File name: dump.dll

Full analysis: https://app.any.run/tasks/4e1b1832-4a08-4265-a251-029167580351
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: December 27, 2024, 19:05:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, xworm, telegram, remote, ims-api, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (DLL) (console) x86-64, for MS Windows, 8 sections
MD5: C944FB9DE1412B7D4A82842480839503
SHA1: 245B8BCCC840F37098328E35E54B0C6ADD05A786
SHA256: 63DBB1DBA4F55C7E742C1144C76F5A9B4C9AAC6138B6BEC0EDD985605D3D9062
SSDEEP: 49152:uH/LfjREtJ2uba9+lnCRlK9HbGqjhezPQOS+yLYhdGwkDCTL:uzfjREtJ2uba9+lnS49HbGqlyPQtHe0O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 6196)
      • powershell.exe (PID: 7104)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 6780)
      • powershell.exe (PID: 4420)
      • powershell.exe (PID: 7120)
      • powershell.exe (PID: 5652)
    • Changes powershell execution policy (Bypass)

      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
    • Adds process to the Windows Defender exclusion list

      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • XWORM has been detected (YARA)

      • WinRaR.exe (PID: 5472)
    • Uses Task Scheduler to run other applications

      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
    • Changes the autorun value in the registry

      • WinRaR.exe (PID: 5472)
    • XWORM has been detected

      • installer.exe (PID: 3772)
    • XWORM has been detected (SURICATA)

      • installer.exe (PID: 3772)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Nursultan installer alpha.exe (PID: 3848)
      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • Start notepad (likely ransomware note)

      • Nursultan installer alpha.exe (PID: 3848)
    • Executable content was dropped or overwritten

      • Nursultan installer alpha.exe (PID: 3848)
      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
    • Process drops legitimate windows executable

      • Nursultan installer alpha.exe (PID: 3848)
      • installer.exe (PID: 3772)
    • Starts a Microsoft application from unusual location

      • installer.exe (PID: 3772)
    • Starts POWERSHELL.EXE for commands execution

      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
    • Reads the date of Windows installation

      • installer.exe (PID: 3772)
    • Script adds exclusion path to Windows Defender

      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • Script adds exclusion process to Windows Defender

      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • WinRaR.exe (PID: 5472)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • WinRaR.exe (PID: 5472)
    • Contacting a server suspected of hosting a CnC

      • installer.exe (PID: 3772)
    • Connects to unusual port

      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • The process executes via Task Scheduler

      • svchost.exe (PID: 5076)
      • WinRaR.exe (PID: 3836)
  • INFO

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 2828)
    • Manual execution by a user

      • Nursultan installer alpha.exe (PID: 2548)
      • Nursultan installer alpha.exe (PID: 3848)
    • Process checks computer location settings

      • Nursultan installer alpha.exe (PID: 3848)
      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
    • Reads the computer name

      • Nursultan installer alpha.exe (PID: 3848)
      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
      • WinRaR.exe (PID: 3836)
    • Checks supported languages

      • Nursultan installer alpha.exe (PID: 3848)
      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
      • injector.exe (PID: 4556)
      • WinRaR.exe (PID: 3836)
      • svchost.exe (PID: 5076)
    • Create files in a temporary directory

      • Nursultan installer alpha.exe (PID: 3848)
    • The process uses the downloaded file

      • Nursultan installer alpha.exe (PID: 3848)
      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • Reads the machine GUID from the registry

      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
      • WinRaR.exe (PID: 3836)
    • Reads Environment values

      • installer.exe (PID: 3772)
      • WinRaR.exe (PID: 5472)
    • Disables trace logs

      • WinRaR.exe (PID: 5472)
    • Checks proxy server information

      • WinRaR.exe (PID: 5472)
      • installer.exe (PID: 3772)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6196)
      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 4420)
      • powershell.exe (PID: 5652)
      • powershell.exe (PID: 6780)
      • powershell.exe (PID: 7120)
      • powershell.exe (PID: 7104)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6196)
      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 6780)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 5652)
      • powershell.exe (PID: 4420)
      • powershell.exe (PID: 7120)
      • powershell.exe (PID: 7104)
    • Creates files or folders in the user directory

