File name:

RimWorld setub.exe

Full analysis: https://app.any.run/tasks/63a6b264-c8aa-4a6a-928a-37af60137cf3
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of tutorials and educational material; interested attackers can even find walkthroughs on YouTube. That low barrier to entry has made it one of the most popular RATs in the world.

Analysis date: September 06, 2024, 16:13:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
njrat
bladabindi
remote
vmprotect
pyinstaller
python
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

382C21837FBB296675B92C64BBC6249D

SHA1:

DDEDD90110497139EE0B5FCA0E8EA3B585271F6D

SHA256:

6BA1D9CF4B63033C0D9752FBE663EEE726A5CF5401B20B8B8E927CCA39CF113D

SSDEEP:

6144:hodyEWwBT/2CX05UpknvitetQntJcuUJkx7Kp0y3ZN1QHhrE0HXWiDTOlJO/2Fmk:h7EZTe759+euntJDTsm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • svhost.exe (PID: 7140)
    • NJRAT has been detected (YARA)

      • svhost.exe (PID: 7140)
    • Changes the autorun value in the registry

      • svhost.exe (PID: 7140)
    • NjRAT is detected

      • svhost.exe (PID: 7140)
    • Connects to the CnC server

      • svhost.exe (PID: 7140)
    • Actions look like stealing of personal data

      • tmpDF73.tmp.exe (PID: 5376)
    • NJRAT has been detected (SURICATA)

      • svhost.exe (PID: 7140)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmp82D.tmp.exe (PID: 6852)
      • tmpDF73.tmp.exe (PID: 5376)
    • The process creates files with name similar to system file names

      • RimWorld setub.exe (PID: 6844)
    • Starts itself from another location

      • RimWorld setub.exe (PID: 6844)
    • Executable content was dropped or overwritten

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmp98B9.tmp.exe (PID: 7004)
      • tmpDF73.tmp.exe (PID: 5376)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • svhost.exe (PID: 7140)
    • Connects to unusual port

      • svhost.exe (PID: 7140)
    • The process drops C-runtime libraries

      • tmp98B9.tmp.exe (PID: 7004)
    • Process drops python dynamic module

      • tmp98B9.tmp.exe (PID: 7004)
    • Process drops legitimate windows executable

      • tmp98B9.tmp.exe (PID: 7004)
    • Contacting a server suspected of hosting a CnC

      • svhost.exe (PID: 7140)
    • Application launched itself

      • tmp98B9.tmp.exe (PID: 7004)
    • Loads Python modules

      • tmp98B9.tmp.exe (PID: 6768)
    • Executes application which crashes

      • tmpDF73.tmp.exe (PID: 5700)
    • There is functionality for taking screenshot (YARA)

      • tmpDF73.tmp.exe (PID: 5700)
    • Mutex name with non-standard characters

      • tmpDF73.tmp.exe (PID: 5376)
  • INFO

    • Reads the computer name

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmp98B9.tmp.exe (PID: 7004)
      • tmp82D.tmp.exe (PID: 6852)
      • tmp98B9.tmp.exe (PID: 6768)
      • tmpDF73.tmp.exe (PID: 5700)
      • tmpDF73.tmp.exe (PID: 5376)
    • Checks supported languages

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmp98B9.tmp.exe (PID: 7004)
      • tmp98B9.tmp.exe (PID: 6768)
      • tmpDF73.tmp.exe (PID: 5376)
      • tmp82D.tmp.exe (PID: 6852)
      • tmpDF73.tmp.exe (PID: 5700)
    • Reads the machine GUID from the registry

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmp82D.tmp.exe (PID: 6852)
      • tmp98B9.tmp.exe (PID: 6768)
    • Creates files or folders in the user directory

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmp82D.tmp.exe (PID: 6852)
      • WerFault.exe (PID: 6516)
    • Process checks computer location settings

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmpDF73.tmp.exe (PID: 5376)
    • The process uses the downloaded file

      • RimWorld setub.exe (PID: 6844)
      • svhost.exe (PID: 7140)
      • tmpDF73.tmp.exe (PID: 5376)
    • VMProtect protector has been detected

      • svhost.exe (PID: 7140)
    • Create files in a temporary directory

      • svhost.exe (PID: 7140)
      • tmp98B9.tmp.exe (PID: 7004)
      • tmp82D.tmp.exe (PID: 6852)
      • tmpDF73.tmp.exe (PID: 5376)
      • tmpDF73.tmp.exe (PID: 5700)
    • PyInstaller has been detected (YARA)

      • tmp98B9.tmp.exe (PID: 7004)
      • tmp98B9.tmp.exe (PID: 6768)
    • Reads the software policy settings

      • slui.exe (PID: 236)
      • WerFault.exe (PID: 6516)
      • slui.exe (PID: 5468)
    • Checks proxy server information

      • tmp82D.tmp.exe (PID: 6852)
      • WerFault.exe (PID: 6516)
      • slui.exe (PID: 5468)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35)
.exe | Win64 Executable (generic) (31)
.scr | Windows screen saver (14.7)
.dll | Win32 Dynamic Link Library (generic) (7.3)
.exe | Win32 Executable (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:06 12:47:17+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 34816
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x35062
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
148
Monitored processes
15
Malicious processes
3
Suspicious processes
1

Behavior graph

  • start: rimworld setub.exe
  • #NJRAT svhost.exe
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • svchost.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • THREAT tmp98b9.tmp.exe
  • conhost.exe (no specs)
  • slui.exe
  • tmp82d.tmp.exe (no specs)
  • THREAT tmp98b9.tmp.exe (no specs)
  • tmpdf73.tmp.exe
  • THREAT tmpdf73.tmp.exe
  • werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
236
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2256
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
3176
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
4804
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
tmp98B9.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5376
CMD:
"C:\Users\admin\AppData\Local\Temp\tmpDF73.tmp.exe"
Path:
C:\Users\admin\AppData\Local\Temp\tmpDF73.tmp.exe
Parent process:
svhost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\tmpdf73.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
5468
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
5700
CMD:
"C:\Users\admin\AppData\Local\Temp\3582-490\tmpDF73.tmp.exe"
Path:
C:\Users\admin\AppData\Local\Temp\3582-490\tmpDF73.tmp.exe
Parent process:
tmpDF73.tmp.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\tmpdf73.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
6352
CMD:
netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
Path:
C:\Windows\SysWOW64\netsh.exe
Parent process:
svhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6516
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5700 -s 676
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
tmpDF73.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
6768
CMD:
"C:\Users\admin\AppData\Local\Temp\tmp98B9.tmp.exe"
Path:
C:\Users\admin\AppData\Local\Temp\tmp98B9.tmp.exe
Parent process:
tmp98B9.tmp.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\tmp98b9.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
11 194
Read events
10 950
Write events
242
Delete events
2

Modification events

(PID) Process: (6844) RimWorld setub.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (7140) svhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 619680d438aded33a3114805b64591c9
Value:
"C:\Users\admin\AppData\Roaming\svhost.exe" ..

(PID) Process: (7140) svhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\619680d438aded33a3114805b64591c9
Operation: write
Name: 2681e81bb4c4b3e6338ce2a456fb93a7
Value:
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

(PID) Process: (6852) tmp82D.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Media\WMSDK\General
Operation: write
Name: UniqueID
Value:
{89F76791-B1F2-4403-AFB5-472B80832254}

(PID) Process: (6852) tmp82D.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Media\WMSDK\General
Operation: write
Name: ComputerName
Value:
DESKTOP-JGLLJLD

(PID) Process: (6852) tmp82D.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Media\WMSDK\General
Operation: write
Name: VolumeSerialNumber
Value:
649566714

(PID) Process: (6852) tmp82D.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Player\Settings
Operation: delete value
Name: Client ID
Value:
{CECDFD5C-8F08-4FEF-8713-FAA895A422EB}

(PID) Process: (6852) tmp82D.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Media\WMSDK\Namespace
Operation: write
Name: LocalBase
Value:
C:\Users\admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

(PID) Process: (6852) tmp82D.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Media\WMSDK\Namespace
Operation: write
Name: DTDFile
Value:
C:\Users\admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

(PID) Process: (6852) tmp82D.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Media\WMSDK\Namespace
Operation: write
Name: LocalDelta
Value:
C:\Users\admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNSD.XML
Executable files
75
Suspicious files
11
Text files
921
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7004 | Process: tmp98B9.tmp.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI70042\VCRUNTIME140.dll | Type: executable
MD5: 0E675D4A7A5B7CCD69013386793F68EB
SHA256: BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1

PID: 7140 | Process: svhost.exe | Filename: C:\Users\admin\AppData\Local\Temp\tmp98B9.tmp.exe | Type: executable
MD5: 2A4D918A793117031C4273B4786AA274
SHA256: 3D53E6270A9DD4B2AF371069831F2CF94A439843CE8CDC46895F96783A30572D

PID: 7140 | Process: svhost.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\619680d438aded33a3114805b64591c9.exe | Type: executable
MD5: 382C21837FBB296675B92C64BBC6249D
SHA256: 6BA1D9CF4B63033C0D9752FBE663EEE726A5CF5401B20B8B8E927CCA39CF113D

PID: 7004 | Process: tmp98B9.tmp.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI70042\_asyncio.pyd | Type: executable
MD5: FE9322E00324B59C179D4C9803322B6C
SHA256: 46967E4EF54E222DCDA43B64032A3F22ED9FCE4CEBBE0E64288ED80F86A500EB

PID: 7004 | Process: tmp98B9.tmp.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI70042\_bz2.pyd | Type: executable
MD5: 3DC8AF67E6EE06AF9EEC52FE985A7633
SHA256: C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929

PID: 6844 | Process: RimWorld setub.exe | Filename: C:\Users\admin\AppData\Roaming\svhost.exe | Type: executable
MD5: 382C21837FBB296675B92C64BBC6249D
SHA256: 6BA1D9CF4B63033C0D9752FBE663EEE726A5CF5401B20B8B8E927CCA39CF113D

PID: 7004 | Process: tmp98B9.tmp.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI70042\_hashlib.pyd | Type: executable
MD5: A6448BC5E5DA21A222DE164823ADD45C
SHA256: 3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A

PID: 7004 | Process: tmp98B9.tmp.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI70042\_overlapped.pyd | Type: executable
MD5: 1B04BD84BDD90B8419E2A658A1CACC6E
SHA256: 44F9ED9D97881B29ECC79A2B3077760A4F9F7B5BA386751C0F3B98F1BFB0D8C4

PID: 7004 | Process: tmp98B9.tmp.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI70042\_ctypes.pyd | Type: executable
MD5: F1E33A8F6F91C2ED93DC5049DD50D7B8
SHA256: 9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4

PID: 7004 | Process: tmp98B9.tmp.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI70042\_lzma.pyd | Type: executable
MD5: 37057C92F50391D0751F2C1D7AD25B02
SHA256: 9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
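The behaviour list, registry events, dropped files and DNS records above describe a chain that endpoint telemetry can match directly: the installer drops a copy of itself as AppData\Roaming\svhost.exe (one letter off svchost.exe), that copy writes a Run-key value and a Startup-folder copy both named with a 32-hex-character string, spawns netsh to add a firewall exception for its own path, and resolves a playit.gg tunnel host. The following Python is an added example, not part of the ANY.RUN report, that scores Sysmon-style events against those behaviours and reproduces the report's verdict. The event records are constructed to mirror the report's PIDs, paths, values and hashes; the SID in the registry paths and the installer's Desktop location are assumptions. The Sysmon event IDs and field names used (1, 11, 13, 22; CommandLine, TargetFilename, TargetObject, Details, QueryName, Hashes) are Sysmon's standard ones.

```python
"""
Score Sysmon-style events against the njRAT/Bladabindi behaviours seen in this
report: lookalike drop under the user profile, Run-key and Startup-folder
persistence, netsh firewall exception, playit.gg tunnel C2, known sample hash.
"""
import re
from dataclasses import dataclass

# Sample-specific IOCs copied from the report above.
SAMPLE_SHA256 = "6ba1d9cf4b63033c0d9752fbe663eee726a5cf5401b20b8b8e927cca39cf113d"
KNOWN_C2_HOSTS = {"security-sudan.gl.at.ply.gg"}

# Generic behaviour patterns; these also apply to other njRAT builds and similar RATs.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\([^\\]+)$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)            # hash-like value name, as in this report
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
NETSH_ALLOW_RE = re.compile(
    r"\bnetsh\b.*\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
TUNNEL_DOMAIN_RE = re.compile(r"(?:^|\.)ply\.gg$", re.I)  # playit.gg tunnel hosts
USER_PROFILE_RE = re.compile(r"[a-z]:\\users\\", re.I)
SYSTEM_NAMES = ("svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe")


@dataclass
class Event:
    event_id: int   # Sysmon IDs: 1 process create, 11 file create, 13 registry set, 22 DNS query
    pid: int
    image: str
    fields: dict


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" | "high" | "medium"
    pid: int
    detail: str


def lookalike(basename):
    """Return the Windows binary a file name imitates (svhost.exe -> svchost.exe), else None."""
    name = basename.lower()
    for sysname in SYSTEM_NAMES:
        if name == sysname:
            return sysname
        for i in range(len(sysname)):            # one-character deletion
            if sysname[:i] + sysname[i + 1:] == name:
                return sysname
    return None


def evaluate(events):
    """Map each event onto the behaviours the sandbox flagged and return the findings."""
    out = []
    for e in events:
        fld = e.fields
        if SAMPLE_SHA256 in fld.get("Hashes", "").lower():
            out.append(Finding("critical", e.pid,
                               f"known njRAT sample hash: {fld.get('TargetFilename') or e.image}"))
        if e.event_id == 13:
            m = RUN_KEY_RE.search(fld.get("TargetObject", ""))
            if m:
                sev = "high" if HEX32_RE.match(m.group(1)) else "medium"
                out.append(Finding(sev, e.pid, f"Run-key autorun {m.group(1)} = {fld.get('Details', '')}"))
        elif e.event_id == 11:
            target = fld.get("TargetFilename", "")
            if STARTUP_DIR_RE.search(target):
                out.append(Finding("high", e.pid, f"executable dropped in Startup folder: {target}"))
            sysname = lookalike(target.rsplit("\\", 1)[-1])
            if sysname and USER_PROFILE_RE.search(target):
                out.append(Finding("medium", e.pid, f"{target} imitates {sysname} outside C:\\Windows"))
        elif e.event_id == 1:
            cmd = fld.get("CommandLine", "")
            if NETSH_ALLOW_RE.search(cmd):
                sev = "high" if USER_PROFILE_RE.search(cmd) else "medium"
                out.append(Finding(sev, e.pid, f"firewall exception added: {cmd}"))
        elif e.event_id == 22:
            q = fld.get("QueryName", "").lower()
            if q in KNOWN_C2_HOSTS:
                out.append(Finding("critical", e.pid, f"DNS lookup of known njRAT C2 host {q}"))
            elif TUNNEL_DOMAIN_RE.search(q):
                out.append(Finding("high", e.pid, f"DNS lookup of tunnel host {q}"))
    return out


def verdict(findings):
    """Collapse findings to the report's three-way verdict."""
    sev = [x.severity for x in findings]
    if "critical" in sev or sev.count("high") >= 2:
        return "malicious"
    return "suspicious" if sev else "clean"


# Constructed events modelled on the report's process, registry, file and DNS
# records; the SID and the installer's Desktop path are assumptions.
SAMPLE_EVENTS = [
    Event(11, 6844, r"C:\Users\admin\Desktop\RimWorld setub.exe",
          {"TargetFilename": r"C:\Users\admin\AppData\Roaming\svhost.exe",
           "Hashes": "SHA256=" + SAMPLE_SHA256.upper()}),
    Event(13, 6844, r"C:\Users\admin\Desktop\RimWorld setub.exe",
          {"TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries",
           "Details": "Binary Data"}),
    Event(13, 7140, r"C:\Users\admin\AppData\Roaming\svhost.exe",
          {"TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\619680d438aded33a3114805b64591c9",
           "Details": r'"C:\Users\admin\AppData\Roaming\svhost.exe" ..'}),
    Event(11, 7140, r"C:\Users\admin\AppData\Roaming\svhost.exe",
          {"TargetFilename": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\619680d438aded33a3114805b64591c9.exe"}),
    Event(1, 6352, r"C:\Windows\SysWOW64\netsh.exe",
          {"CommandLine": r'netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE',
           "ParentImage": r"C:\Users\admin\AppData\Roaming\svhost.exe"}),
    Event(22, 7140, r"C:\Users\admin\AppData\Roaming\svhost.exe", {"QueryName": "security-sudan.gl.at.ply.gg"}),
    Event(22, 4316, r"C:\Windows\System32\svchost.exe", {"QueryName": "www.microsoft.com"}),  # benign
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.severity:8}] pid {h.pid}: {h.detail}")
    print("verdict:", verdict(hits))
```

Only the hash and the C2 hostname are tied to this sample; the other rules are behavioural and will also fire on other njRAT builds, and occasionally on legitimate installers that register a Run key or a firewall exception, which is why the severities are tiered and a lone medium finding yields "suspicious" rather than "malicious". On the constructed events the script reports two critical, three high and one medium finding, none for the benign svchost.exe lookup, and a verdict of malicious.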
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
40
DNS requests
20
Threats
341

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4164
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4316
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6516
WerFault.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4772
SIHClient.exe
GET
200
23.32.185.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4772
SIHClient.exe
GET
200
23.32.185.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4316
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6408
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4316
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4316
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4164
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4164
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 23.32.185.131
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.68
  • 40.126.32.72
  • 40.126.32.136
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.14
  • 40.126.32.138
  • 20.190.159.75
  • 20.190.159.0
  • 40.126.31.67
  • 20.190.159.73
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.69
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
security-sudan.gl.at.ply.gg
  • 147.185.221.22
unknown
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
Misc activity
ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
14 ETPRO signatures available at the full report
No debug info