File name:

explorer.exe

Full analysis: https://app.any.run/tasks/e53277b6-e3a0-4684-9497-edd7cb703fb2
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: April 15, 2025, 18:05:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xworm
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

73158E52A6BF29A478D6443F8CB2D2B5

SHA1:

515EF7E1BB30F05ABF6A8D27A1C7A02C2053386C

SHA256:

B1C0DA596252D2322AF646035E21951A7EE16982249AAEF52FB74C8C6EAF65A1

SSDEEP:

6144:+Ek9NQnodizj0u2qUmMrV5GRcYNDH0PC/A6aJz/rbBQq:+VQnAizj+mY7GRcYNDH0a/AZJzpt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Application was injected by another process

      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 2996)
      • dllhost.exe (PID: 6896)
      • svchost.exe (PID: 7992)
      • WaaSMedicAgent.exe (PID: 8044)
      • conhost.exe (PID: 8052)
      • WmiPrvSE.exe (PID: 8180)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 2776)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 2932)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 3104)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 2112)
      • dllhost.exe (PID: 5880)
      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 1572)
      • uhssvc.exe (PID: 648)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 6024)
      • svchost.exe (PID: 1684)
      • winlogon.exe (PID: 6648)
      • dwm.exe (PID: 6568)
      • svchost.exe (PID: 4544)
      • svchost.exe (PID: 4952)
      • sihost.exe (PID: 4984)
      • svchost.exe (PID: 6608)
      • explorer.exe (PID: 5492)
      • RuntimeBroker.exe (PID: 6160)
      • ctfmon.exe (PID: 956)
      • RuntimeBroker.exe (PID: 5368)
      • RuntimeBroker.exe (PID: 1036)
      • UserOOBEBroker.exe (PID: 1248)
      • ApplicationFrameHost.exe (PID: 6952)
      • svchost.exe (PID: 6544)
      • svchost.exe (PID: 4684)
      • audiodg.exe (PID: 6168)
      • svchost.exe (PID: 4916)
      • dllhost.exe (PID: 6176)
      • svchost.exe (PID: 4348)
      • svchost.exe (PID: 6344)
      • svchost.exe (PID: 5132)
      • svchost.exe (PID: 6180)
      • svchost.exe (PID: 644)
      • slui.exe (PID: 5960)
      • SppExtComObj.Exe (PID: 6476)
      • RuntimeBroker.exe (PID: 4944)
      • WerFault.exe (PID: 7656)
      • svchost.exe (PID: 668)
      • WmiPrvSE.exe (PID: 1128)
    • Runs injected code in another process

      • yqkoflp4.25c.exe (PID: 5392)
      • mdyebm4h.bgf.exe (PID: 1280)
      • km1jcpme.p5a.exe (PID: 4728)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 4620)
    • Create files in the Startup directory

      • explorer.exe (PID: 4620)
    • XWORM has been detected (YARA)

      • explorer.exe (PID: 4620)
    • XWORM has been detected (SURICATA)

      • explorer.exe (PID: 4620)
    • Uses Task Scheduler to run other applications

      • explorer.exe (PID: 4620)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Reads the date of Windows installation

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Connects to unusual port

      • explorer.exe (PID: 4620)
    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 4620)
    • The process executes via Task Scheduler

      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Executes application which crashes

      • schtasks.exe (PID: 2432)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 4920)
  • INFO

    • Checks supported languages

      • explorer.exe (PID: 4620)
      • yqkoflp4.25c.exe (PID: 5392)
      • XClient.exe (PID: 6148)
      • mdyebm4h.bgf.exe (PID: 1280)
      • XClient.exe (PID: 2564)
      • km1jcpme.p5a.exe (PID: 4728)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • RuntimeBroker.exe (PID: 4944)
    • Reads the computer name

      • explorer.exe (PID: 4620)
      • yqkoflp4.25c.exe (PID: 5392)
      • XClient.exe (PID: 6148)
      • mdyebm4h.bgf.exe (PID: 1280)
      • XClient.exe (PID: 2564)
      • km1jcpme.p5a.exe (PID: 4728)
    • Create files in a temporary directory

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Reads the machine GUID from the registry

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4620)
      • explorer.exe (PID: 5492)
      • lsass.exe (PID: 756)
      • WerFault.exe (PID: 4920)
    • Process checks computer location settings

      • explorer.exe (PID: 4620)
      • XClient.exe (PID: 6148)
      • XClient.exe (PID: 2564)
    • Reads the software policy settings

      • WaaSMedicAgent.exe (PID: 8044)
      • slui.exe (PID: 5960)
      • slui.exe (PID: 5772)
    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 8180)
      • WmiPrvSE.exe (PID: 1128)
    • Reads the time zone

      • WmiPrvSE.exe (PID: 8180)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)
    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 668)
    • Checks proxy server information

      • slui.exe (PID: 5772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(4620) explorer.exe
C2iraq-roses.gl.at.ply.gg:64231
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameNoMoreLife
Mutex2F7K0EVP0oiIMKzW
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:10:05 05:32:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 254464
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0x4003e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: MasonRootkit.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: MasonRootkit.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
155
Monitored processes
114
Malicious processes
92
Suspicious processes
7

