File name:

x69gg.exe

Full analysis: https://app.any.run/tasks/16685c47-35f5-4fd9-a4ae-5bc2e5415a45
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 16:04:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
auto-reg
remote
xworm
amsi-bypass
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:

C55D3927FAC38C996B9306B54F462E4F

SHA1:

E7FA65E1FBBD8D8AA91A35E9EE8D957644D6E9E6

SHA256:

B259C4299683889F04066C0EB3FFAA7CF5531E43CF9D5A588F9105E5CAEA204E

SSDEEP:

6144:1VhRL0maKWQg08g7ADaOt8wFfN0S5uGkuWJ1VGFTdV:770maB08g7AnGwFl0S5LkLCFTd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • x69.exe (PID: 8032)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7412)

    • Changes the autorun value in the registry

      • x69.exe (PID: 8032)

    • Changes Windows Defender settings

      • cmd.exe (PID: 7308)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7276)

    • XWORM has been detected (SURICATA)

      • x69.exe (PID: 8032)

    • XWORM has been detected (YARA)

      • x69.exe (PID: 8032)

    • Runs injected code in another process

      • powershell.exe (PID: 8168)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 8168)

    • Application was injected by another process

      • dllhost.exe (PID: 2096)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7632)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 1072)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7320)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 1244)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 6112)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • x69gg.exe (PID: 7828)
      • x69tool.exe (PID: 7952)
      • x69.exe (PID: 8032)
      • x69Disable-winDefender.exe (PID: 8052)

    • Base64-obfuscated command line is found

      • x69gg.exe (PID: 7828)

    • Starts POWERSHELL.EXE for commands execution

      • x69gg.exe (PID: 7828)
      • cmd.exe (PID: 7308)

    • Executable content was dropped or overwritten

      • x69gg.exe (PID: 7828)
      • x69.exe (PID: 8032)
      • x69tool.exe (PID: 7952)

    • BASE64 encoded PowerShell command has been detected

      • x69gg.exe (PID: 7828)

    • Reads the date of Windows installation

      • x69tool.exe (PID: 7952)
      • x69.exe (PID: 8032)

    • Executing commands from a ".bat" file

      • x69Disable-winDefender.exe (PID: 8052)

    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 8168)

    • The process executes via Task Scheduler

      • powershell.exe (PID: 8168)
      • x69.exe (PID: 6036)
      • x69.exe (PID: 208)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7308)

    • Found strings related to reading or modifying Windows Defender settings

      • x69Disable-winDefender.exe (PID: 8052)

    • Starts CMD.EXE for commands execution

      • x69Disable-winDefender.exe (PID: 8052)

    • Connects to unusual port

      • x69.exe (PID: 8032)

    • Contacting a server suspected of hosting an CnC

      • x69.exe (PID: 8032)

    • Script disables Windows Defender's behavior monitoring

      • cmd.exe (PID: 7308)

    • There is functionality for taking screenshot (YARA)

      • x69.exe (PID: 8032)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7308)

    • Executes application which crashes

      • powershell.exe (PID: 6112)
      • reg.exe (PID: 6264)

    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 968)

    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 1116)
      • cmd.exe (PID: 7308)

    • Uses NETSH.EXE to change the status of the firewall

      • powershell.exe (PID: 924)

    • Modifies existing scheduled task

      • schtasks.exe (PID: 2420)
      • schtasks.exe (PID: 6660)
      • schtasks.exe (PID: 3140)
      • schtasks.exe (PID: 6760)
      • schtasks.exe (PID: 7372)

  • INFO

    • Reads the computer name

      • x69gg.exe (PID: 7828)
      • x69tool.exe (PID: 7952)
      • x69Install.exe (PID: 8080)
      • x69.exe (PID: 8032)
      • MpCmdRun.exe (PID: 7412)
      • x69.exe (PID: 4272)
      • x69Disable-winDefender.exe (PID: 8052)

    • Checks supported languages

      • x69gg.exe (PID: 7828)
      • x69tool.exe (PID: 7952)
      • x69.exe (PID: 8032)
      • x69Disable-winDefender.exe (PID: 8052)
      • x69Install.exe (PID: 8080)
      • MpCmdRun.exe (PID: 7412)
      • x69.exe (PID: 4272)

    • Create files in a temporary directory

      • x69gg.exe (PID: 7828)
      • x69Disable-winDefender.exe (PID: 8052)
      • x69tool.exe (PID: 7952)
      • MpCmdRun.exe (PID: 7412)

    • Process checks computer location settings

      • x69gg.exe (PID: 7828)
      • x69tool.exe (PID: 7952)
      • x69Disable-winDefender.exe (PID: 8052)
      • x69.exe (PID: 8032)

    • Reads the machine GUID from the registry

      • x69tool.exe (PID: 7952)
      • x69Install.exe (PID: 8080)
      • x69.exe (PID: 8032)

    • Creates files or folders in the user directory

      • x69.exe (PID: 8032)
      • WerFault.exe (PID: 968)

    • Auto-launch of the file from Registry key

      • x69.exe (PID: 8032)

    • Disables trace logs

      • x69.exe (PID: 8032)

