File name:

explorer.exe

Full analysis: https://app.any.run/tasks/e53277b6-e3a0-4684-9497-edd7cb703fb2
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: April 15, 2025, 18:05:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xworm
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

73158E52A6BF29A478D6443F8CB2D2B5

SHA1:

515EF7E1BB30F05ABF6A8D27A1C7A02C2053386C

SHA256:

B1C0DA596252D2322AF646035E21951A7EE16982249AAEF52FB74C8C6EAF65A1

SSDEEP:

6144:+Ek9NQnodizj0u2qUmMrV5GRcYNDH0PC/A6aJz/rbBQq:+VQnAizj+mY7GRcYNDH0a/AZJzpt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Application was injected by another process

      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 1988)
      • dllhost.exe (PID: 6896)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 2996)
      • WaaSMedicAgent.exe (PID: 8044)
      • svchost.exe (PID: 7992)
      • conhost.exe (PID: 8052)
      • WmiPrvSE.exe (PID: 8180)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2880)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 2776)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 3104)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 2112)
      • MoUsoCoreWorker.exe (PID: 5496)
      • dllhost.exe (PID: 5880)
      • svchost.exe (PID: 1572)
      • uhssvc.exe (PID: 648)
      • svchost.exe (PID: 6544)
      • RuntimeBroker.exe (PID: 1036)
      • ApplicationFrameHost.exe (PID: 6952)
      • RuntimeBroker.exe (PID: 5368)
      • UserOOBEBroker.exe (PID: 1248)
      • explorer.exe (PID: 5492)
      • sihost.exe (PID: 4984)
      • RuntimeBroker.exe (PID: 6160)
      • svchost.exe (PID: 4952)
      • dwm.exe (PID: 6568)
      • ctfmon.exe (PID: 956)
      • svchost.exe (PID: 6608)
      • svchost.exe (PID: 4544)
      • svchost.exe (PID: 1684)
      • winlogon.exe (PID: 6648)
      • svchost.exe (PID: 6024)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 4916)
      • audiodg.exe (PID: 6168)
      • svchost.exe (PID: 4348)
      • dllhost.exe (PID: 6176)
      • svchost.exe (PID: 6344)
      • svchost.exe (PID: 5132)
      • svchost.exe (PID: 6180)
      • svchost.exe (PID: 644)
      • slui.exe (PID: 5960)
      • RuntimeBroker.exe (PID: 4944)
      • SppExtComObj.Exe (PID: 6476)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3084)
      • dasHost.exe (PID: 3012)
      • WerFault.exe (PID: 7656)
      • svchost.exe (PID: 668)
      • WmiPrvSE.exe (PID: 1128)

    • Runs injected code in another process

      • yqkoflp4.25c.exe (PID: 5392)
      • mdyebm4h.bgf.exe (PID: 1280)
      • km1jcpme.p5a.exe (PID: 4728)

    • Uses Task Scheduler to run other applications

      • explorer.exe (PID: 4620)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 4620)

    • Create files in the Startup directory

      • explorer.exe (PID: 4620)

    • XWORM has been detected (YARA)

      • explorer.exe (PID: 4620)

    • XWORM has been detected (SURICATA)

      • explorer.exe (PID: 4620)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 4620)

    • Connects to unusual port

      • explorer.exe (PID: 4620)

    • The process executes via Task Scheduler

      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Executes application which crashes

      • schtasks.exe (PID: 2432)

    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 4920)

  • INFO

    • Checks supported languages

      • explorer.exe (PID: 4620)
      • yqkoflp4.25c.exe (PID: 5392)
      • XClient.exe (PID: 6148)
      • mdyebm4h.bgf.exe (PID: 1280)
      • XClient.exe (PID: 2564)
      • km1jcpme.p5a.exe (PID: 4728)

    • Reads the machine GUID from the registry

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Create files in a temporary directory

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • RuntimeBroker.exe (PID: 4944)

    • Reads the computer name

      • explorer.exe (PID: 4620)
      • yqkoflp4.25c.exe (PID: 5392)
      • XClient.exe (PID: 6148)
      • mdyebm4h.bgf.exe (PID: 1280)
      • km1jcpme.p5a.exe (PID: 4728)
      • XClient.exe (PID: 2564)

    • Process checks computer location settings

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Creates files or folders in the user directory

      • explorer.exe (PID: 4620)
      • explorer.exe (PID: 5492)
      • lsass.exe (PID: 756)
      • WerFault.exe (PID: 4920)

    • Reads the software policy settings

      • WaaSMedicAgent.exe (PID: 8044)
      • slui.exe (PID: 5960)
      • slui.exe (PID: 5772)

    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 8180)
      • WmiPrvSE.exe (PID: 1128)

    • Reads the time zone

      • WmiPrvSE.exe (PID: 8180)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 668)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)

    • Checks proxy server information

      • slui.exe (PID: 5772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(4620) explorer.exe
C2iraq-roses.gl.at.ply.gg:64231
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameNoMoreLife
Mutex2F7K0EVP0oiIMKzW
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:10:05 05:32:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 254464
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0x4003e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: MasonRootkit.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: MasonRootkit.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
155
Monitored processes
114
Malicious processes
92
Suspicious processes
7

