File name: SPAM.zip

Full analysis: https://app.any.run/tasks/b4518c30-6ee3-4ec5-a04c-c57272535adb
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: April 07, 2025, 11:03:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, remote, xworm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: F5C0F36AE757B8C7C23F963391BBDF6D
SHA1: 4805D69F82EF721022C2BAF877DD8043B24515CD
SHA256: 86174D4010AF29AF60B87DFE2BABB7DD29B9EA4526E3ED2C125A93237B22A7BA
SSDEEP: 49152:XifIHdG5RP+kBeK2yjC+EhJRnF9Y/HIC5o9NzkOAUTM+FTg8CE1Xle7TKLa19Sfz:XPWoDfF6/Hx5o9GrQZ28n1XCT6ESNvWi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 300)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Changes Windows Defender settings

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Changes powershell execution policy (Bypass)

      • embedded.exe (PID: 6744)
      • cmd.exe (PID: 5324)
      • powershell.exe (PID: 3304)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 644)
      • powershell.exe (PID: 1052)
      • powershell.exe (PID: 5600)
      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 5416)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7632)
      • powershell.exe (PID: 7984)
      • powershell.exe (PID: 8140)
    • Adds path to the Windows Defender exclusion list

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Adds process to the Windows Defender exclusion list

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • XWORM has been detected (YARA)

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Application was injected by another process

      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 4916)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 4508)
      • explorer.exe (PID: 5492)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 1572)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3104)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 2112)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 7036)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 6024)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 884)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 6608)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 6872)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 6180)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 2816)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 1140)
      • svchost.exe (PID: 6544)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1684)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1616)
      • svchost.exe (PID: 3364)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 2560)
      • svchost.exe (PID: 4952)
      • svchost.exe (PID: 2776)
      • svchost.exe (PID: 4844)
      • svchost.exe (PID: 4544)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 996)
      • svchost.exe (PID: 4348)
      • svchost.exe (PID: 2172)
    • Runs injected code in another process

      • powershell.exe (PID: 3304)
    • Uses Task Scheduler to run other applications

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Changes the autorun value in the registry

      • embedded.exe (PID: 6744)
    • Creates files in the Startup directory

      • embedded.exe (PID: 6744)
    • XWORM has been detected (SURICATA)

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 5512)
      • cmd.exe (PID: 664)
      • powershell.exe (PID: 3304)
      • cmd.exe (PID: 7760)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 4008)
      • explorer.exe (PID: 5492)
      • cmd.exe (PID: 5512)
      • msconfig.exe (PID: 4696)
      • powershell.exe (PID: 2552)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 7760)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 6736)
      • cmd.exe (PID: 4408)
      • cmd.exe (PID: 7820)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 5512)
      • cmd.exe (PID: 7760)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4008)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 2552)
      • cmd.exe (PID: 664)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4008)
      • embedded.exe (PID: 6744)
      • cmd.exe (PID: 5324)
      • cmd.exe (PID: 664)
      • powershell.exe (PID: 3304)
    • Cryptography encrypted command line is found

      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 4696)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2240)
      • certutil.exe (PID: 3140)
      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Creates a file in the system drive root

      • explorer.exe (PID: 5492)
    • Reads the date of Windows installation

      • embedded.exe (PID: 6744)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
    • Reads security settings of Internet Explorer

      • embedded.exe (PID: 6744)
      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
    • Script adds exclusion path to Windows Defender

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Executes application which crashes

      • msconfig.exe (PID: 4696)
    • Found IP address in command line

      • powershell.exe (PID: 2552)
    • Script adds exclusion process to Windows Defender

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Starts process via Powershell

      • powershell.exe (PID: 2552)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5324)
    • Contacting a server suspected of hosting a CnC

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • Connects to unusual port

      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 2352)
      • RelTekAudio.exe (PID: 6692)
      • SecureBootEncodeUEFI.exe (PID: 4984)
    • Process checks Powershell history file

      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
  • INFO

    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5492)
    • Manual execution by a user