      • WinRaR.exe (PID: 5472)
    • Reads the software policy settings

      • WinRaR.exe (PID: 5472)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2192)

XWorm

(PID) Process: (5472) WinRaR.exe
C224.ip.gl.ply.gg:11476
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.6
Mutex: xIlhAEFW1tb8Nb0H

ims-api

(PID) Process: (5472) WinRaR.exe
Telegram-Tokens (1): 7581531705:AAG9MCtUOFUO238JTNxs2kc7H8Sy9CPQTFs
Telegram-Info-Links for token 7581531705:AAG9MCtUOFUO238JTNxs2kc7H8Sy9CPQTFs
Get info about bot: https://api.telegram.org/bot7581531705:AAG9MCtUOFUO238JTNxs2kc7H8Sy9CPQTFs/getMe
Get incoming updates: https://api.telegram.org/bot7581531705:AAG9MCtUOFUO238JTNxs2kc7H8Sy9CPQTFs/getUpdates
Get webhook: https://api.telegram.org/bot7581531705:AAG9MCtUOFUO238JTNxs2kc7H8Sy9CPQTFs/getWebhookInfo
Delete webhook: https://api.telegram.org/bot7581531705:AAG9MCtUOFUO238JTNxs2kc7H8Sy9CPQTFs/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot7581531705:AAG9MCtUOFUO238JTNxs2kc7H8Sy9CPQTFs/deleteWebhook?drop_pending_updates=true
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:10 07:37:01+00:00
ImageFileCharacteristics: Executable, Large address aware, DLL
PEType: PE32+
LinkerVersion: 14.35
CodeSize: 1254400
InitializedDataSize: 202240
UninitializedDataSize: -
EntryPoint: 0xfd7b4
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
Total processes: 158
Monitored processes: 31
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain (in order of appearance; "no specs" marks processes without detailed details; #XWORM marks processes flagged as XWorm):
  • start
  • rundll32.exe (no specs)
  • nursultan installer alpha.exe (no specs)
  • nursultan installer alpha.exe
  • notepad.exe (no specs)
  • injector.exe (no specs)
  • conhost.exe (no specs)
  • winrar.exe (#XWORM)
  • installer.exe (#XWORM)
  • powershell.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • svchost.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • svchost.exe (no specs)
  • winrar.exe (no specs)

Process information (each entry: PID | CMD | Path | Parent process, followed by process details and loaded modules)
PID 904 | CMD: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\admin\AppData\Roaming\svchost.exe" | Path: C:\Windows\System32\schtasks.exe | Parent process: installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 1140 | CMD: "C:\WINDOWS\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\dump.dll, #1 | Path: C:\Windows\System32\rundll32.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID 1744 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2160 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2192 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID 2548 | CMD: "C:\Users\admin\Desktop\Nursultan installer alpha.exe" | Path: C:\Users\admin\Desktop\Nursultan installer alpha.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\desktop\nursultan installer alpha.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 2828 | CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\123.txt | Path: C:\Windows\SysWOW64\notepad.exe | Parent process: Nursultan installer alpha.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID 3772 | CMD: "C:\Users\admin\AppData\Local\Temp\installer.exe" | Path: C:\Users\admin\AppData\Local\Temp\installer.exe | Parent process: Nursultan installer alpha.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Notepad (file description given in Russian as "Блокнот")
Version: 6.2.19041.4355
Modules (Images):
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 3836 | CMD: "C:\Users\admin\AppData\Roaming\WinRaR.exe" | Path: C:\Users\admin\AppData\Roaming\WinRaR.exe | Parent process: svchost.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 131.0.6778.205
Modules (Images):
c:\users\admin\appdata\roaming\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 3848 | CMD: "C:\Users\admin\Desktop\Nursultan installer alpha.exe" | Path: C:\Users\admin\Desktop\Nursultan installer alpha.exe | Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\nursultan installer alpha.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events: 48 351
Read events: 48 269
Write events: 82
Delete events: 0

