File name: Worm.zip

Full analysis: https://app.any.run/tasks/ed157aeb-bfbc-4d03-b05f-5bb093c902e5
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 31, 2024, 19:44:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer, upx
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 3167CF08DBACEBA1206755950E02E66C
SHA1: F608F322801E6BA035136276FE743CF81D555E97
SHA256: 755A1889E618E61C581615A4DF7DF74D313D9EFABF33AC1F64D39C4E6B7309C3
SSDEEP: 49152:lIpveKxv//pnMYFlZWhrAgcRDhYjcoTja5lVr+6ZFmZdEgIGI5TQz/FUtoGpNAmu:wPvBMEElkYjnTja5lVxZQbnQB4azPXB6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Mantas.exe (PID: 6780)
      • svchost.exe (PID: 740)
      • reg.exe (PID: 2036)
      • reg.exe (PID: 4996)
      • reg.exe (PID: 5772)
      • reg.exe (PID: 3972)
      • reg.exe (PID: 1680)
      • reg.exe (PID: 2636)
      • reg.exe (PID: 4316)
      • reg.exe (PID: 5504)
      • reg.exe (PID: 6616)
      • reg.exe (PID: 5880)
      • reg.exe (PID: 6288)
      • reg.exe (PID: 6056)
      • reg.exe (PID: 4020)
      • reg.exe (PID: 6132)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 6456)
      • reg.exe (PID: 1128)
      • Bezilom.exe (PID: 360)
    • Actions look like stealing of personal data

      • Mantas.exe (PID: 6780)
    • Changes the login/logoff helper path in the registry

      • Fagot.a.exe (PID: 1496)
    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 1060)
    • Starts NET.EXE to view/change shared resources

      • cmd.exe (PID: 6612)
      • net.exe (PID: 2580)
      • net.exe (PID: 6636)
      • net.exe (PID: 5556)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4692)
      • Heap41A.exe (PID: 2092)
      • Heap41A.exe (PID: 4316)
    • Executable content was dropped or overwritten

      • Mantas.exe (PID: 6780)
      • Heap41A.exe (PID: 2092)
      • svchost.exe (PID: 740)
      • Nadlote.exe (PID: 5944)
    • Drops the executable file immediately after the start

      • Mantas.exe (PID: 6780)
      • Heap41A.exe (PID: 2092)
      • svchost.exe (PID: 740)
      • Nadlote.exe (PID: 5944)
    • The process creates files with name similar to system file names

      • Mantas.exe (PID: 6780)
      • Heap41A.exe (PID: 2092)
      • svchost.exe (PID: 740)
      • WerFault.exe (PID: 1828)
    • Reads the date of Windows installation

      • Heap41A.exe (PID: 2092)
      • Heap41A.exe (PID: 4316)
    • Starts itself from another location

      • svchost.exe (PID: 740)
    • Executes application which crashes

      • Fagot.a.exe (PID: 1496)
      • wscript.exe (PID: 2580)
    • Application launched itself

      • svchost.exe (PID: 1060)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2580)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2580)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 2580)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 2580)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 2580)
    • Gets the drive type (SCRIPT)

      • wscript.exe (PID: 2580)
    • Gets a collection of all available drive names (SCRIPT)

      • wscript.exe (PID: 2580)
    • Creates file in the system drive root

      • Bezilom.exe (PID: 360)
      • Nadlote.exe (PID: 5944)
      • smss.exe (PID: 5212)
    • There is functionality for taking screenshot (YARA)

      • Netres.a.exe (PID: 1556)
      • Fagot.a.exe (PID: 1496)
    • Starts CMD.EXE for commands execution

      • Nadlote.exe (PID: 5944)
      • smss.exe (PID: 5212)
    • Starts application from unusual location

