File name:

XLtod.exe

Full analysis: https://app.any.run/tasks/01f73875-32c2-4af0-9e02-d117179968f6
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: March 22, 2025, 17:18:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
remote
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

23C936C92EED2FD026C93411D8406A9A

SHA1:

588B72C68B78861BB362F7F6A0EA061D4405AB54

SHA256:

B9A1845462DCA182ABD065C3C87AB3EB6101E84A6D6FB1BA8262A451ED719DCC

SSDEEP:

49152:GK9SBi1fdE4vlHwJbG4TRv4aeAqRN5Aod5uQHBkfikpgavAECsUjF5xS7bJaAS:LSBi1DGJb7TOfA8dklvA9TF5x0bMr

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Because the analyst can act inside the guest, the information in this report may have been influenced by user actions; it is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 5376)
    • Adds path to the Windows Defender exclusion list

      • ilrcphdp.jpg (PID: 4000)
    • Adds process to the Windows Defender exclusion list

      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7476)
    • Changes the autorun value in the registry

      • ilrcphdp.jpg (PID: 4000)
    • Adds extension to the Windows Defender exclusion list

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7636)
    • Changes Windows Defender settings

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7476)
      • powershell.exe (PID: 7636)
    • XWORM has been detected (SURICATA)

      • RegSvcs.exe (PID: 7348)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Executable content was dropped or overwritten

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 5376)
    • Contains screenshot-taking functionality (YARA)

      • XLtod.exe (PID: 1276)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 5376)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 5376)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5376)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7372)
    • Script adds exclusion path to Windows Defender

      • ilrcphdp.jpg (PID: 4000)
    • Process uses IPCONFIG to release the IP address configuration (ipconfig /release)

      • cmd.exe (PID: 4920)
    • The executable file from the user directory is run by the CMD process

      • ilrcphdp.jpg (PID: 4000)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7372)
    • Script adds exclusion process to Windows Defender

      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7476)
    • Application launched itself

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7476)
      • powershell.exe (PID: 7636)
    • Process uses IPCONFIG to renew DHCP configuration

      • cmd.exe (PID: 7792)
    • Process drops a legitimate Windows executable

      • ilrcphdp.jpg (PID: 4000)
    • Starts POWERSHELL.EXE for command execution

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7476)
      • powershell.exe (PID: 7636)
    • Script adds exclusion extension to Windows Defender

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7636)
    • Starts a Microsoft application from unusual location

      • RegSvcs.exe (PID: 7348)
    • Connects to unusual port

      • RegSvcs.exe (PID: 7348)
    • Contacts a server suspected of hosting a C2

      • RegSvcs.exe (PID: 7348)
  • INFO

    • Reads the computer name

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
      • RegSvcs.exe (PID: 7348)
    • Checks supported languages

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
      • RegSvcs.exe (PID: 7348)
    • Drops an encoded VBS script (Microsoft Script Encoder, .vbe)

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Creates files in a temporary directory

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • The sample was compiled with English language support

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Process checks computer location settings

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7496)
      • BackgroundTransferHost.exe (PID: 7700)
      • BackgroundTransferHost.exe (PID: 8016)
      • BackgroundTransferHost.exe (PID: 6192)
      • BackgroundTransferHost.exe (PID: 7812)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 7700)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7700)
      • slui.exe (PID: 4756)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7700)
    • Reads mouse settings

      • ilrcphdp.jpg (PID: 4000)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 8028)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 7144)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8028)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 7144)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 8044)
    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 7348)
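The indicators above describe one chain: a dropper in Temp, wscript.exe running a .vbe from the drop directory, cmd.exe launching an AutoIt interpreter renamed to .jpg, PowerShell adding Defender exclusions, RegSvcs.exe started from an unusual location, and ipconfig /release and /renew issued from a shell. As an added example that is not part of the ANY.RUN report, the Python below turns those behaviours into checks over process-creation records and runs them over a constructed event set modelled on the chain. The record layout mirrors the fields a Sysmon Event ID 1 record carries; the PowerShell command line and the RegSvcs.exe path are assumptions, because the report does not print them, and the notepad.exe event is a benign control.

```python
"""Rule checks for the process-creation behaviours this report flags.

Added example (not ANY.RUN's code or output). The ProcEvent layout mirrors the
fields a Sysmon Event ID 1 record carries; the sample events below are
constructed from the report's process list, and the PowerShell command line
and the RegSvcs.exe path are assumptions because the report does not print them.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str             # full path of the new process
    command_line: str
    parent_image: str      # full path of the parent
    description: str = ""  # version-info FileDescription, when the sensor records it


EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".dll"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
DOTNET_DIR = re.compile(r"\\windows\\microsoft\.net\\framework(64)?\\", re.I)

# Defender tampering: exclusions added, or a protection feature switched off.
MP_EXCLUSION = re.compile(r"add-mppreference\b.*?-exclusion(path|process|extension)\b", re.I)
MP_DISABLE = re.compile(r"set-mppreference\b.*?-disable\w*\s+(\$true|1)\b", re.I)
IPCONFIG_RESET = re.compile(r"\bipconfig(\.exe)?\b.*?/(release|renew)\b", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing notable)."""
    hits: list[str] = []
    cl, img, parent = ev.command_line, _base(ev.image), _base(ev.parent_image)

    if MP_EXCLUSION.search(cl):
        hits.append("defender_exclusion_added")
    if MP_DISABLE.search(cl):
        hits.append("defender_feature_disabled")

    # Script host running a script from the user's profile (xtbd.vbe under RarSFX0).
    if img in {"wscript.exe", "cscript.exe"}:
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cl):
            arg = quoted or bare
            if _ext(arg) in SCRIPT_EXTS and USER_WRITABLE.search(arg):
                hits.append("script_host_from_user_dir")
                break

    # Process image with an extension Windows does not normally execute (ilrcphdp.jpg).
    if _ext(ev.image) not in EXEC_EXTS:
        hits.append("unusual_image_extension")

    # AutoIt interpreter that is no longer called AutoIt3.exe.
    if "autoit" in ev.description.lower() and not img.startswith("autoit3"):
        hits.append("renamed_autoit_interpreter")

    # RegSvcs.exe belongs under %WINDIR%\Microsoft.NET\Framework*; anywhere else is suspect.
    if img == "regsvcs.exe" and not DOTNET_DIR.search(ev.image):
        hits.append("regsvcs_unusual_location")

    # ipconfig /release or /renew issued through a shell that a script host spawned.
    if IPCONFIG_RESET.search(cl) and parent in {"cmd.exe", "wscript.exe", "cscript.exe"}:
        hits.append("ipconfig_release_renew_from_shell")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> tripped rules, keeping only events that tripped something."""
    return {ev.pid: hits for ev in events if (hits := check_event(ev))}


# Constructed events modelled on the chain in this report (see the assumptions above).
SAMPLE_EVENTS = [
    ProcEvent(1276, r"C:\Users\admin\AppData\Local\Temp\XLtod.exe",
              r'"C:\Users\admin\AppData\Local\Temp\XLtod.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(5376, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\xtbd.vbe"',
              r"C:\Users\admin\AppData\Local\Temp\XLtod.exe"),
    ProcEvent(4920, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig /release', r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(4000, r"C:\Users\admin\AppData\Local\Temp\RarSFX0\ilrcphdp.jpg",
              "ilrcphdp.jpg daiars.docx", r"C:\Windows\SysWOW64\cmd.exe", description="AutoIt v3 Script"),
    ProcEvent(7544, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "Add-MpPreference -ExclusionExtension exe"',  # assumed command line
              r"C:\Users\admin\AppData\Local\Temp\RarSFX0\ilrcphdp.jpg"),
    ProcEvent(7348, r"C:\Users\admin\AppData\Roaming\RegSvcs.exe",  # assumed location
              r"C:\Users\admin\AppData\Roaming\RegSvcs.exe",
              r"C:\Users\admin\AppData\Local\Temp\RarSFX0\ilrcphdp.jpg"),
    ProcEvent(9001, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),  # control
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Each rule is deliberately narrow so that a single hit is a lead rather than a verdict; what makes this chain convincing is that six different rules fire across one parent-child lineage. A detection pipeline would join the hits on the parent PIDs before alerting.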
No malware configuration was extracted.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

(TRiD's top guess of "Win64" is a generic heuristic and conflicts with the PE header, which declares a 32-bit PE32 image for Intel 386; trust the header.)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:12 10:17:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 238592
InitializedDataSize: 118784
UninitializedDataSize: -
EntryPoint: 0x265d0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes
178
Monitored processes
38
Malicious processes
10
Suspicious processes
0

Behavior graph

Processes in the order the graph shows them ("no specs" is the graph's own label for a process with no recorded specifications, i.e. no triggered indicators; "#XWORM" marks the process in which the XWorm signature fired):
  • start
  • xltod.exe
  • wscript.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ipconfig.exe (no specs)
  • ilrcphdp.jpg
  • powershell.exe (no specs) followed by conhost.exe (no specs), six such pairs
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ipconfig.exe (no specs)
  • powershell.exe (no specs), five instances
  • #XWORM regsvcs.exe
  • svchost.exe
  • slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1276
CMD:
"C:\Users\admin\AppData\Local\Temp\XLtod.exe"
Path:
C:\Users\admin\AppData\Local\Temp\XLtod.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\xltod.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1512
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
4000
CMD:
ilrcphdp.jpg daiars.docx
Path:
C:\Users\admin\AppData\Local\Temp\RarSFX0\ilrcphdp.jpg
Parent process:
cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 16, 1
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\ilrcphdp.jpg
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID:
4408
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4424
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4756
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4920
CMD:
"C:\Windows\System32\cmd.exe" /c ipconfig /release
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
5376
CMD:
"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\xtbd.vbe"
Path:
C:\Windows\SysWOW64\wscript.exe
Parent process:
XLtod.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5436
CMD:
ipconfig /renew
Path:
C:\Windows\SysWOW64\ipconfig.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
Total events
55 506
Read events
55 487
Write events
19
Delete events
0

Modification events

(PID) Process: (1276) XLtod.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (7496) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7496) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7496) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7700) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7700) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7700) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7812) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7812) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7812) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files
5
Suspicious files
6
Text files
73
Unknown types
0

Dropped files

PID | Process | Filename | Type

1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\daiars.docx | (type not recorded)
MD5:
SHA256:
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\tltgrlc.dll | text
MD5: 46187E8A7254D954EF7A2555B6E491EB
SHA256: 6195FD59A5FB6441279F58C8DC835D3DD9EE4334BA6D09C8D71EF69568A803CA
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ohrrxvrn.vcl | text
MD5: 3AA35D1A2DCF0F2F6FB72ECACAC04706
SHA256: 76CE4E41A049C09EA3BCF7C5C0082E3B949A96F672AC2D39712454A58CF5299A
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\nshkmeu.3gp | text
MD5: 20B15EA6C3C1A6AEA4D0D54429A37F68
SHA256: 629615E976D59E1085ACB05FDB5CAEF61412A8912503DB50DE5E6B324F3305E6
7700 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e39f2203-e929-4947-bd21-09f16a1447c5.down_data | (type not recorded)
MD5:
SHA256:
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\xtbd.vbe | text
MD5: C4EE5F0904448E41D07F3BF9410F2AB4
SHA256: D6C9E804AAFD297F8E57415985CE0211416A09A11B237086B70B6E02CD9BB7F8
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ilrcphdp.jpg | executable
MD5: 0ADB9B817F1DF7807576C2D7068DD931
SHA256: 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ognxjlxudx.exe | text
MD5: 64D19B0414B708CF5ED1CFDE7924F5EA
SHA256: B74598459AA98367CC2F601E71A9300129442302EAF4E7E912FC63002C07B495
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\jgoxafa.xls | text
MD5: F38115A81695B7ADB006EF01666AC6E8
SHA256: 0858332245F693EAEDC53B4B21221CD352E69282F3C5CD2DAAE606EAB2E57A52
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ftrthigqe.ppt | text
MD5: B8255193187FBD27512E46723148CCCD
SHA256: 980EADB06A25DFB56ADFDEB628B351953CE3ACD1257A922084D160DFC2F0B347
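The drop directory above mixes one real PE under a .jpg name with files carrying .dll, .exe, .xls and .ppt names that the sandbox typed as text, plus a Script Encoder .vbe. As an added example that is not part of the report, the Python below sniffs a file's leading bytes and compares the result with what its extension claims, which is the check a triage script would run over such a drop directory. File contents are constructed placeholders (the report records only names, sandbox types and hashes), the magic-byte list is this example's own short table, and legit.jpg is a control file that does not appear in the report.

```python
"""Extension-versus-content check for a drop directory.

Added example (not ANY.RUN's code). The magic-byte table is this example's
own short list; the file contents in SAMPLES are constructed placeholders,
since the report records only names, sandbox types and hashes.
"""
import ntpath

# (leading bytes, kind) for the formats that matter in this drop.
MAGIC = [
    (b"MZ", "pe"),
    (b"#@~^", "script-encoder"),   # Microsoft Script Encoder output (.vbe / .jse)
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),        # plain zip and OOXML (.docx/.xlsx/.pptx)
    (b"\xff\xd8\xff", "jpeg"),
]

# What each extension claims its contents are.
CLAIMS = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".vbe": "script-encoder", ".jse": "script-encoder",
    ".rar": "rar",
}
PE_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl", ".drv"}


def sniff(data: bytes) -> str:
    """Classify by leading bytes; fall back to 'text' for printable ASCII, else 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def classify(path: str, data: bytes) -> dict:
    """Compare sniffed content with the extension's claim and return the findings."""
    ext = ntpath.splitext(path)[1].lower()
    kind = sniff(data)
    claimed = CLAIMS.get(ext)
    flags: list[str] = []
    if claimed is not None and claimed != kind:
        flags.append(f"mismatch:{ext}-claims-{claimed}-is-{kind}")
    if kind == "pe" and ext not in PE_EXTS:
        flags.append("executable_masquerading")   # ilrcphdp.jpg in the report
    if kind == "script-encoder":
        flags.append("script_encoder_vbe")        # xtbd.vbe in the report
    return {"name": ntpath.basename(path), "ext": ext, "kind": kind, "flags": flags}


def scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Return {basename: flags} for every file that raised at least one flag."""
    out: dict[str, list[str]] = {}
    for path, data in files.items():
        rec = classify(path, data)
        if rec["flags"]:
            out[rec["name"]] = rec["flags"]
    return out


DROP = r"C:\Users\admin\AppData\Local\Temp\RarSFX0"
SAMPLES = {  # constructed contents; the names are the report's, legit.jpg is a control
    DROP + r"\ilrcphdp.jpg": b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"PE\x00\x00",
    DROP + r"\xtbd.vbe": b"#@~^FAAAAA==" + b"x" * 20 + b"==^#~@",
    DROP + r"\tltgrlc.dll": b"placeholder text the sandbox typed as text\r\n",
    DROP + r"\daiars.docx": b"placeholder script text\r\n",
    DROP + r"\ognxjlxudx.exe": b"placeholder text\r\n",
    DROP + r"\legit.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
}

if __name__ == "__main__":
    for name, flags in scan(SAMPLES).items():
        print(f"{name}: {', '.join(flags)}")
```

The sniffer is deliberately content-first: the sandbox's own "executable" verdict for ilrcphdp.jpg came from the same MZ check, not from the name, and that is why the renamed AutoIt interpreter shows up here even though every process-name-based allowlist would pass it.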
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
20
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

6544 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7700 | BackgroundTransferHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1672 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

(The Type and Size columns are not recorded for any of these six requests. All of them are OCSP and CRL fetches by Windows components; none is attributable to the sample.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 20.198.162.78:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted
1672 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

(Empty cells are fields the report did not record for that row. Every row here is whitelisted Windows telemetry or PKI traffic; the RegSvcs.exe (PID 7348) connection that Suricata flagged as XWorm C2 and that the indicators list as "Connects to unusual port" is not among the rows shown.)

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.google.com
  • 142.250.186.100
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 20.198.162.78
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.129
  • 40.126.31.130
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

PID | Process | Class | Message

2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.mypets .ws Domain
7348 | RegSvcs.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet
No debug info