File name: LDPlayer.exe

Full analysis: https://app.any.run/tasks/bb7c4dfe-5b9b-4f74-af2f-6e0734a6a4f0
Verdict: Malicious activity
Threats: XWorm

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: April 22, 2025, 17:26:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: xworm, netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 4 sections
MD5: 1A4E78E980FF926C63582263B0A7C990
SHA1: B71E562F4BE7450920EC670239A4907AD20BE98B
SHA256: 5E4F831F1FDB5D1D2A3CC9B8EBC735BA0B89618713FC5C5B6DCAA2D6EDE45A2D
SSDEEP: 3072:c24n3BzwEkIkb5S94o1OeJC0CPHGy0A907zr4koCRHZvgRS71qQAeiWyJeG:mwWIy4oUoC0Qj0uE/4koY5VkdW4eG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses Task Scheduler to run other applications: LDPlayer.exe (PID: 5504)
    • Changes the autorun value in the registry: LDPlayer.exe (PID: 5504)
    • Creates files in the Startup directory: LDPlayer.exe (PID: 5504)
    • XWORM has been detected (YARA): LDPlayer.exe (PID: 5504)
  • SUSPICIOUS
    • Process drops legitimate Windows executable: LDPlayer.exe (PID: 4880), LDPlayer.exe (PID: 5504)
    • Starts a Microsoft application from unusual location: LDPlayer.exe (PID: 4880), LDPlayer.exe (PID: 5504)
    • Application launched itself: LDPlayer.exe (PID: 4880), LDPlayer.exe (PID: 3332)
    • Executes application which crashes: LDPlayer.exe (PID: 4880), LDPlayer.exe (PID: 3332)
    • Executable content was dropped or overwritten: LDPlayer.exe (PID: 5504)
    • Reads security settings of Internet Explorer: LDPlayer.exe (PID: 5504)
    • The process executes via Task Scheduler: LDPlayer.exe (PID: 3332)
  • INFO
    • Checks supported languages: LDPlayer.exe (PID: 4880), LDPlayer.exe (PID: 5504), LDPlayer.exe (PID: 3332), LDPlayer.exe (PID: 6700)
    • The sample was compiled with English language support: LDPlayer.exe (PID: 4880), LDPlayer.exe (PID: 5504)
    • Reads the computer name: LDPlayer.exe (PID: 4880), LDPlayer.exe (PID: 5504), LDPlayer.exe (PID: 3332), LDPlayer.exe (PID: 6700)
    • Reads the machine GUID from the registry: LDPlayer.exe (PID: 5504), LDPlayer.exe (PID: 6700)
    • Creates files or folders in the user directory: WerFault.exe (PID: 6876), LDPlayer.exe (PID: 5504), WerFault.exe (PID: 2148)
    • Process checks computer location settings: LDPlayer.exe (PID: 5504)
    • .NET Reactor protector has been detected: LDPlayer.exe (PID: 5504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (81)
.dll | Win32 Dynamic Link Library (generic) (7.2)
.exe | Win32 Executable (generic) (4.9)
.exe | Win16/32 Executable Delphi generic (2.2)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2045:12:11 00:33:48+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 17408
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x623e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 10.0.19041.3636
ProductVersionNumber: 10.0.19041.3636
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Remote Access Dialer
FileVersion: 10.0.19041.3636 (WinBuild.160101.0800)
InternalName: rasdlui.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: rasdlui.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.3636
No data.
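The EXIF block above describes a .NET console assembly (TRiD: Generic CIL Executable; file info: Mono/.Net assembly) whose version resource claims to be Microsoft's rasdlui.exe (Remote Access Dialer, product "Microsoft® Windows® Operating System") and whose link timestamp falls in December 2045. The Python below is an added example and not part of the ANY.RUN report: it reads the link timestamp, subsystem and CLR-header presence straight out of raw PE bytes and checks them against the version-resource claims. The PE bytes it inspects are a constructed header-only stub carrying the report's COFF values (machine, section count, characteristics, subsystem, timestamp); it is not the analysed sample. The version-info dictionary is copied from the EXIF block, the CLR header RVA/size in the stub are made-up values, and the analysis time is assumed to be UTC because the report gives it without a zone.

```python
import struct
from datetime import datetime, timezone

COM_DESCRIPTOR = 14                       # data-directory slot of the CLR runtime header
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}


def parse_pe(data: bytes) -> dict:
    """Pull the header fields the triage needs straight out of the bytes:
    COFF timestamp and characteristics, subsystem, and whether a CLR header
    is present (that is what makes an image a .NET assembly)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsections, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                               # optional header follows the 20-byte COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # same offset in PE32 and PE32+
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * COM_DESCRIPTOR)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "characteristics": chars,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dotnet": bool(clr_rva and clr_size),
    }


def triage_pe(data: bytes, version_info: dict, observed_name: str, now: datetime) -> list:
    """Compare what the headers say with what the version resource claims."""
    pe = parse_pe(data)
    findings = []
    orig = version_info.get("OriginalFileName", "")
    if orig and orig.lower() != observed_name.lower():
        findings.append(f"OriginalFileName {orig} does not match on-disk name {observed_name}")
    claims_windows = ("Microsoft" in version_info.get("CompanyName", "")
                      and "Windows" in version_info.get("ProductName", ""))
    if pe["is_dotnet"] and claims_windows:
        findings.append("managed (.NET) image carrying a Windows OS component version resource")
    # Deterministic .NET builds store a hash, not a date, in TimeDateStamp, so an
    # impossible date is a cue to look closer, not evidence of tampering by itself.
    if pe["timestamp"] > now:
        findings.append(f"link timestamp {pe['timestamp']:%Y-%m-%d} lies in the future")
    return findings


def build_sample_pe(timestamp: int, dotnet: bool) -> bytes:
    """Constructed header-only PE32 stub (no sections, no code) carrying the
    COFF values the report lists; it is not the analysed file."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header right after the DOS header
    # i386, 4 sections, characteristics 0x012E = executable, no line numbers,
    # no symbols, large address aware, 32-bit (as listed in the EXIF block)
    coff = struct.pack("<HHIIIHH", 0x014C, 4, timestamp, 0, 0, 224, 0x012E)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<H", opt, 68, 3)              # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR, 0x2008, 72)  # CLR header RVA/size (assumed)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Values copied from the EXIF block of the report; UTC is assumed for the analysis time.
REPORTED_VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Remote Access Dialer",
    "OriginalFileName": "rasdlui.exe",
    "ProductName": "Microsoft® Windows® Operating System",
}
REPORTED_TIMESTAMP = int(datetime(2045, 12, 11, 0, 33, 48, tzinfo=timezone.utc).timestamp())
ANALYSIS_TIME = datetime(2025, 4, 22, 17, 26, 5, tzinfo=timezone.utc)
SAMPLE_PE = build_sample_pe(REPORTED_TIMESTAMP, dotnet=True)
CONTROL_PE = build_sample_pe(int(datetime(2023, 1, 1, tzinfo=timezone.utc).timestamp()), dotnet=False)

if __name__ == "__main__":
    for line in triage_pe(SAMPLE_PE, REPORTED_VERSION_INFO, "LDPlayer.exe", ANALYSIS_TIME):
        print("-", line)
```

On a real file the version resource would be read from the .rsrc section (pefile does this) instead of being passed in; the header parsing above is deliberately dependency-free so it can run on a stripped triage box. The strongest of the three findings is the managed image carrying a Windows component's version resource, since the resource can be copied from any Microsoft binary in seconds while the CLR header cannot be hidden from the loader; the name mismatch and the 2045 date are supporting cues only.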
All screenshots are available in the full report
Total processes: 143
Monitored processes: 13
Malicious processes: 2
Suspicious processes: 1

Behavior graph (launch order as rendered in the report; "no specs" marks processes without notable indicators, #XWORM marks the process that matched the XWorm YARA rule; the parent/child tree itself is only available in the interactive report)

start
ldplayer.exe
conhost.exe (no specs)
ldplayer.exe #XWORM
werfault.exe (no specs)
sppextcomobj.exe (no specs)
slui.exe (no specs)
schtasks.exe (no specs)
conhost.exe (no specs)
svchost.exe
ldplayer.exe
conhost.exe (no specs)
ldplayer.exe (no specs)
werfault.exe (no specs)

Process information

PID: 744
CMD: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "LDPlayer" /tr "C:\Users\admin\AppData\Roaming\LDPlayer.exe"
Path: C:\Windows\SysWOW64\schtasks.exe (the command line names System32, but the 32-bit caller is redirected to the SysWOW64 copy by WoW64 file system redirection)
Parent process: LDPlayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1196
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2148
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3332 -s 872
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: LDPlayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 3100
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3332
CMD: "C:\Users\admin\AppData\Roaming\LDPlayer.exe"
Path: C:\Users\admin\AppData\Roaming\LDPlayer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Remote Access Dialer
Exit code: 3221226505 (0xC0000409, STATUS_STACK_BUFFER_OVERRUN, the fail-fast status; this crash is what WerFault.exe PID 2148 reported)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\roaming\ldplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 4880
CMD: "C:\Users\admin\AppData\Local\Temp\LDPlayer.exe"
Path: C:\Users\admin\AppData\Local\Temp\LDPlayer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Remote Access Dialer
Exit code: 3221226505 (0xC0000409, STATUS_STACK_BUFFER_OVERRUN, the fail-fast status; this crash is what WerFault.exe PID 6876 reported)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\ldplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 4980
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

PID: 5504
CMD: "C:\Users\admin\AppData\Local\Temp\LDPlayer.exe"
Path: C:\Users\admin\AppData\Local\Temp\LDPlayer.exe
Parent process: LDPlayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Remote Access Dialer
Exit code: (still running at the end of the analysis; this is the instance that matched the XWorm YARA rule and installed the persistence below)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\ldplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 5588
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: LDPlayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 427
Read events: 4 426
Write events: 1
Delete events: 0

Modification events

(PID) Process: (5504) LDPlayer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: LDPlayer
Value: C:\Users\admin\AppData\Roaming\LDPlayer.exe
Executable files: 1
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID: 6876  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LDPlayer.exe_5c86e3c174864ba411262ccfc48bcbfa2e6ab92_6036108b_09dea3e2-4cbb-45c3-8514-01c4630ac701\Report.wer
Type: -
MD5: -
SHA256: -

PID: 6876  Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\LDPlayer.exe.4880.dmp
Type: -
MD5: -
SHA256: -

PID: 2148  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LDPlayer.exe_5c86e3c174864ba411262ccfc48bcbfa2e6ab92_6036108b_7d6b56e2-7baa-4d5a-8ef0-a06b78fc5d66\Report.wer
Type: -
MD5: -
SHA256: -

PID: 2148  Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\LDPlayer.exe.3332.dmp
Type: -
MD5: -
SHA256: -

PID: 5504  Process: LDPlayer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LDPlayer.lnk
Type: binary
MD5: 29FAC1725418D810314DAA66EF11F187
SHA256: 40C4A3C4F59F6A83F3F6EDCE1A946605FEEACD619F22EC2FDCA63C005A826171

PID: 6876  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1BC.tmp.WERInternalMetadata.xml
Type: binary
MD5: D6089C286705E115D4B8A4BE6336B3A5
SHA256: 523D25D5186E0240CD793D89E93C601CFD353E97F329067B899555760E3B4085

PID: 2148  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E66.tmp.xml
Type: xml
MD5: D9C270B2A452CF30DF213B5E0977CBB1
SHA256: 5792F0925739E7CEE27C64A71D11A767710AA3D21AE4DAEDE66AE43FB9E6CB51

PID: 6876  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC064.tmp.dmp
Type: binary
MD5: 54D7AC8BB38EE41DC602CEE938AB5166
SHA256: 4FF5BE6EE59C9A10808BF531118A30652E4DB054C369C3E75A3F93773B6C6591

PID: 6876  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1FC.tmp.xml
Type: xml
MD5: D4D14E89666C37E4C8B207789C980C7C
SHA256: EE611CD9650A8AA3E9369EBA8C3F596AE8D6B3869B89D33519446F0A6D51CD34

PID: 2148  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D7A.tmp.dmp
Type: binary
MD5: 1790534FB5743C2F9974B67185BCB836
SHA256: A26F21FD7AB3412AC1E370DED708F1101DFC620BBD89CCC9CD1B64A7906EE42E
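Taken together, the process, registry and file records above show PID 5504 installing the same payload three ways: a scheduled task named LDPlayer that runs C:\Users\admin\AppData\Roaming\LDPlayer.exe every minute, an HKCU Run value pointing at the same path, and an LDPlayer.lnk in the user's Startup folder; PID 3332 is that AppData copy being started by a service host, which is how a scheduled task launch looks in a process tree. The Python below is an added example and not part of the ANY.RUN report: it runs those three checks plus the service-host-launch check over a constructed event list shaped after the report. The PIDs, paths and the schtasks command line are copied from the report; the parent PID of schtasks (5504, per the "Uses Task Scheduler to run other applications" indicator), the benign control task at the end, and the event-record format itself are assumptions.

```python
import re
from collections import defaultdict

# Constructed telemetry shaped after the report's process, registry and file events.
# PIDs, paths and the schtasks command line are copied from the report; the schtasks
# parent PID (5504) and the benign control task at the end are assumptions.
EVENTS = [
    {"type": "process", "pid": 744, "ppid": 5504,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 '
                r'/tn "LDPlayer" /tr "C:\Users\admin\AppData\Roaming\LDPlayer.exe"'},
    {"type": "registry", "pid": 5504, "op": "write",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "LDPlayer", "value": r"C:\Users\admin\AppData\Roaming\LDPlayer.exe"},
    {"type": "file", "pid": 5504, "op": "create",
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LDPlayer.lnk"},
    {"type": "process", "pid": 3332, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Users\admin\AppData\Roaming\LDPlayer.exe",
     "cmdline": r'"C:\Users\admin\AppData\Roaming\LDPlayer.exe"'},
    {"type": "process", "pid": 9001, "ppid": 9000, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# Locations a standard user can write to: a task, Run value or Startup item pointing
# here is far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|programdata\\|users\\public\\|windows\\temp\\)", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?$", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)
ATTACK = {"scheduled_task": "T1053.005", "service_host_launch": "T1053.005",
          "run_key": "T1547.001", "startup_folder": "T1547.001"}
FLAGS = {"/create", "/delete", "/query", "/change", "/run", "/end", "/f", "/z", "/v"}


def split_args(cmdline: str) -> list:
    """Windows-style split: double-quoted strings stay whole, quotes dropped."""
    return [q or t for q, t in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch to its value, or True for switches that take none."""
    args, opts, i = split_args(cmdline), {}, 0
    while i < len(args):
        a = args[i].lower()
        if a in FLAGS:
            opts[a] = True
        elif a.startswith("/") and i + 1 < len(args):
            opts[a] = args[i + 1]
            i += 1
        i += 1
    return opts


def find_persistence(events: list) -> list:
    findings = []
    for ev in events:
        f = None
        if ev["type"] == "process":
            if ev["image"].lower().endswith("\\schtasks.exe"):
                o = parse_schtasks(ev["cmdline"])
                target = o.get("/tr", "")
                if "/create" in o and USER_WRITABLE.match(target):
                    mo = o.get("/mo", "")
                    # a minute-level trigger is a watchdog, not a maintenance job
                    tight = o.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5
                    f = {"actor_pid": ev.get("ppid"), "technique": "scheduled_task", "target": target,
                         "severity": "high" if tight else "medium",
                         "detail": f"task {o.get('/tn')!r} /sc {o.get('/sc')} /mo {mo or '1'}"}
            elif (ev.get("parent_image", "").lower().endswith("\\svchost.exe")
                  and USER_WRITABLE.match(ev["image"])):
                f = {"actor_pid": ev["pid"], "technique": "service_host_launch", "target": ev["image"],
                     "severity": "medium", "detail": "started by a service host, not an interactive parent"}
        elif ev["type"] == "registry" and ev.get("op") == "write" and RUN_KEY.search(ev["key"]):
            f = {"actor_pid": ev["pid"], "technique": "run_key", "target": ev["value"],
                 "severity": "high" if USER_WRITABLE.match(ev["value"]) else "medium",
                 "detail": ev["key"] + "\\" + ev["name"]}
        elif ev["type"] == "file" and ev.get("op") == "create" and STARTUP_DIR.search(ev["path"]):
            f = {"actor_pid": ev["pid"], "technique": "startup_folder", "target": ev["path"],
                 "severity": "high", "detail": "item dropped into a Startup folder"}
        if f:
            f["attack"] = ATTACK[f["technique"]]
            findings.append(f)
    return findings


def correlate(findings: list) -> dict:
    """Techniques per acting PID; more than one from the same PID is layered persistence."""
    by_pid = defaultdict(set)
    for f in findings:
        by_pid[f["actor_pid"]].add(f["technique"])
    return dict(by_pid)


if __name__ == "__main__":
    found = find_persistence(EVENTS)
    for f in found:
        print(f'[{f["severity"]}] pid {f["actor_pid"]} {f["attack"]} {f["technique"]}: {f["target"]} ({f["detail"]})')
    for pid, techs in correlate(found).items():
        if len(techs) > 1:
            print(f"pid {pid}: layered persistence via {', '.join(sorted(techs))}")
```

The scheduled task is attributed to the parent of schtasks.exe rather than to schtasks.exe itself, otherwise the three mechanisms would never group under one PID. When cleaning a host, all three need removing (schtasks /delete /tn LDPlayer /f, the HKCU Run value, and the .lnk) along with the AppData copy, because the one-minute task will re-launch the binary while the others are being removed.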
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 21
DNS requests: 15
Threats: 1

HTTP requests (the Type and Size columns are empty for every row)

PID   Process              Method  HTTP Code  IP                 CN       Reputation   URL
5496  MoUsoCoreWorker.exe  GET     200        23.48.23.174:80    unknown  whitelisted  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
5496  MoUsoCoreWorker.exe  GET     200        2.23.246.101:80    unknown  whitelisted  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
-     -                    GET     200        23.48.23.174:80    unknown  whitelisted  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
6544  svchost.exe          GET     200        2.17.190.73:80     unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
1128  SIHClient.exe        GET     200        23.219.150.101:80  unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
1128  SIHClient.exe        GET     200        23.219.150.101:80  unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl

Connections (none of these belong to an LDPlayer.exe process; all are Windows background traffic, which is consistent with the sample's only domain never resolving)

PID   Process              IP                   Domain                           ASN                          CN  Reputation
-     -                    192.168.100.255:137  -                                -                            -   whitelisted
2104  svchost.exe          51.124.78.146:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -                    51.124.78.146:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -                    23.48.23.174:80      crl.microsoft.com                Akamai International B.V.    DE  whitelisted
5496  MoUsoCoreWorker.exe  23.48.23.174:80      crl.microsoft.com                Akamai International B.V.    DE  whitelisted
5496  MoUsoCoreWorker.exe  2.23.246.101:80      www.microsoft.com                Ooredoo Q.S.C.               QA  whitelisted
4     System               192.168.100.255:138  -                                -                            -   whitelisted
3216  svchost.exe          172.211.123.249:443  client.wns.windows.com           MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted
6544  svchost.exe          20.190.160.132:443   login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
6544  svchost.exe          2.17.190.73:80       ocsp.digicert.com                AKAMAI-AS                    DE  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.174
  • 23.48.23.167
  • 23.48.23.173
  • 23.48.23.158
  • 23.48.23.168
  • 23.48.23.162
  • 23.48.23.166
  • 23.48.23.169
  • 23.48.23.164
whitelisted
google.com
  • 216.58.212.142
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.219.150.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 20.190.160.22
  • 40.126.32.138
  • 20.190.160.20
  • 20.190.160.3
  • 20.190.160.128
  • 20.190.160.65
  • 20.190.160.5
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
uptimebot.kozow.com
malicious
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID   Process      Class                    Message
2196  svchost.exe  Potentially Bad Traffic  ET DYN_DNS DYNAMIC_DNS Query to a *.kozow .com Domain
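The only network artifact the report rates malicious is the lookup of uptimebot.kozow.com: the DNS table lists no resolved address for it and the Connections table shows no session to it, so whatever that host is meant to serve was never reached during this run. kozow.com is one of the zones handed out by the Dynu free dynamic-DNS service (assumption from memory, not stated in the report). The Python below is an added example and not part of the ANY.RUN report: it applies the same kind of suffix check the ET DYN_DNS rule performs to a constructed DNS-client log shaped after the report's DNS table, collapses repeat lookups into one alert per process and name, and records whether the name ever resolved. The log format, the timestamps, the repeated query and the short zone list are all assumptions.

```python
import re

# Excerpt of free dynamic-DNS zones. Assumption: a short list from memory for the
# example; production detection should take the zone list from a maintained feed
# such as the ET DYN_DNS ruleset that produced the alert above.
DYN_DNS_ZONES = {
    "kozow.com": "Dynu", "giize.com": "Dynu", "gleeze.com": "Dynu", "mywire.org": "Dynu",
    "duckdns.org": "Duck DNS",
    "no-ip.org": "No-IP", "ddns.net": "No-IP", "hopto.org": "No-IP",
}

# Constructed DNS-client log (space separated: time, pid, image, query, answer or "-"),
# shaped after the report's DNS table; the times, the repeat query and the apex
# lookup with a TEST-NET answer are made up.
DNS_LOG = """\
2025-04-22T17:26:20Z 2196 svchost.exe uptimebot.kozow.com -
2025-04-22T17:26:21Z 2196 svchost.exe crl.microsoft.com 23.48.23.174
2025-04-22T17:26:25Z 2196 svchost.exe google.com 216.58.212.142
2025-04-22T17:26:40Z 2196 svchost.exe uptimebot.kozow.com -
2025-04-22T17:27:00Z 2196 svchost.exe kozow.com 203.0.113.10
2025-04-22T17:27:05Z 2196 svchost.exe login.live.com 20.190.160.132
"""
LINE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\S+)$")


def dyn_dns_zone(domain: str):
    """Return (zone, provider) for a tenant host under a dynamic-DNS zone.
    The zone apex itself is the provider's own site, so it does not count."""
    d = domain.lower().rstrip(".")
    for zone, provider in DYN_DNS_ZONES.items():
        if d.endswith("." + zone):
            return zone, provider
    return None


def scan_dns_log(log: str) -> list:
    """One alert per (pid, image, domain), with the query count and whether any
    lookup was answered; an unanswered name means no session to it could have
    been captured, which is worth stating in the triage note."""
    alerts = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, image, query, answer = m.groups()
        hit = dyn_dns_zone(query)
        if not hit:
            continue
        zone, provider = hit
        q = query.lower()
        a = alerts.setdefault((int(pid), image, q), {
            "pid": int(pid), "image": image, "domain": q, "zone": zone,
            "provider": provider, "tenant_label": q[: -len(zone) - 1],
            "first_seen": ts, "queries": 0, "resolved": False})
        a["queries"] += 1
        if answer != "-":
            a["resolved"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in scan_dns_log(DNS_LOG):
        state = "resolved" if a["resolved"] else "never resolved"
        print(f'PID {a["pid"]} {a["image"]}: {a["domain"]} ({a["provider"]} tenant '
              f'"{a["tenant_label"]}"), {a["queries"]} queries, {state}, first {a["first_seen"]}')
```

The alert is pinned to svchost.exe (the Dnscache service, PID 2196 in the process list) because the Windows DNS client performs lookups on behalf of every process, so a network-level sensor can only ever name the resolver. To tie the query to LDPlayer.exe itself you need host telemetry that records the requesting image, such as Sysmon event ID 22 (DnsQuery), and that is the log source this scanner is meant to be fed from.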
No debug info