Behavior graph

Click at the process to see the details
start #XWORM explorer.exe yqkoflp4.25c.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe waasmedicagent.exe conhost.exe svchost.exe wmiprvse.exe slui.exe xclient.exe mdyebm4h.bgf.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs runtimebroker.exe xclient.exe km1jcpme.p5a.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe conhost.exe no specs svchost.exe werfault.exe werfault.exe no specs wmiprvse.exe svchost.exe svchost.exe uhssvc.exe lsass.exe svchost.exe ctfmon.exe runtimebroker.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe runtimebroker.exe explorer.exe mousocoreworker.exe dllhost.exe slui.exe svchost.exe runtimebroker.exe audiodg.exe dllhost.exe svchost.exe svchost.exe sppextcomobj.exe explorer.exe no specs svchost.exe dwm.exe svchost.exe winlogon.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
468C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
644C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhostsC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
648"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
668C:\WINDOWS\System32\svchost.exe -k WerSvcGroupC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wersvc.dll
c:\windows\system32\msvcrt.dll
756C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
860C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvcC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
956"ctfmon.exe"C:\Windows\System32\ctfmon.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CTF Loader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1036C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
1044C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1128C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\System32\wbem\WmiPrvSE.exe
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Provider Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\combase.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\ucrtbase.dll
Total events
33 000
Read events
32 699
Write events
199
Delete events
102

Modification events

(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:writeName:refreshAfter
Value:
CFFAEA33FAAEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:delete valueName:ETag
Value:
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
Operation:delete valueName:refreshAfter
Value:
𢡊㏪껺Ǜ
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:WaaSOutOfDateState
Value:
0
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:WaasAssessmentCheckTimestamp
Value:
5022810931AEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:UpToDateStatusRecalcTimestamp
Value:
5022810931AEDB01
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:ActiveHoursStart
Value:
10
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:ActiveHoursEnd
Value:
18
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000006D0073006D000000
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010013000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001400000000000000630061006C006C0065006400760061006C007500650073002E0070006E0067003E00200020000000150000000000000063006F006D0070007500740065007200730074006F006E0065002E007200740066003E00200020000000150000000000000063006F00720070006F007200610074006500730065006C0066002E006A00700067003E0020002000000016000000000000006500780069007300740069006E0067006500660066006500630074002E0070006E0067003E002000200000001700000000000000680065006100720064006E0061007600690067006100740069006F006E002E006A00700067003E0020002000000011000000000000006D006F007300740061006C00620075006D002E006A00700067003E00200020000000120000000000000070006F007300690074006900760065006D0064002E007200740066003E0020002000000010000000000000007200650061006C0061007700610079002E007200740066003E002000200000001000000000000000730074006100660066007000610079002E0070006E0067003E002000200000000F000000000000007700650065006B007900650073002E007200740066003E0020002000000010000000000000006500780070006C006F007200650072002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001300000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A0401100000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000001200
Executable files
4
Suspicious files
37
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
1772svchost.exeC:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pfbinary
MD5:2A02A912A188CF2B44E0B2600F480460
SHA256:55D2C36A6B4CC23868462D36570F997E39634C411EB4C287B15485CACC17299C
1260svchost.exeC:\Windows\System32\Tasks\Masonexplorer.exebinary
MD5:DF72B9094A390993052B0A9A4842AEF3
SHA256:2107FF0241489D0FBF0604EF65CFFCE5A618BAF902921E09EB40C786FD5F65CA
6896dllhost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkbinary
MD5:E313E6FAE3209AADA08F9555EC656479
SHA256:17394B7C7540B44894D2DFBE714EF25BD03C5C8AD8DC8FA2464735C0FF908131
4620explorer.exeC:\Users\admin\AppData\Local\Temp\yqkoflp4.25c.exeexecutable
MD5:94F1AB3A068F83B32639579EC9C5D025
SHA256:879CC20B41635709BB304E315AAA5CA4708B480A1BFC2F4935FCF2215188EFB0
1772svchost.exeC:\Windows\Prefetch\SCHTASKS.EXE-5CA45734.pfbinary
MD5:10A99989F896A73319D2F7CE51DD3FDE
SHA256:13E855FD508E58FF87FC67D746DF07B9E0995F51D2839C2AD70365A636BE21BF
1772svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:F0728865EBC4FCB519B073B4FA03C3C2
SHA256:16B3ED604BF0B75C4289300A8F7BE30D32DD523A9598061189C41A32DD1EE819
1772svchost.exeC:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pfbinary
MD5:C7C6C488F79A311C12690604999E7FD7
SHA256:E261F63BBE4CCDAAC9CDAFE79CCF8FC6EB6EF6B8888937A281C267E0C43920D2
1772svchost.exeC:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pfbinary
MD5:23B9E867DDDFD72EC29957846B43BBFF
SHA256:BBC56FCC66679B786318B3D4730B59736D433158E23D82F046D731F0C63DBC91
1260svchost.exeC:\Windows\System32\Tasks\XClientbinary
MD5:F548F1F65447D85DE26FDEFC47C0F00B
SHA256:C597733EE9BE23008C83F6D22FB898F26A82E25C6D70FE87E810B50DF1F6CCD0
4620explorer.exeC:\Users\admin\AppData\Roaming\XClient.exeexecutable
MD5:73158E52A6BF29A478D6443F8CB2D2B5
SHA256:B1C0DA596252D2322AF646035E21951A7EE16982249AAEF52FB74C8C6EAF65A1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
54
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
7416
SIHClient.exe
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7416
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 23.48.23.193
  • 23.48.23.146
  • 23.48.23.192
  • 23.48.23.137
  • 23.48.23.194
  • 23.48.23.147
  • 23.48.23.190
  • 23.48.23.141
  • 23.48.23.191
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.0
  • 20.190.159.130
  • 40.126.31.129
  • 40.126.31.1
  • 40.126.31.3
  • 20.190.159.64
  • 40.126.31.2
whitelisted
iraq-roses.gl.at.ply.gg
  • 147.185.221.20
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info