    • Reads the software policy settings

      • x69.exe (PID: 8032)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 7276)
      • powershell.exe (PID: 7628)
      • powershell.exe (PID: 7632)
      • powershell.exe (PID: 1132)
      • powershell.exe (PID: 5548)
      • powershell.exe (PID: 7400)
      • powershell.exe (PID: 7540)
      • powershell.exe (PID: 1072)
      • powershell.exe (PID: 7320)
      • powershell.exe (PID: 1244)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7276)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 7628)
      • powershell.exe (PID: 1132)
      • powershell.exe (PID: 7632)
      • powershell.exe (PID: 5548)
      • powershell.exe (PID: 7540)
      • powershell.exe (PID: 7320)
      • powershell.exe (PID: 1244)
      • powershell.exe (PID: 7400)

    • Reads Environment values

      • x69.exe (PID: 8032)

    • Checks proxy server information

      • x69.exe (PID: 8032)

    • Manual execution by a user

      • x69.exe (PID: 4272)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 8168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(8032) x69.exe
C2civil-regression.gl.at.ply.gg:27176
Keys
AESMasonRAT
Options
SplitterMasonGroup
USB drop nameUSB.exe
MutexefkWSoYdkMysjLSP
C2https://raw.githubusercontent.com/76bh/img/main/h:%ip%
Keys
AES%port%
Options
SplitterMasonRAT
USB drop nameMasonGroup
MutexUSB.exe
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 243712
UninitializedDataSize: -
EntryPoint: 0x1499
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
202
Monitored processes
74
Malicious processes
7
Suspicious processes
7

Behavior graph

Click at the process to see the details
start x69gg.exe powershell.exe no specs conhost.exe no specs x69tool.exe #XWORM x69.exe x69disable-windefender.exe no specs x69install.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs schtasks.exe no specs conhost.exe no specs conhost.exe no specs mpcmdrun.exe no specs powershell.exe no specs x69.exe no specs svchost.exe powershell.exe no specs powershell.exe no specs dllhost.exe powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe werfault.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs x69.exe no specs powershell.exe no specs reg.exe no specs powershell.exe no specs reg.exe no specs powershell.exe no specs netsh.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe werfault.exe no specs reg.exe no specs slui.exe x69.exe no specs x69gg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Users\admin\AppData\Roaming\x69.exe"C:\Users\admin\AppData\Roaming\x69.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\x69.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\pdh.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
924powershell.exe -command "netsh advfirewall set allprofiles state off"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
968C:\WINDOWS\system32\WerFault.exe -u -p 6112 -s 436C:\Windows\System32\WerFault.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
968reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1072powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1096powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
1116powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1132powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1244powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
1328reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
109 700
Read events
109 607
Write events
79
Delete events
14

Modification events

(PID) Process:(8032) x69.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:x69
Value:
C:\Users\admin\AppData\Roaming\x69.exe
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8032) x69.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\x69_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
Executable files
5
Suspicious files
10
Text files
43
Unknown types
0

Dropped files

PID
Process
Filename
Type
7952x69tool.exeC:\Users\admin\AppData\Local\Temp\x69Install.exeexecutable
MD5:A6807422FD83A9382CC5F68F89E94320
SHA256:5D09D7E11C41758A0645A16F464E9F749F93B7A037853403EC8D2E4F6D9A737A
7880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_knai5nfk.5wx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7952x69tool.exeC:\Users\admin\AppData\Local\Temp\x69.exeexecutable
MD5:F05AC74DF8A457DE82780E81BEF9AE5B
SHA256:C749F9CB69B081C3EC405B81327C2713544862BA1FB1812166E299DA133EA2E0
8032x69.exeC:\Users\admin\AppData\Roaming\x69.exeexecutable
MD5:F05AC74DF8A457DE82780E81BEF9AE5B
SHA256:C749F9CB69B081C3EC405B81327C2713544862BA1FB1812166E299DA133EA2E0
7952x69tool.exeC:\Users\admin\AppData\Local\Temp\x69Disable-winDefender.exeexecutable
MD5:99374AEEB9DC3FB49B2E41D85BDB0AA1
SHA256:E247A221014FD4A925CAFDEC6BAFCDDEE98401CEA6456ABCCE2854D593BCC406
7540powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q52usknq.bbi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jc4emyup.fjx.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7412MpCmdRun.exeC:\Users\admin\AppData\Local\Temp\MpCmdRun.logbinary
MD5:4DA143E9A7FCCE6F9D1EC8D9A081F004
SHA256:A2275DD7D479F9F28CCFA5A42A7F17D39E6B022A548E93AD047533BFA98520EA
8168powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2biblwr3.sg5.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7276powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_usxdg2ep.24q.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
31
DNS requests
8
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
8032
x69.exe
185.199.111.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
8032
x69.exe
147.185.221.28:27176
civil-regression.gl.at.ply.gg
PLAYIT-GG
US
malicious
8032
x69.exe
185.91.127.173:505
SkyLink Data Center BV
GB
unknown
4
System
192.168.100.255:137
whitelisted
2292
svchost.exe
239.255.255.250:3702
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.29
  • 23.216.77.36
  • 23.216.77.7
  • 23.216.77.13
  • 23.216.77.15
  • 23.216.77.32
  • 23.216.77.22
  • 23.216.77.21
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.110.133
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
civil-regression.gl.at.ply.gg
  • 147.185.221.28
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
8032
x69.exe
Misc Attack
ET DROP Dshield Block Listed Source group 1
8032
x69.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
8032
x69.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
8032
x69.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
8032
x69.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
x69gg.exe