File name:

explorer.exe

Full analysis: https://app.any.run/tasks/e53277b6-e3a0-4684-9497-edd7cb703fb2
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: April 15, 2025, 18:05:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xworm
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

73158E52A6BF29A478D6443F8CB2D2B5

SHA1:

515EF7E1BB30F05ABF6A8D27A1C7A02C2053386C

SHA256:

B1C0DA596252D2322AF646035E21951A7EE16982249AAEF52FB74C8C6EAF65A1

SSDEEP:

6144:+Ek9NQnodizj0u2qUmMrV5GRcYNDH0PC/A6aJz/rbBQq:+VQnAizj+mY7GRcYNDH0a/AZJzpt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Application was injected by another process

      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 2996)
      • dllhost.exe (PID: 6896)
      • svchost.exe (PID: 7992)
      • WmiPrvSE.exe (PID: 8180)
      • WaaSMedicAgent.exe (PID: 8044)
      • conhost.exe (PID: 8052)
      • svchost.exe (PID: 2624)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 2776)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2932)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 3104)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 2112)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 4312)
      • dllhost.exe (PID: 5880)
      • MoUsoCoreWorker.exe (PID: 5496)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 1572)
      • uhssvc.exe (PID: 648)
      • RuntimeBroker.exe (PID: 6160)
      • ctfmon.exe (PID: 956)
      • explorer.exe (PID: 5492)
      • RuntimeBroker.exe (PID: 5368)
      • svchost.exe (PID: 6608)
      • sihost.exe (PID: 4984)
      • winlogon.exe (PID: 6648)
      • svchost.exe (PID: 4544)
      • svchost.exe (PID: 4952)
      • svchost.exe (PID: 1684)
      • svchost.exe (PID: 6024)
      • dwm.exe (PID: 6568)
      • svchost.exe (PID: 4348)
      • svchost.exe (PID: 6344)
      • svchost.exe (PID: 644)
      • svchost.exe (PID: 6180)
      • slui.exe (PID: 5960)
      • SppExtComObj.Exe (PID: 6476)
      • RuntimeBroker.exe (PID: 1036)
      • UserOOBEBroker.exe (PID: 1248)
      • svchost.exe (PID: 6544)
      • ApplicationFrameHost.exe (PID: 6952)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 4916)
      • audiodg.exe (PID: 6168)
      • dllhost.exe (PID: 6176)
      • svchost.exe (PID: 5132)
      • RuntimeBroker.exe (PID: 4944)
      • WmiPrvSE.exe (PID: 1128)
      • WerFault.exe (PID: 7656)
      • svchost.exe (PID: 668)

    • Runs injected code in another process

      • yqkoflp4.25c.exe (PID: 5392)
      • mdyebm4h.bgf.exe (PID: 1280)
      • km1jcpme.p5a.exe (PID: 4728)

    • Uses Task Scheduler to run other applications

      • explorer.exe (PID: 4620)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 4620)

    • Create files in the Startup directory

      • explorer.exe (PID: 4620)

    • XWORM has been detected (YARA)

      • explorer.exe (PID: 4620)

    • XWORM has been detected (SURICATA)

      • explorer.exe (PID: 4620)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • The process executes via Task Scheduler

      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Connects to unusual port

      • explorer.exe (PID: 4620)

    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 4620)

    • Executes application which crashes

      • schtasks.exe (PID: 2432)

    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 4920)

  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • RuntimeBroker.exe (PID: 4944)

    • Checks supported languages

      • explorer.exe (PID: 4620)
      • yqkoflp4.25c.exe (PID: 5392)
      • XClient.exe (PID: 6148)
      • mdyebm4h.bgf.exe (PID: 1280)
      • XClient.exe (PID: 2564)
      • km1jcpme.p5a.exe (PID: 4728)

    • Reads the machine GUID from the registry

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Reads the computer name

      • explorer.exe (PID: 4620)
      • yqkoflp4.25c.exe (PID: 5392)
      • XClient.exe (PID: 6148)
      • mdyebm4h.bgf.exe (PID: 1280)
      • XClient.exe (PID: 2564)
      • km1jcpme.p5a.exe (PID: 4728)

    • Create files in a temporary directory

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Process checks computer location settings

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)

    • Creates files or folders in the user directory

      • explorer.exe (PID: 4620)
      • explorer.exe (PID: 5492)
      • lsass.exe (PID: 756)
      • WerFault.exe (PID: 4920)

    • Reads the software policy settings

      • WaaSMedicAgent.exe (PID: 8044)
      • slui.exe (PID: 5960)
      • slui.exe (PID: 5772)

    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 8180)
      • WmiPrvSE.exe (PID: 1128)

    • Reads the time zone

      • WmiPrvSE.exe (PID: 8180)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 668)

    • Checks proxy server information

      • slui.exe (PID: 5772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(4620) explorer.exe
C2iraq-roses.gl.at.ply.gg:64231
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameNoMoreLife
Mutex2F7K0EVP0oiIMKzW
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:10:05 05:32:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 254464
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0x4003e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: MasonRootkit.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: MasonRootkit.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
155
Monitored processes
114
Malicious processes
92
Suspicious processes
7