Modification events

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation: write
Name: txtfile
Value:

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppXmgj48ewmzzwt11zq319t7591v59qteen
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.XboxGameCallableUI_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy\Microsoft.XboxGameCallableUI\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppXyw9m79fnbp5my6829hn2k8akzs2jq5f3
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.16299.15_neutral_neutral_cw5n1h2txyewy\App\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppX58hjgn2bg726g1kw5yg1p7s9vq3wvx6f
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Windows.ParentalControls_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy\App\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppXwxvnpdbw9c10hhrvdzzdqn2p2jej368v
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.16299.15.0_neutral_neutral_cw5n1h2txyewy\App\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppX5zjesx7qzfc49qr8sz790v9hnabbqnqp
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.16299.15_neutral_neutral_cw5n1h2txyewy\App\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppX0zm3nqtpjqjp9a8barnpj10cdtef7rd1
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Xbox.TCUI_1.8.24001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.TCUI\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppXcx6rg3afke35210sfedzsqebxy81fzcq
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Print3D_1.0.2422.0_x64__8wekyb3d8bbwe\App\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppXravs7b5fz5kv9agm2wc9rphy1w78yqh4
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.GetHelp_10.1706.1811.0_x64__8wekyb3d8bbwe\App\Capabilities

(PID) Process: (3848) Nursultan installer alpha.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-500\SOFTWARE\RegisteredApplications
Operation: write
Name: AppXv86g457c9nyh539ace8n49xba16q7tce
Value: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Windows.SecHealthUI_10.0.16299.402_neutral__cw5n1h2txyewy\SecHealthUI\Capabilities
Executable files: 4
Suspicious files: 3
Text files: 17
Unknown types: 0

Dropped files (PID | Process | Filename | Type)

PID 3848 | Nursultan installer alpha.exe | C:\Users\admin\AppData\Local\Temp\injector.exe | Type: -
MD5:
SHA256:

PID 6936 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j3rjmipb.yte.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6936 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xqekbtek.jlo.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 3848 | Nursultan installer alpha.exe | C:\Users\admin\AppData\Local\Temp\WinRaR.exe | Type: executable
MD5: FEB1C980CE3411D07FD270BFF604DDA2
SHA256: 5EC9D3810F331E456B6A7B054E361E503EFC28DA60A1EAB13D6CC1F32691C2C2

PID 7120 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5cfi5l3x.k1t.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6228 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 2EF3161A3B707AB9634C0A5D21501B31
SHA256: B7ED16A2AB6254ACF319E2E54706B8B5DD52BE84D5ABA7F7999E171C410B1AFE

PID 7104 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xtspsvve.le0.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 4420 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_clpdnzvl.dt2.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 5652 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_awengrm5.rsd.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 5472 | WinRaR.exe | C:\Users\admin\AppData\Roaming\WinRaR.exe | Type: executable
MD5: FEB1C980CE3411D07FD270BFF604DDA2
SHA256: 5EC9D3810F331E456B6A7B054E361E503EFC28DA60A1EAB13D6CC1F32691C2C2
HTTP(S) requests: 9
TCP/UDP connections: 46
DNS requests: 21
Threats: 21

HTTP requests (PID | Process | Method | HTTP Code | IP | URL | CN | Reputation; the Type and Size columns were empty for every row, and "-" marks a cell the report left blank)

- | - | GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6160 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
7096 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7096 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
3772 | installer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared
5472 | WinRaR.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared

Connections (PID | Process | IP | Domain | ASN | CN | Reputation; "-" marks a cell the report left blank)

4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
1460 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.139:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.167
  • 23.48.23.194
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.141
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.163
  • 104.126.37.161
  • 104.126.37.137
  • 104.126.37.178
  • 104.126.37.170
  • 104.126.37.154
  • 104.126.37.130
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats (PID | Process | Class | Message)

2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
5472 | WinRaR.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
5472 | WinRaR.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
5472 | WinRaR.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
3772 | installer.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
2192 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
2192 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
5472 | WinRaR.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
5472 | WinRaR.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info