      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 4120)
      • cmd.exe (PID: 2692)
      • WinRAR.exe (PID: 3240)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 900)
      • cmd.exe (PID: 1168)
      • cmd.exe (PID: 2644)
      • cmd.exe (PID: 5324)
      • cmd.exe (PID: 5364)
      • cmd.exe (PID: 7432)
      • cmd.exe (PID: 7760)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • WMIC.exe (PID: 6876)
      • WMIC.exe (PID: 1912)
      • WMIC.exe (PID: 7840)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • The sample was compiled with English language support

      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 3304)
    • Checks supported languages

      • msconfig.exe (PID: 4696)
      • embedded.exe (PID: 6744)
      • PLUGScheduler.exe (PID: 2352)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6236)
    • Creates files in the program directory

      • svchost.exe (PID: 6872)
      • certutil.exe (PID: 5216)
      • certutil.exe (PID: 4068)
      • certutil.exe (PID: 6344)
      • certutil.exe (PID: 3140)
      • certutil.exe (PID: 4736)
      • cmd.exe (PID: 5512)
      • embedded.exe (PID: 6744)
      • powershell.exe (PID: 3304)
      • PLUGScheduler.exe (PID: 2352)
    • Reads the computer name

      • msconfig.exe (PID: 4696)
      • embedded.exe (PID: 6744)
      • PLUGScheduler.exe (PID: 2352)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
      • RelTekAudio.exe (PID: 6692)
    • Reads the machine GUID from the registry

      • embedded.exe (PID: 6744)
      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5324)
      • embedded.exe (PID: 6744)
      • explorer.exe (PID: 5492)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 644)
      • powershell.exe (PID: 1052)
      • powershell.exe (PID: 5600)
      • powershell.exe (PID: 5416)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7632)
      • powershell.exe (PID: 7984)
      • powershell.exe (PID: 8140)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 644)
      • powershell.exe (PID: 1052)
      • powershell.exe (PID: 5600)
      • powershell.exe (PID: 5416)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7632)
      • powershell.exe (PID: 7984)
      • powershell.exe (PID: 8140)
    • Process checks computer location settings

      • embedded.exe (PID: 6744)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
    • Reads the software policy settings

      • slui.exe (PID: 864)
      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
    • Process checks Powershell version

      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6236)
    • Creates files in a temporary directory

      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6236)
    • Reads Environment values

      • RelTekAudio.exe (PID: 6896)
      • RelTekAudio.exe (PID: 6692)
      • RelTekAudio.exe (PID: 6236)
    • Encodes the UEFI Secure Boot certificates

      • SecureBootEncodeUEFI.exe (PID: 4984)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

XWorm

(PID) Process: (6744) embedded.exe
C2: 83.147.240.230:7000
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.2
Mutex: htLv736bvko9rw6V

(PID) Process: (3304) powershell.exe
C2: 83.147.240.230:7000
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.2
Mutex: fUDCz9HsXdFIH9LF

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:07 13:01:40
ZipCRC: 0x4657cfe5
ZipCompressedSize: 202046
ZipUncompressedSize: 284780
ZipFileName: 83.147.240.230 (10).bat
All screenshots are available in the full report
Total processes: 386
Monitored processes: 164
Malicious processes: 10
Suspicious processes: 75


Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\SPAM.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 468
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID: 644
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\embedded.exe'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: embedded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 664
CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\Desktop\SPAM\83.147.240.230 (10).bat" C:\Users\admin\Desktop\SPAM
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 860
CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 864
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 884
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\msvcrt.dll
PID: 900
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\SPAM\83.147.240.230 (7).bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 996
CMD: C:\WINDOWS\system32\svchost.exe -k RPCSS -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcepmap.dll
c:\windows\system32\wldp.dll
Total events: 150 883
Read events: 150 580
Write events: 220
Delete events: 83

Modification events

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon
Operation: write | Name: Index | Value: 2

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Hash | Value: CDA7456BF99509A5E35E271627318ADB606F72CB542F752AFB69F292A7535F3C

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: delete value | Name: Schema | Value: (empty)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Version | Value: 1.0