      • Nadlote.exe (PID: 5944)
      • cmd.exe (PID: 7036)
      • cmd.exe (PID: 2660)
      • ipconfig.exe (PID: 3980)
      • smss.exe (PID: 5212)
      • cmd.exe (PID: 2648)
      • PING.EXE (PID: 4088)
      • PING.EXE (PID: 6460)
      • cmd.exe (PID: 2036)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1480)
      • cmd.exe (PID: 4732)
      • cmd.exe (PID: 1156)
      • cmd.exe (PID: 252)
      • cmd.exe (PID: 1124)
      • cmd.exe (PID: 1944)
      • cmd.exe (PID: 7060)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 6552)
      • cmd.exe (PID: 5000)
      • cmd.exe (PID: 6424)
      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 5940)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 4524)
      • cmd.exe (PID: 6636)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 6576)
      • cmd.exe (PID: 6940)
      • cmd.exe (PID: 3328)
      • cmd.exe (PID: 6408)
    • Process uses IPCONFIG to get network configuration information

      • cmd.exe (PID: 2660)
    • Detected use of alternative data streams (AltDS)

      • smss.exe (PID: 5212)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4692)
    • Manual execution by a user

      • Nople.exe (PID: 5612)
      • Netres.a.exe (PID: 1556)
      • Mantas.exe (PID: 6780)
      • Heap41A.exe (PID: 1172)
      • Heap41A.exe (PID: 2092)
      • Fagot.a.exe (PID: 1496)
      • Bumerang.exe (PID: 6584)
      • Heap41A.exe (PID: 4316)
      • Heap41A.exe (PID: 6488)
      • wscript.exe (PID: 2580)
      • Bezilom.exe (PID: 360)
      • Vobus.exe (PID: 6380)
      • Nadlote.exe (PID: 5944)
      • DComExploit.exe (PID: 940)
      • DComExploit.exe (PID: 5916)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 4692)
      • Heap41A.exe (PID: 2092)
      • Heap41A.exe (PID: 4316)
    • Reads the computer name

      • Nople.exe (PID: 5612)
      • Netres.a.exe (PID: 1556)
      • Heap41A.exe (PID: 2092)
      • Bumerang.exe (PID: 6584)
      • Fagot.a.exe (PID: 1496)
      • Heap41A.exe (PID: 4316)
      • Bezilom.exe (PID: 360)
      • Nadlote.exe (PID: 5944)
      • smss.exe (PID: 5212)
    • Checks supported languages

      • Nople.exe (PID: 5612)
      • Netres.a.exe (PID: 1556)
      • Mantas.exe (PID: 6780)
      • Heap41A.exe (PID: 2092)
      • svchost.exe (PID: 740)
      • svchost.exe (PID: 1060)
      • Fagot.a.exe (PID: 1496)
      • Bumerang.exe (PID: 6584)
      • svchost.exe (PID: 5112)
      • svchost.exe (PID: 6372)
      • Heap41A.exe (PID: 4316)
      • svchost.exe (PID: 5516)
      • Bezilom.exe (PID: 360)
      • Vobus.exe (PID: 6380)
      • Nadlote.exe (PID: 5944)
      • smss.exe (PID: 5212)
      • DComExploit.exe (PID: 940)
      • DComExploit.exe (PID: 5916)
    • Creates files or folders in the user directory

      • Netres.a.exe (PID: 1556)
      • WerFault.exe (PID: 6716)
      • WerFault.exe (PID: 1828)
    • Creates files in a temporary directory

      • Heap41A.exe (PID: 2092)
      • Heap41A.exe (PID: 4316)
      • Bezilom.exe (PID: 360)
      • Nadlote.exe (PID: 5944)
      • smss.exe (PID: 5212)
    • Process checks computer location settings

      • Heap41A.exe (PID: 2092)
      • Heap41A.exe (PID: 4316)
    • Reads the software policy settings

      • WerFault.exe (PID: 6716)
      • WerFault.exe (PID: 1828)
    • Checks proxy server information

      • WerFault.exe (PID: 6716)
      • WerFault.exe (PID: 1828)
    • UPX packer has been detected

      • svchost.exe (PID: 6372)
      • svchost.exe (PID: 5112)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 892)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:08:31 15:43:22
ZipCRC: 0x643ce414
ZipCompressedSize: 9211
ZipUncompressedSize: 28672
ZipFileName: Worm/Bezilom.exe
No data.
All screenshots are available in the full report
Total processes: 244
Monitored processes: 116
Malicious processes: 8
Suspicious processes: 21

Behavior graph

Interactive process graph (not reproduced here); the processes it shows are listed under Process information below.