Behavior graph

Click at the process to see the details
start #XWORM explorer.exe yqkoflp4.25c.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe waasmedicagent.exe conhost.exe svchost.exe wmiprvse.exe slui.exe xclient.exe mdyebm4h.bgf.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs runtimebroker.exe xclient.exe km1jcpme.p5a.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe conhost.exe no specs svchost.exe werfault.exe werfault.exe no specs wmiprvse.exe svchost.exe svchost.exe uhssvc.exe lsass.exe svchost.exe ctfmon.exe runtimebroker.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe runtimebroker.exe explorer.exe mousocoreworker.exe dllhost.exe slui.exe svchost.exe runtimebroker.exe audiodg.exe dllhost.exe svchost.exe svchost.exe sppextcomobj.exe explorer.exe no specs svchost.exe dwm.exe svchost.exe winlogon.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
468C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
644C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhostsC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
648"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
668C:\WINDOWS\System32\svchost.exe -k WerSvcGroupC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wersvc.dll
c:\windows\system32\msvcrt.dll
756C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
860C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvcC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
956"ctfmon.exe"C:\Windows\System32\ctfmon.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CTF Loader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1036C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
1044C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1128C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\System32\wbem\WmiPrvSE.exe
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Provider Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\combase.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\ucrtbase.dll
Total events
33 000
Read events
32 699
Write events
199
Delete events
102

Modification events

(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:writeName:refreshAfter
Value:
CFFAEA33FAAEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:delete valueName:ETag
Value:
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:delete valueName:refreshAfter
Value:
𢡊㏪껺Ǜ
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:WaaSOutOfDateState
Value:
0
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:WaasAssessmentCheckTimestamp
Value:
5022810931AEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:UpToDateStatusRecalcTimestamp
Value:
5022810931AEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:ActiveHoursStart
Value:
10
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:ActiveHoursEnd
Value:
18
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000006D0073006D000000
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010013000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001400000000000000630061006C006C0065006400760061006C007500650073002E0070006E0067003E00200020000000150000000000000063006F006D0070007500740065007200730074006F006E0065002E007200740066003E00200020000000150000000000000063006F00720070006F007200610074006500730065006C0066002E006A00700067003E0020002000000016000000000000006500780069007300740069006E0067006500660066006500630074002E0070006E0067003E002000200000001700000000000000680065006100720064006E0061007600690067006100740069006F006E002E006A00700067003E0020002000000011000000000000006D006F007300740061006C00620075006D002E006A00700067003E00200020000000120000000000000070006F007300690074006900760065006D0064002E007200740066003E0020002000000010000000000000007200650061006C0061007700610079002E007200740066003E002000200000001000000000000000730074006100660066007000610079002E0070006E0067003E002000200000000F000000000000007700650065006B007900650073002E007200740066003E0020002000000010000000000000006500780070006C006F007200650072002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001300000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A0401100000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000001200
Executable files
4
Suspicious files
37
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
1772svchost.exeC:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pfbinary
MD5:2A02A912A188CF2B44E0B2600F480460
SHA256:1E0CDADD10396811B05C193876898B308179A10FBF419CE129D7A0B39BBFBC3B
1772svchost.exeC:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pfbinary
MD5:C7C6C488F79A311C12690604999E7FD7
SHA256:C452BF673753AA88E4DA2F8734DB35F638249F58D9707751CA45232D9DA1D670
1772svchost.exeC:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pfbinary
MD5:23B9E867DDDFD72EC29957846B43BBFF
SHA256:B47274E9E14CBCFC675F3C465C020F2942916275A9447337BF93D0A231FA56C5
1260svchost.exeC:\Windows\System32\Tasks\Masonexplorer.exebinary
MD5:DF72B9094A390993052B0A9A4842AEF3
SHA256:86D9307EB4F69C033A5E31F340D5DE4BACAEA365053FFDD9FA503DF907537109
1772svchost.exeC:\Windows\Prefetch\WAASMEDICAGENT.EXE-ED0D7511.pfbinary
MD5:BE04089CEFCB7F90D2987470624EBEEE
SHA256:A05C46AAE78FF5E36CAF2A7D5246C17287731361261075FDC382C963C03D9C89
4620explorer.exeC:\Users\admin\AppData\Roaming\XClient.exeexecutable
MD5:73158E52A6BF29A478D6443F8CB2D2B5
SHA256:B1C0DA596252D2322AF646035E21951A7EE16982249AAEF52FB74C8C6EAF65A1
1772svchost.exeC:\Windows\Prefetch\YQKOFLP4.25C.EXE-F54C3980.pfbinary
MD5:31084FB070FDECD18D190C032A4D8050
SHA256:5364FDBA675151D878A6E5C5C262CC2B1490B9CDBE8735F84537E76F38710B50
1772svchost.exeC:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pfbinary
MD5:2D142F433350EE43B2F1ABA93E52A448
SHA256:32467759B971D3C4A70C37CCD6E7372550667163A40630FE3C5EE742BC79C70B
1772svchost.exeC:\Windows\Prefetch\SPPEXTCOMOBJ.EXE-BB03B3D6.pfbinary
MD5:4C28D2ECEACDF7E2DA6200F1DC41FA3F
SHA256:016A8C944E861030249FBDDB944F1892D4D36D1D8285E1A1363402742CA40DE5
1772svchost.exeC:\Windows\Prefetch\SVCHOST.EXE-EBA34E64.pfbinary
MD5:424678DDBE857CDA692E0EBF3D89BC7A
SHA256:8C8E7122E98FCED32107EB63A6F33F097E049B5594D06B5D5B9A095134B8551E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
54
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7416
SIHClient.exe
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
7416
SIHClient.exe
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 23.48.23.193
  • 23.48.23.146
  • 23.48.23.192
  • 23.48.23.137
  • 23.48.23.194
  • 23.48.23.147
  • 23.48.23.190
  • 23.48.23.141
  • 23.48.23.191
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.0
  • 20.190.159.130
  • 40.126.31.129
  • 40.126.31.1
  • 40.126.31.3
  • 20.190.159.64
  • 40.126.31.2
whitelisted
iraq-roses.gl.at.ply.gg
  • 147.185.221.20
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
4620
explorer.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
explorer.exe