File name: XLtod.exe

Full analysis: https://app.any.run/tasks/01f73875-32c2-4af0-9e02-d117179968f6
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: March 22, 2025, 17:18:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
remote
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 23C936C92EED2FD026C93411D8406A9A
SHA1: 588B72C68B78861BB362F7F6A0EA061D4405AB54
SHA256: B9A1845462DCA182ABD065C3C87AB3EB6101E84A6D6FB1BA8262A451ED719DCC
SSDEEP: 49152:GK9SBi1fdE4vlHwJbG4TRv4aeAqRN5Aod5uQHBkfikpgavAECsUjF5xS7bJaAS:LSBi1DGJb7TOfA8dklvA9TF5x0bMr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 5376)
    • Adds path to the Windows Defender exclusion list

      • ilrcphdp.jpg (PID: 4000)
    • Adds process to the Windows Defender exclusion list

      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7476)
    • Changes Windows Defender settings

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7476)
      • powershell.exe (PID: 7636)
      • powershell.exe (PID: 7484)
    • Changes the autorun value in the registry

      • ilrcphdp.jpg (PID: 4000)
    • Adds extension to the Windows Defender exclusion list

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7636)
    • XWORM has been detected (SURICATA)

      • RegSvcs.exe (PID: 7348)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Reads security settings of Internet Explorer

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 5376)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 5376)
    • There is functionality for taking screenshot (YARA)

      • XLtod.exe (PID: 1276)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5376)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 5376)
    • Process uses IPCONFIG to release the IP address configuration

      • cmd.exe (PID: 4920)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7372)
    • The executable file from the user directory is run by the CMD process

      • ilrcphdp.jpg (PID: 4000)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7372)
    • Script adds exclusion path to Windows Defender

      • ilrcphdp.jpg (PID: 4000)
    • Script adds exclusion process to Windows Defender

      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7476)
    • Process uses IPCONFIG to renew DHCP configuration

      • cmd.exe (PID: 7792)
    • Process drops legitimate windows executable

      • ilrcphdp.jpg (PID: 4000)
    • Application launched itself

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7476)
      • powershell.exe (PID: 7636)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7476)
      • powershell.exe (PID: 7636)
    • Script adds exclusion extension to Windows Defender

      • powershell.exe (PID: 7544)
      • powershell.exe (PID: 7576)
      • ilrcphdp.jpg (PID: 4000)
      • powershell.exe (PID: 7484)
      • powershell.exe (PID: 7636)
    • Starts a Microsoft application from unusual location

      • RegSvcs.exe (PID: 7348)
    • Connects to unusual port

      • RegSvcs.exe (PID: 7348)
    • Contacting a server suspected of hosting a CnC

      • RegSvcs.exe (PID: 7348)
  • INFO

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Reads the computer name

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
      • RegSvcs.exe (PID: 7348)
    • Checks supported languages

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
      • RegSvcs.exe (PID: 7348)
    • The sample was compiled with English language support

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Creates files in a temporary directory

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Process checks computer location settings

      • XLtod.exe (PID: 1276)
      • ilrcphdp.jpg (PID: 4000)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7496)
      • BackgroundTransferHost.exe (PID: 7700)
      • BackgroundTransferHost.exe (PID: 7812)
      • BackgroundTransferHost.exe (PID: 8016)
      • BackgroundTransferHost.exe (PID: 6192)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 7700)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7700)
      • slui.exe (PID: 4756)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7700)
    • Reads mouse settings

      • ilrcphdp.jpg (PID: 4000)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7144)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 8028)
      • powershell.exe (PID: 8056)
    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 7348)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 7144)
      • powershell.exe (PID: 8028)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 8048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:12 10:17:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 238592
InitializedDataSize: 118784
UninitializedDataSize: -
EntryPoint: 0x265d0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 178
Monitored processes: 38
Malicious processes: 10
Suspicious processes: 0

Behavior graph

Processes in the graph, in order ("no specs" marks processes with no flagged indicators): start, xltod.exe, wscript.exe (no specs), sppextcomobj.exe (no specs), slui.exe, backgroundtransferhost.exe (no specs), backgroundtransferhost.exe, backgroundtransferhost.exe (no specs), backgroundtransferhost.exe (no specs), backgroundtransferhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), ilrcphdp.jpg, powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), #XWORM regsvcs.exe, svchost.exe, slui.exe (no specs)

Process information

PID: 1276
CMD: "C:\Users\admin\AppData\Local\Temp\XLtod.exe"
Path: C:\Users\admin\AppData\Local\Temp\XLtod.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\xltod.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1512
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4000
CMD: ilrcphdp.jpg daiars.docx
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\ilrcphdp.jpg
Parent process: cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 16, 1
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\ilrcphdp.jpg
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID: 4408
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4424
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4756
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4920
CMD: "C:\Windows\System32\cmd.exe" /c ipconfig /release
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5376
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\xtbd.vbe"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: XLtod.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5436
CMD: ipconfig /renew
Path: C:\Windows\SysWOW64\ipconfig.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
Total events: 55 506
Read events: 55 487
Write events: 19
Delete events: 0

Modification events

Process: (1276) XLtod.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

Process: (7496) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (7496) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (7496) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (7700) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (7700) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (7700) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (7812) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (7812) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (7812) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 5
Suspicious files: 6
Text files: 73
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\daiars.docx |
MD5:
SHA256:
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\tltgrlc.dll | text
MD5: 46187E8A7254D954EF7A2555B6E491EB
SHA256: 6195FD59A5FB6441279F58C8DC835D3DD9EE4334BA6D09C8D71EF69568A803CA
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\fhkoan.exe | text
MD5: 473DAA89C1BD7865A9FBA63358BC855A
SHA256: 2D96A24DEF50AEFF20836AEAF8E6298200E2723070047B0A7C350389B5AF9A60
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\eetgingox.mp2 | text
MD5: 68B31CDDC37E998B7B1499301D62914E
SHA256: 9485FC85F473547B349E5D198BE32C8BED5C2ACA33306742A33809A5B5F5A5D3
7700 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e39f2203-e929-4947-bd21-09f16a1447c5.down_data |
MD5:
SHA256:
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ognxjlxudx.exe | text
MD5: 64D19B0414B708CF5ED1CFDE7924F5EA
SHA256: B74598459AA98367CC2F601E71A9300129442302EAF4E7E912FC63002C07B495
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\jgoxafa.xls | text
MD5: F38115A81695B7ADB006EF01666AC6E8
SHA256: 0858332245F693EAEDC53B4B21221CD352E69282F3C5CD2DAAE606EAB2E57A52
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ntjvscha.jpg | text
MD5: FC9ABE049F32F25F1D0E2AE5F9089AC3
SHA256: E0A081DE73CA6794413E062A7EAC88C74471A1DE81E64612B4B30195BCEA2E3A
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\qrjvsee.exe | text
MD5: 0F8BA244F162ED7E3B24A1F3858CDBEB
SHA256: 8B4F09868816C011A11E1499011D517C43088D80DFEEE941D51174784631BE7E
1276 | XLtod.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\dfvjmjs.xls | text
MD5: B31A73336ED00F268DAEF65FFC562B10
SHA256: 303FC171B81AA50160B5CA009E50A6EC59F0553CA26B515239D77BA6B8552F10
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 25
DNS requests: 20
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1672 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7700 | BackgroundTransferHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 20.198.162.78:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted
1672 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.google.com
  • 142.250.186.100
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 20.198.162.78
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.129
  • 40.126.31.130
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.mypets .ws Domain
7348 | RegSvcs.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet
No debug info