Behavior graph

Click at the process to see the details
start #XWORM explorer.exe yqkoflp4.25c.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe waasmedicagent.exe conhost.exe svchost.exe wmiprvse.exe slui.exe xclient.exe mdyebm4h.bgf.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs runtimebroker.exe xclient.exe km1jcpme.p5a.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe conhost.exe no specs svchost.exe werfault.exe werfault.exe no specs wmiprvse.exe svchost.exe svchost.exe uhssvc.exe lsass.exe svchost.exe ctfmon.exe runtimebroker.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe runtimebroker.exe explorer.exe mousocoreworker.exe dllhost.exe slui.exe svchost.exe runtimebroker.exe audiodg.exe dllhost.exe svchost.exe svchost.exe sppextcomobj.exe explorer.exe no specs svchost.exe dwm.exe svchost.exe winlogon.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
468C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
644C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhostsC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
648"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
668C:\WINDOWS\System32\svchost.exe -k WerSvcGroupC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wersvc.dll
c:\windows\system32\msvcrt.dll
756C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
860C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvcC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
956"ctfmon.exe"C:\Windows\System32\ctfmon.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CTF Loader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1036C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
1044C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1128C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\System32\wbem\WmiPrvSE.exe
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Provider Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\combase.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\ucrtbase.dll
Total events
33 000
Read events
32 699
Write events
199
Delete events
102

Modification events

(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:writeName:refreshAfter
Value:
CFFAEA33FAAEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:delete valueName:ETag
Value:
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:delete valueName:refreshAfter
Value:
𢡊㏪껺Ǜ
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:WaaSOutOfDateState
Value:
0
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:WaasAssessmentCheckTimestamp
Value:
5022810931AEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:UpToDateStatusRecalcTimestamp
Value:
5022810931AEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:ActiveHoursStart
Value:
10
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:ActiveHoursEnd
Value:
18
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000006D0073006D000000
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010013000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001400000000000000630061006C006C0065006400760061006C007500650073002E0070006E0067003E00200020000000150000000000000063006F006D0070007500740065007200730074006F006E0065002E007200740066003E00200020000000150000000000000063006F00720070006F007200610074006500730065006C0066002E006A00700067003E0020002000000016000000000000006500780069007300740069006E0067006500660066006500630074002E0070006E0067003E002000200000001700000000000000680065006100720064006E0061007600690067006100740069006F006E002E006A00700067003E0020002000000011000000000000006D006F007300740061006C00620075006D002E006A00700067003E00200020000000120000000000000070006F007300690074006900760065006D0064002E007200740066003E0020002000000010000000000000007200650061006C0061007700610079002E007200740066003E002000200000001000000000000000730074006100660066007000610079002E0070006E0067003E002000200000000F000000000000007700650065006B007900650073002E007200740066003E0020002000000010000000000000006500780070006C006F007200650072002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001300000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A0401100000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000001200
Executable files
4
Suspicious files
37
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
1772svchost.exeC:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pfbinary
MD5:2A02A912A188CF2B44E0B2600F480460
SHA256:1E0CDADD10396811B05C193876898B308179A10FBF419CE129D7A0B39BBFBC3B
6896dllhost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkbinary
MD5:E313E6FAE3209AADA08F9555EC656479
SHA256:A7C3F81F6A785EDAD90CA02F02D7FBCBBCCC711A00F924D1AA8ED18284CF7F87
4620explorer.exeC:\Users\admin\AppData\Local\Temp\yqkoflp4.25c.exeexecutable
MD5:94F1AB3A068F83B32639579EC9C5D025
SHA256:879CC20B41635709BB304E315AAA5CA4708B480A1BFC2F4935FCF2215188EFB0
1772svchost.exeC:\Windows\Prefetch\SPPEXTCOMOBJ.EXE-BB03B3D6.pfbinary
MD5:4C28D2ECEACDF7E2DA6200F1DC41FA3F
SHA256:016A8C944E861030249FBDDB944F1892D4D36D1D8285E1A1363402742CA40DE5
1772svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:F0728865EBC4FCB519B073B4FA03C3C2
SHA256:2045455FF7B9DF3C8E135B7A5A7BA3BEBF137F782D4649B183E409398F182BE9
1772svchost.exeC:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pfbinary
MD5:C7C6C488F79A311C12690604999E7FD7
SHA256:C452BF673753AA88E4DA2F8734DB35F638249F58D9707751CA45232D9DA1D670
1260svchost.exeC:\Windows\System32\Tasks\XClientbinary
MD5:F548F1F65447D85DE26FDEFC47C0F00B
SHA256:BBFD1F2EA5FAD318D5901F2DA73ABC3B4A195B8E4881BC3FACE2E7E05568F428
8180WmiPrvSE.exeC:\Windows\INF\display.PNFbinary
MD5:C0F7A0C6771D7AED8370EA70CC0F7461
SHA256:41B72BCDE2478164259053A061A256F1F48A82EB132AD233F6958F5F5B7AE3B5
1260svchost.exeC:\Windows\System32\Tasks\Masonexplorer.exebinary
MD5:DF72B9094A390993052B0A9A4842AEF3
SHA256:86D9307EB4F69C033A5E31F340D5DE4BACAEA365053FFDD9FA503DF907537109
1772svchost.exeC:\Windows\Prefetch\SCHTASKS.EXE-5CA45734.pfbinary
MD5:10A99989F896A73319D2F7CE51DD3FDE
SHA256:EAB1FEA7237B342E5BBF547E8D2CDCDD050FE6D518DE93B203149817DF503559
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
54
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
4.175.87.197:443
https://slscr.update.microsoft.com/sls/ping
unknown
POST
400
20.190.159.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.75:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
20.190.159.129:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 23.48.23.193
  • 23.48.23.146
  • 23.48.23.192
  • 23.48.23.137
  • 23.48.23.194
  • 23.48.23.147
  • 23.48.23.190
  • 23.48.23.141
  • 23.48.23.191
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.0
  • 20.190.159.130
  • 40.126.31.129
  • 40.126.31.1
  • 40.126.31.3
  • 20.190.159.64
  • 40.126.31.2
whitelisted
iraq-roses.gl.at.ply.gg
  • 147.185.221.20
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
4620
explorer.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
explorer.exe