File name: XClient.exe
Full analysis: https://app.any.run/tasks/6a32dfff-451b-4db3-9fa6-fe3bbbbae87c
Verdict: Malicious activity
Threats:

Stealers are a category of malware built to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords and cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: January 07, 2024, 10:38:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
xworm
remote
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: F50F01420EDEB9CF27F28AFE7EC88F85
SHA1: 6BB68B69A216279398E55129C63893DAC7AE882C
SHA256: B1BEE9930297CA06DF591B2B0A4CAD3BDAA9DF7A6219E4954ECE082E9BCAB945
SSDEEP: 1536:YhMSpD/fN0oAaR7gRG2eawbKK0nxRv0o6+GkOebOS16YJ:Yn/OoA02eawbKK+xRv0anbOS16U
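Added example, not part of the ANY.RUN report: a small Python triage helper that hashes a candidate file against the three digests above and parses the PE headers to confirm the "Mono/.Net assembly" property from the file-info line (a populated CLR runtime directory, slot 14 of the optional header's data directories). The IOC hashes are the ones listed above; the minimal PE images used for the self-test are constructed inside the block and are not derived from the sample.

```python
"""Added triage helper: hash a file against the report's IOCs and check the
PE headers for a CLR (.NET) runtime directory.  Not part of the ANY.RUN
report; the PE images built by build_test_pe() are constructed for self-test."""
import hashlib
import struct

# IOC hashes copied from the report, lower-cased for comparison.
IOC_HASHES = {
    "md5": "f50f01420edeb9cf27f28afe7ec88f85",
    "sha1": "6bb68b69a216279398e55129c63893dac7ae882c",
    "sha256": "b1bee9930297ca06df591b2b0a4cad3bdaa9df7a6219e4954ece082e9bcab945",
}

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header slot


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes, keyed like IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def matches_ioc(data: bytes) -> bool:
    """True if any digest equals the report's hash for that algorithm."""
    return any(IOC_HASHES[name] == digest for name, digest in file_hashes(data).items())


def pe_info(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers; raise ValueError if not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                   # PE32
        bits, ndirs_off, dirs_off = 32, 92, 96
    elif magic == 0x20B:                 # PE32+
        bits, ndirs_off, dirs_off = 64, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    clr_rva = clr_size = 0
    slot = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if ndirs > slot and dirs_off + (slot + 1) * 8 <= opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + slot * 8)
    return {"machine": machine, "bits": bits,
            "is_dotnet": clr_rva != 0 and clr_size != 0}


def triage(path: str) -> dict:
    """Hash and header summary for a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    info = pe_info(data)
    info.update(file_hashes(data))
    info["ioc_match"] = matches_ioc(data)
    return info


def build_test_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 (headers only) for the self-test;
    not derived from the sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows DOS header
    opt_size = 96 + 16 * 8                         # PE32 fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)  # i386, exe, 32-bit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, triage(p))
```

A hash hit is the only result that ties a file to this exact sample; the CLR-header check just confirms the file class, since XWorm clients are rebuilt per campaign and a different build will not share these digests.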

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

That caveat applies to this task: the report marks Chrome, Edge, IME and Windows Media Player components as manually executed, and several of the MALICIOUS signatures below (autorun value changed, file created in the Startup directory, browser credentials read) fire on those Windows and installer processes (unregmp2.exe, regsvr32.exe, setup.exe, taskhost.exe) rather than on the sample. Only the signatures attributed to XClient.exe (PID 124) describe the sample's own behaviour.
  • MALICIOUS

    • XWORM has been detected (YARA)

      • XClient.exe (PID: 124)
    • Actions look like stealing of personal data

      • XClient.exe (PID: 124)
    • Changes the autorun value in the registry

      • unregmp2.exe (PID: 3092)
      • regsvr32.exe (PID: 3152)
    • Steals credentials from Web Browsers

      • setup.exe (PID: 3264)
      • taskhost.exe (PID: 1992)
    • Creates files in the Startup directory

      • regsvr32.exe (PID: 3152)
  • SUSPICIOUS

    • Reads the Internet Settings

      • XClient.exe (PID: 124)
      • ie4uinit.exe (PID: 3068)
      • taskhost.exe (PID: 1992)
      • rundll32.exe (PID: 2972)
      • rundll32.exe (PID: 3024)
      • ie4uinit.exe (PID: 3144)
      • ie4uinit.exe (PID: 1408)
    • Shuts down or reboots the system

      • XClient.exe (PID: 124)
    • Changes internet zones settings

      • ie4uinit.exe (PID: 3068)
    • Reads Internet Explorer settings

      • ie4uinit.exe (PID: 3068)
    • Reads Microsoft Outlook installation path

      • ie4uinit.exe (PID: 3068)
    • Uses rundll32.exe to load a library

      • ie4uinit.exe (PID: 3068)
      • rundll32.exe (PID: 2972)
    • Write to the desktop.ini file (may be used to cloak folders)

      • ie4uinit.exe (PID: 3068)
      • unregmp2.exe (PID: 3092)
      • regsvr32.exe (PID: 3152)
    • Changes default file association

      • unregmp2.exe (PID: 3092)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 2844)
    • Loads a DLL from Mozilla Firefox

      • XClient.exe (PID: 124)
    • Reads browser cookies

      • XClient.exe (PID: 124)
  • INFO

    • Drops an executable file immediately after start

      • XClient.exe (PID: 124)
      • chrome.exe (PID: 3388)
      • chrome.exe (PID: 3832)
    • Reads the computer name

      • XClient.exe (PID: 124)
      • setup.exe (PID: 3332)
      • IMEKLMG.EXE (PID: 3520)
      • IMEKLMG.EXE (PID: 3528)
      • setup.exe (PID: 3300)
      • wmpnscfg.exe (PID: 1172)
      • wmpnscfg.exe (PID: 3740)
    • Checks supported languages

      • XClient.exe (PID: 124)
      • setup.exe (PID: 3264)
      • setup.exe (PID: 3332)
      • setup.exe (PID: 3300)
      • IMEKLMG.EXE (PID: 3528)
      • IMEKLMG.EXE (PID: 3520)
      • IMKRMIG.EXE (PID: 3500)
      • wmpnscfg.exe (PID: 1172)
      • wmpnscfg.exe (PID: 3740)
    • Reads the machine GUID from the registry

      • XClient.exe (PID: 124)
    • Checks for external IP

      • XClient.exe (PID: 124)
    • Reads Environment values

      • XClient.exe (PID: 124)
    • Connects to an unusual port

      • XClient.exe (PID: 124)
    • Steals credentials

      • XClient.exe (PID: 124)
    • Creates files in a temporary directory

      • XClient.exe (PID: 124)
    • Connects to the CnC server

      • XClient.exe (PID: 124)
    • XWORM has been detected (SURICATA)

      • XClient.exe (PID: 124)
    • Manual execution by a user

      • ie4uinit.exe (PID: 3068)
      • ie4uinit.exe (PID: 1408)
      • unregmp2.exe (PID: 3092)
      • ie4uinit.exe (PID: 3144)
      • regsvr32.exe (PID: 3152)
      • chrmstp.exe (PID: 3124)
      • setup.exe (PID: 3264)
      • IMEKLMG.EXE (PID: 3528)
      • IMEKLMG.EXE (PID: 3520)
      • wmpnscfg.exe (PID: 1172)
      • wmpnscfg.exe (PID: 3740)
      • chrome.exe (PID: 3776)
    • Application launched itself

      • ie4uinit.exe (PID: 3068)
      • rundll32.exe (PID: 2972)
      • setup.exe (PID: 3264)
      • chrmstp.exe (PID: 3124)
      • chrmstp.exe (PID: 2868)
      • msedge.exe (PID: 3320)
      • chrome.exe (PID: 3776)
      • chrmstp.exe (PID: 1628)
      • chrmstp.exe (PID: 3128)
    • Reads security settings of Internet Explorer

      • ie4uinit.exe (PID: 3068)
      • sipnotify.exe (PID: 2844)
    • Creates files in the program directory

      • ie4uinit.exe (PID: 3068)
      • chrmstp.exe (PID: 2868)
      • chrmstp.exe (PID: 3124)
      • setup.exe (PID: 3332)
      • setup.exe (PID: 3264)
      • setup.exe (PID: 3300)
      • chrome.exe (PID: 3776)
      • chrmstp.exe (PID: 3128)
      • chrmstp.exe (PID: 1628)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 3528)
      • IMEKLMG.EXE (PID: 3520)
    • Executes as a Windows service

      • EOSNotify.exe (PID: 2092)
      • taskhost.exe (PID: 1992)
    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 2844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:07 11:36:27+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 68608
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x12bbe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: XClient.exe
LegalCopyright:
OriginalFileName: XClient.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 115
Monitored processes: 64
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Processes as listed in the graph (entries marked "no specs" have no indicators attached):
start → #XWORM xclient.exe, shutdown.exe (no specs), dllhost.exe (no specs), taskhost.exe, sipnotify.exe, ie4uinit.exe (no specs), ie4uinit.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), ie4uinit.exe (no specs), unregmp2.exe, ie4uinit.exe (no specs), regsvr32.exe, chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), setup.exe, setup.exe (no specs), setup.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), imeklmg.exe (no specs), imeklmg.exe (no specs), imkrmig.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), wmpnscfg.exe (no specs), wmpnscfg.exe (no specs), eosnotify.exe (no specs), chrome.exe, chrome.exe (no specs), chrome.exe (no specs), chrome.exe, chrome.exe (no specs) ×10, chrmstp.exe (no specs), chrome.exe (no specs), chrmstp.exe (no specs) ×3, chrome.exe (no specs) ×11, software_reporter_tool.exe (no specs), chrome.exe (no specs)

Process information

Each entry gives the PID, command line, image path and parent process, followed by user, integrity level, exit code, version and the first loaded modules.

PID: 116
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1396 --field-trial-handle=1276,i,171039507668029431,15247290664659931574,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 124
CMD: "C:\Users\admin\AppData\Local\Temp\XClient.exe"
Path: C:\Users\admin\AppData\Local\Temp\XClient.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
1073807364 (0x40010004, DBG_TERMINATE_PROCESS: the process did not return on its own but was terminated externally, for example by the sandbox when the task ended)
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 308
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1168,i,8635382299967443116,2332883644874889662,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
Administrator
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 464
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1168,i,8635382299967443116,2332883644874889662,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
Administrator
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 560
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1248 --field-trial-handle=1276,i,171039507668029431,15247290664659931574,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 632
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3440 --field-trial-handle=1168,i,8635382299967443116,2332883644874889662,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
Administrator
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 880
CMD: C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
Path: C:\Windows\System32\rundll32.exe
Parent process: ie4uinit.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 948
CMD: C:\Windows\System32\ie4uinit.exe -ClearIconCache
Path: C:\Windows\System32\ie4uinit.exe
Parent process: ie4uinit.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
IE Per-User Initialization Utility
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\ie4uinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1172
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1308
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1340 --field-trial-handle=1168,i,8635382299967443116,2332883644874889662,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
Administrator
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 12 844
Read events: 11 974
Write events: 856
Delete events: 14

Modification events

PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
  Operation: write  Name: Attributes  Value: 0
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
  Operation: delete key  Name: (default)  Value: (none)
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
  Operation: write  Name: IEPropFontName  Value: Times New Roman
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
  Operation: write  Name: IEFixedFontName  Value: Courier New
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4
  Operation: write  Name: IEPropFontName  Value: Times New Roman
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4
  Operation: write  Name: IEFixedFontName  Value: Courier New
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5
  Operation: write  Name: IEPropFontName  Value: Times New Roman
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5
  Operation: write  Name: IEFixedFontName  Value: Courier New
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6
  Operation: write  Name: IEPropFontName  Value: Times New Roman
PID 3068, ie4uinit.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6
  Operation: write  Name: IEFixedFontName  Value: Courier New
Executable files: 14
Suspicious files: 452
Text files: 161
Unknown types: 14

Dropped files

PID 124, XClient.exe: C:\Users\admin\AppData\Local\Temp\places.raw (type and hashes not recorded)
PID 124, XClient.exe: C:\Users\admin\AppData\Local\Temp\tmpC882.tmp.dat (type and hashes not recorded)
PID 124, XClient.exe: C:\Users\admin\AppData\Local\Temp\tmpC706.tmp.dat (binary)
  MD5: 52E51471E9281235323F633CD0DEA56C
  SHA256: 147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0
PID 3068, ie4uinit.exe: C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml (xml)
  MD5: CAEEF699DDB055C4BCF9EED5AA412F20
  SHA256: 395D4587E1A057E7369B95563BE2DD37BC55988318180668779BDF2E6590FE42
PID 1992, taskhost.exe: C:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log (binary)
  MD5: D15FB7D81C0264CDE7EF7E1208754F2A
  SHA256: 94C8C7D5B7DF403FD57DA36C6BCC7B2E498E14254A88EE8076E8AD9395652365
PID 124, XClient.exe: C:\Users\admin\AppData\Local\Temp\tmpC7D3.tmp.dat (binary)
  MD5: FBD34F0AB5E3F18371CF71395F40C3C5
  SHA256: 17C9F4CB0FA71685013A864174352D87B1FE35CC3F3B499DF92EEDA3ABB8F862
PID 124, XClient.exe: C:\Users\admin\AppData\Local\Temp\tmpCA19.tmp.dat (binary)
  MD5: 03EF1C0012EE77CDA2C2CB36DFBDA123
  SHA256: 800D734016D8FBCDE263D8CD2411167406C544FC090A5DCBD2D374CABF918B86
PID 3024, rundll32.exe: C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\ZECYQ8BR\fwlink[1] (type and hashes not recorded)
PID 3024, rundll32.exe: C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\WAW40Y8G\fwlink[1] (type and hashes not recorded)
PID 3024, rundll32.exe: C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\RUM8PTXO\fwlink[1] (type and hashes not recorded)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 28
DNS requests: 30
Threats: 34

HTTP requests

Each entry gives PID and process, method and HTTP code, server IP:port, URL, certificate CN, response type and size, and reputation.

PID 2844 sipnotify.exe | HEAD 200 | 88.221.61.151:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133490976508230000 | CN: unknown | reputation: unknown
PID 2844 sipnotify.exe | GET 200 | 88.221.61.151:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133490976508230000 | CN: unknown | compressed, 78.4 Kb | reputation: unknown
PID 124 XClient.exe | GET 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | CN: unknown | text, 6 b | reputation: unknown
PID 856 svchost.exe | HEAD 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acf5iuk6pnjlc6lnxtqm5ki6eoqq_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win_aclnpjhtsv44pze3qmxsxb7fq66q.crx3 | CN: unknown | reputation: unknown
PID 1308 chrome.exe | GET 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | CN: unknown | binary, 242 Kb | reputation: unknown
PID 856 svchost.exe | GET 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acf5iuk6pnjlc6lnxtqm5ki6eoqq_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win_aclnpjhtsv44pze3qmxsxb7fq66q.crx3 | CN: unknown | binary, 7.82 Kb | reputation: unknown
PID 856 svchost.exe | GET 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acf5iuk6pnjlc6lnxtqm5ki6eoqq_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win_aclnpjhtsv44pze3qmxsxb7fq66q.crx3 | CN: unknown | binary, 10.5 Kb | reputation: unknown
PID 856 svchost.exe | GET 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acf5iuk6pnjlc6lnxtqm5ki6eoqq_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win_aclnpjhtsv44pze3qmxsxb7fq66q.crx3 | CN: unknown | binary, 5.48 Kb | reputation: unknown
PID 856 svchost.exe | GET 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acf5iuk6pnjlc6lnxtqm5ki6eoqq_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win_aclnpjhtsv44pze3qmxsxb7fq66q.crx3 | CN: unknown | binary, 15.7 Kb | reputation: unknown
PID 856 svchost.exe | GET 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acf5iuk6pnjlc6lnxtqm5ki6eoqq_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win_aclnpjhtsv44pze3qmxsxb7fq66q.crx3 | CN: unknown | binary, 11.0 Kb | reputation: unknown

Connections

Each entry gives PID and process, remote IP:port, resolved domain, ASN, country and reputation.

PID 4 System | 192.168.100.255:137 | whitelisted
PID 4 System | 192.168.100.255:138 | whitelisted
PID 1080 svchost.exe | 224.0.0.252:5355 | unknown
PID 124 XClient.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
PID 124 XClient.exe | 147.185.221.16:46469 | northern-sept.gl.at.ply.gg | PLAYIT-GG | US | malicious
PID 2844 sipnotify.exe | 88.221.61.151:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | DE | unknown
PID 3776 chrome.exe | 239.255.255.250:1900 | whitelisted
PID 1308 chrome.exe | 142.250.185.67:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
PID 1308 chrome.exe | 74.125.8.72:443 | r3---sn-5hneknee.gvt1.com | whitelisted
PID 1308 chrome.exe | 142.250.185.78:443 | clients2.google.com | GOOGLE | US | whitelisted

The one connection marked malicious is the sample's C2 channel, and it goes through playit.gg (ASN PLAYIT-GG), a public TCP/UDP tunnelling service: 147.185.221.16:46469 is an address and port on the tunnel provider's edge, not the operator's own host, and both can be reassigned. Blocking or hunting on the hostname northern-sept.gl.at.ply.gg (and on *.ply.gg traffic generally) is more durable than on the IP or port.

DNS requests

Domain → resolved IP (reputation):
ip-api.com → 208.95.112.1 (shared)
northern-sept.gl.at.ply.gg → 147.185.221.16 (malicious)
query.prod.cms.rt.microsoft.com → 88.221.61.151 (whitelisted)
clientservices.googleapis.com → 142.250.185.67 (whitelisted)
clients2.google.com → 142.250.185.78 (whitelisted)
redirector.gvt1.com → 172.217.18.14 (whitelisted)
accounts.google.com → 74.125.71.84 (shared)
r3---sn-5hneknee.gvt1.com → 74.125.8.72 (whitelisted)
clients2.googleusercontent.com → 216.58.212.161 (whitelisted)
edgedl.me.gvt1.com → 34.104.35.123 (whitelisted)

Threats

Each entry gives PID and process, alert class and signature message.

PID 124 XClient.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
PID 124 XClient.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
PID 124 XClient.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
PID 1080 svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
PID 124 XClient.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet

The playit.gg DNS alert is attributed to svchost.exe (PID 1080) because the Windows DNS Client service performs name resolution on behalf of other processes; the requester is XClient.exe, which is the process that then connects to the resolved address (see Connections).
29 ETPRO signatures available at the full report
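Added example, not part of the ANY.RUN report or of any vendor ruleset: the network alerts above are each a weak signal on its own (an external-IP lookup is a policy hit, a tunnelling-service hostname is an INFO hit), but in this task both came from the same process and the tunnel connection used an unusual port. The Python below correlates those per-event signals into one per-process finding. The event list is constructed from the report's HTTP and connection tables; the service lists, the port list and the severity rules are this example's own assumptions.

```python
"""Added example, not part of the ANY.RUN report or of any vendor ruleset:
turn per-event network signals (external-IP lookup, tunnelling-service
hostname, unusual port) into one finding per process.  SAMPLE_EVENTS is
constructed from the report's tables; the lists below are assumptions."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed lists; extend them from your own intel.
EXTERNAL_IP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com"}
TUNNEL_SUFFIXES = (".ply.gg", ".playit.gg", ".ngrok.io", ".ngrok-free.app")
EXPECTED_PORTS = {53, 80, 443, 137, 138, 1900, 5355}

SAMPLE_EVENTS = [  # constructed from the report; kind is "http" or "conn"
    {"pid": 124, "proc": "XClient.exe", "kind": "http",
     "url": "http://ip-api.com/line/?fields=hosting"},
    {"pid": 124, "proc": "XClient.exe", "kind": "conn",
     "ip": "208.95.112.1", "port": 80, "domain": "ip-api.com"},
    {"pid": 124, "proc": "XClient.exe", "kind": "conn",
     "ip": "147.185.221.16", "port": 46469, "domain": "northern-sept.gl.at.ply.gg"},
    {"pid": 2844, "proc": "sipnotify.exe", "kind": "conn",
     "ip": "88.221.61.151", "port": 80, "domain": "query.prod.cms.rt.microsoft.com"},
    {"pid": 1308, "proc": "chrome.exe", "kind": "conn",
     "ip": "142.250.185.67", "port": 443, "domain": "clientservices.googleapis.com"},
]


def classify(event: dict) -> set:
    """Tags for one event, roughly one per single-signature alert."""
    tags = set()
    if event["kind"] == "http":
        url = urlsplit(event["url"])
        if url.hostname in EXTERNAL_IP_SERVICES:
            tags.add("external_ip_lookup")
            # ip-api's "hosting" field reports whether the caller's IP belongs
            # to a hosting/datacenter range; asking for only that field is a
            # VM/sandbox check rather than a geolocation query.
            fields = parse_qs(url.query).get("fields", [""])[0].split(",")
            if "hosting" in fields:
                tags.add("hosting_check")
        return tags
    domain = event.get("domain", "")
    if domain in EXTERNAL_IP_SERVICES:
        tags.add("external_ip_lookup")
    if domain.endswith(TUNNEL_SUFFIXES):
        tags.add("tunnel_domain")
        if event["port"] not in EXPECTED_PORTS:
            # The port is allocated by the tunnel provider, so it is the
            # pairing with a tunnel hostname that matters, not the number.
            tags.add("tunnel_unusual_port")
    return tags


def correlate(events: list) -> list:
    """One finding per PID that tripped at least one rule."""
    per_pid, names = defaultdict(set), {}
    for ev in events:
        per_pid[ev["pid"]] |= classify(ev)
        names[ev["pid"]] = ev["proc"]
    findings = []
    for pid, tags in per_pid.items():
        if "tunnel_unusual_port" in tags and "external_ip_lookup" in tags:
            severity = "high"    # recon plus reverse tunnel from one process: RAT C2 pattern
        elif "tunnel_domain" in tags:
            severity = "medium"
        elif "external_ip_lookup" in tags:
            severity = "low"
        else:
            continue
        findings.append({"pid": pid, "proc": names[pid],
                         "severity": severity, "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the report's data this yields a single high-severity finding for PID 124: the ip-api.com request with `fields=hosting`, then the connection to northern-sept.gl.at.ply.gg:46469, which is exactly the one connection the report marks malicious. The browser and sipnotify.exe traffic produces no tags at all.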
No debug info