Process information

PID: 252
CMD: cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: smss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 360
CMD: "C:\Users\admin\AppData\Local\Temp\Worm\Worm\Bezilom.exe"
Path: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Bezilom.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Version: 1.00.0004
Modules (images):
c:\users\admin\appdata\local\temp\worm\worm\bezilom.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 740
CMD: "C:\Users\admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe
Parent process: Heap41A.exe
User: admin
Integrity Level: HIGH
Description: AutoHotkey
Exit code: 0
Version: 1, 0, 46, 08
Modules (images):
c:\users\admin\appdata\local\temp\microsoftpowerpoint\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 892
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 940
CMD: "C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\DComExploit.exe"
Path: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\DComExploit.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\worm\worm\blaster\dcomexploit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 1060
CMD: C:\heap41a\svchost.exe C:\heap41a\std.txt
Path: C:\heap41a\svchost.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Description: AutoHotkey
Exit code: 0
Version: 1, 0, 46, 08
Modules (images):
c:\heap41a\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 1124
CMD: cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: smss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1124
CMD: REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1128
CMD: REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 29 681
Read events: 28 411
Write events: 1 268
Delete events: 2

Modification events

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Worm.zip

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4692) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Worm

(PID) Process: (1556) Netres.a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: Network check
Value:
Executable files: 120
Suspicious files: 8
Text files: 37
Unknown types: 1

Dropped files

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Bezilom.exe; Type: executable
MD5: 8E9D7FEB3B955E6DEF8365FD83007080
SHA256: 94D2B1DA2C4CE7DB94EE9603BC2F81386032687E7C664AFF6460BA0F5DAC0022

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\607B60AD512C50B7D71DCCC057E85F1C; Type: executable
MD5: 607B60AD512C50B7D71DCCC057E85F1C
SHA256: 3E363D76D3949CC218A83A2EE13603D643E3274D3CFF71247E38B92BDB391CFA

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\dcom.c; Type: text
MD5: DFC6EE0A2EB77556D803104D761EF8AC
SHA256: 9F0962E07CBDA4C7F4B18A4463FAA5D78208A078B61809B67D95FBD813008B66

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\DComExploit.exe.vir; Type: executable
MD5: D68CF4CB734BFAD7982C692D51F9D156
SHA256: 54143B9CD7AAF5AB164822BB905A69F88C5B54A88B48CC93114283D651EDF6A9

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Mantas.exe; Type: executable
MD5: 53F25F98742C5114EEC23C6487AF624C
SHA256: 7B5DEC6A48EE2114C3056F4CCB6935F3E7418EF0B0BC4A58931F2C80FC94D705

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Heap41A.exe; Type: executable
MD5: 4F30003916CC70FCA3CE6EC3F0FF1429
SHA256: 746153871F816ECE357589B2351818E449B1BEECFB21EB75A3305899CE9AE37C

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\NadIote\Nadlote.exe; Type: executable
MD5: 57AECBCDCB3A5AD31AC07C5A62B56085
SHA256: AB020413DCE53C9D57CF22D75EAF1339D72252D5316617A935149E02FEE42FD3

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\HeadTail.vbs; Type: text
MD5: E0A3AB130609C80B452EE423D3A55355
SHA256: AF1DE4B7C65071F490CFD1425C45C9538FD7888CB7DC509304D8EC11CB046649

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Fagot.a.exe; Type: executable
MD5: 30CDAB5CF1D607EE7B34F44AB38E9190
SHA256: 1517527C1D705A6EBC6EC9194AA95459E875AC3902A9F4AAB3BF24B6A6F8407F

PID: 4692; Process: WinRAR.exe; Filename: C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\8676210e6246948201aa014db471de90; Type: executable
MD5: 8676210E6246948201AA014DB471DE90
SHA256: 2E481059B9BC9686C676D69A80202EED5022C9A53ECD8CAC215E70C601DD7FDC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 17
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1356 | svchost.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2120 | MoUsoCoreWorker.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4324 | svchost.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1356 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6716 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1828 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.106.86.13, 4.231.128.59 | whitelisted
google.com | 142.250.186.142 | whitelisted
watson.events.data.microsoft.com | 13.89.179.12 | whitelisted

Threats

No threats detected