232C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7240\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWormExploit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7248"C:\Users\admin\Desktop\XwormRCE\WormExploit.exe" C:\Users\admin\Desktop\XwormRCE\WormExploit.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WormExploit
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xwormrce\wormexploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7264"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
5 936
Read events
5 911
Write events
25
Delete events
0

Modification events

(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\XwormRCE.zip
(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(5024) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7964) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7964) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:writeName:CachePrefix
Value:
Executable files
2
Suspicious files
4
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
8168BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
MD5:
SHA256:
8168BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\71058d02-f5c6-42cf-97e1-f0d4285de567.down_data
MD5:
SHA256:
5024WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa5024.25851\XwormRCE\Hosts.txttext
MD5:4017F359961D2DBFC8CF78ADF39E6935
SHA256:C091A12783952DBB0CA2D533A51BD85599B30C4C3B723F0ADA25C70E0E91F8D5
8168BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10Dbinary
MD5:747297EA5B378448F256CE8D328E83D6
SHA256:DE600E6D8A8D160E1D0B32BBE68B964C7291A92EF89396C58CAD382AACA8E82A
5024WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa5024.25851\XwormRCE\WormExploit.exeexecutable
MD5:F58D26874C31720F73427619E91B422B
SHA256:661F61CCAA12D2618F19C3ACFDC370B481CECD1AFA491B4CCD8FF6AAEF85DFA7
5024WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa5024.25851\XwormRCE\Keys.txttext
MD5:DADEFDFD3DF5BA731438E7569F826962
SHA256:D642578EED80496DBEDB64D1836A8319CA9AFDA202737D5B08211C6CB8E94EB1
8168BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\71058d02-f5c6-42cf-97e1-f0d4285de567.b1d3888b-f14a-4aac-a91b-cee231381551.down_metabinary
MD5:C92735A563C290F1216AE1DC36376612
SHA256:4177FCC682CC2DECBE78BDDACE376BF2688866791A0C927EC4E8081020D2B83E
8168BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\65093322-698a-4706-a894-0a5b4bd00631.b1d3888b-f14a-4aac-a91b-cee231381551.down_metabinary
MD5:C92735A563C290F1216AE1DC36376612
SHA256:4177FCC682CC2DECBE78BDDACE376BF2688866791A0C927EC4E8081020D2B83E
8168BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\65093322-698a-4706-a894-0a5b4bd00631.up_meta_securebinary
MD5:9FFCC53D52E78FAAA92953DCD79716E6
SHA256:32D8EC87D102895ABF523CEFA7A381C3CE57218622C9FD369BC14341F95327E9
5024WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa5024.25851\XwormRCE\Link.txttext
MD5:D91C5D75432012A1E599EBDFCDFF083C
SHA256:4AC9C91EE87E2978E5A2FA58B6BE229BC20BF69C64402A35ED867E44FA1A549D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
191
DNS requests
22
Threats
33

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8168
BackgroundTransferHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7344
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6808
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.178
  • 23.48.23.168
  • 23.48.23.169
  • 23.48.23.179
  • 23.48.23.183
  • 23.48.23.176
  • 23.48.23.174
  • 23.48.23.185
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.2
  • 40.126.31.129
  • 40.126.31.130
  • 20.190.159.0
  • 20.190.159.130
  • 20.190.159.129
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 92.123.104.31
  • 92.123.104.32
  • 92.123.104.33
  • 92.123.104.34
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted

Threats

PID
Process
Class
Message
8084
Parser.exe
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
8084
Parser.exe
Generic Protocol Command Decode
SURICATA SSH invalid banner
8084
Parser.exe
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
8084
Parser.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] A SSH banner has been detected
8084
Parser.exe
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
8084
Parser.exe
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
8084
Parser.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] A SSH banner has been detected on a non-standard port number
8084
Parser.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] A SSH banner has been detected on a non-standard port number
8084
Parser.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] A SSH banner has been detected
8084
Parser.exe
Generic Protocol Command Decode
SURICATA SSH invalid banner
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
XwormRCE.zip