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: delete value | Name: Date | Value: (empty)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: SecurityDescriptor | Value: D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Source | Value: $(@%systemroot%\system32\sppc.dll,-200)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Author | Value: $(@%systemroot%\system32\sppc.dll,-200)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Description | Value: $(@%systemroot%\system32\sppc.dll,-202)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: delete value | Name: Documentation | Value: (empty)
Executable files: 5
Suspicious files: 83
Text files: 50
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3240 | WinRAR.exe | C:\Users\admin\Desktop\SPAM\83.147.240.230 (2).bat | text
MD5: D5BBB20F091D43D0A67328B0EB6F12F8
SHA256: 3B3583E2486D9736FEC5BBB77EB0B7F151A418B525A9283170C5019C0A7EE53A

3240 | WinRAR.exe | C:\Users\admin\Desktop\SPAM\83.147.240.230 (3).bat | text
MD5: F1F94B0F9CBA91CC35A9E5F0F0963F9F
SHA256: 7CD62B603BAFABFA299F4823866CEC33AD4CAAB2F549BF1837F119B93C3F645C

1772 | svchost.exe | C:\Windows\Prefetch\SVCHOST.EXE-2E4E3AC7.pf | binary
MD5: 6D38D0F5A9E6CF41DFDC9C9A6AAE24AF
SHA256: F22F0CF8B1BFB682A7AFB224B841DD102BBC2D44C2F2E9199D8F72CC719889B0

5492 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon | xml
MD5: 8CBC84881481158749FD559D1D305C46
SHA256: F4902BEF1E82CDAB34A23A43A7F15C0D1C0A0B86E5DD187CACB75E3DF4024153

1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork | xml
MD5: 18E755C987BFC19E9243E2297F9E5973
SHA256: 28A47DB050051049E35249EA57B389E3946003173806D02064ADFCC5F46E0880

3240 | WinRAR.exe | C:\Users\admin\Desktop\SPAM\83.147.240.230 (4).bat | text
MD5: FDA9FB255D3B2B28F5AF4ADE688ED8C3
SHA256: 45CA3D764F32490B6621016D41A578A9D0670AD2E4C5DCC2B04BA7F70473EDE5

2996 | svchost.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary
MD5: 4305B5EA642EF01208023811719544BE
SHA256: 86173E593257158C38C205E23BCA65EA09595EA44E7ECBD54769D9B3D1B10EC0

3240 | WinRAR.exe | C:\Users\admin\Desktop\SPAM\83.147.240.230 (10).bat | text
MD5: 287C9E74DA646C50C4D1988F7DB67D06
SHA256: 88502DDDA4EA16F7C1D8929E681902E67895CBEE56F31CE2FC77C8420DE0A8AC

3240 | WinRAR.exe | C:\Users\admin\Desktop\SPAM\83.147.240.230 (13).bat | text
MD5: 274C8D979D3CB4A652AC711253003255
SHA256: F6A6C6C6FD7616F6EA65202084C002ECD91C52F6A34675342A83763BAA067054
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 215
TCP/UDP connections: 105
DNS requests: 31
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns carry no values in this export.)

- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
7448 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7448 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7448 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7448 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7448 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7448 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7448 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6744 | embedded.exe | 83.147.240.230:7000 | - | WINDSTREAM | US | malicious
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3304 | powershell.exe | 83.147.240.230:7000 | - | WINDSTREAM | US | malicious
7448 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7448 | SIHClient.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
  • 52.111.229.43
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.2
  • 20.190.160.67
  • 40.126.32.138
  • 20.190.160.128
  • 20.190.160.64
  • 20.190.160.66
  • 20.190.160.14
  • 20.190.160.3
  • 20.190.160.132
  • 40.126.32.76
  • 20.190.160.22
  • 20.190.160.130
  • 20.190.160.20
  • 40.126.32.136
  • 20.190.160.131
  • 20.190.160.5
whitelisted

Threats

PID | Process | Class | Message

6744 | embedded.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet
3304 | powershell.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet