File name:

wininit.exe

Full analysis: https://app.any.run/tasks/06831027-abb2-487e-8a47-210bace4d89c
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: August 31, 2024, 12:02:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xworm
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

4FEE425A99EF065FA6622BD5DAB95224

SHA1:

E353F7A83D466AB2CA4965EA568890FE2AA18677

SHA256:

D09A2809DB93D0BA804BB1025E1730A5B05E3B818D5303F59E81F9ABE3A4A5DC

SSDEEP:

6144:VZY4SQnodizj0u2qUmMrV5GRcYNDH0PC/A6aJz9bDg/UoOcq:VO4SQnAizj+mY7GRcYNDH0a/AZJzFg/Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • wininit.exe (PID: 752)

    • Application was injected by another process

      • winlogon.exe (PID: 684)
      • lsass.exe (PID: 768)
      • dwm.exe (PID: 852)
      • svchost.exe (PID: 1200)
      • svchost.exe (PID: 1208)
      • svchost.exe (PID: 1588)
      • svchost.exe (PID: 1508)
      • svchost.exe (PID: 1272)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 1408)
      • svchost.exe (PID: 1472)
      • svchost.exe (PID: 1816)
      • svchost.exe (PID: 1600)
      • svchost.exe (PID: 1620)
      • svchost.exe (PID: 1628)
      • svchost.exe (PID: 1796)
      • svchost.exe (PID: 1864)
      • svchost.exe (PID: 2000)
      • svchost.exe (PID: 1872)
      • svchost.exe (PID: 2184)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2344)
      • svchost.exe (PID: 2304)
      • svchost.exe (PID: 2412)
      • OfficeClickToRun.exe (PID: 2656)
      • spoolsv.exe (PID: 2592)
      • svchost.exe (PID: 2788)
      • svchost.exe (PID: 2312)
      • svchost.exe (PID: 2496)
      • svchost.exe (PID: 3020)
      • svchost.exe (PID: 2692)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 3012)
      • svchost.exe (PID: 3056)
      • svchost.exe (PID: 2968)
      • svchost.exe (PID: 2160)
      • svchost.exe (PID: 2072)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 4300)
      • svchost.exe (PID: 3888)
      • svchost.exe (PID: 3200)
      • svchost.exe (PID: 4332)
      • svchost.exe (PID: 4140)
      • svchost.exe (PID: 3260)
      • svchost.exe (PID: 3220)
      • svchost.exe (PID: 3496)
      • svchost.exe (PID: 3340)
      • svchost.exe (PID: 3408)
      • dasHost.exe (PID: 3692)
      • svchost.exe (PID: 3548)
      • svchost.exe (PID: 4184)
      • svchost.exe (PID: 4532)
      • sihost.exe (PID: 4112)
      • explorer.exe (PID: 4552)
      • ctfmon.exe (PID: 4356)
      • svchost.exe (PID: 4324)
      • svchost.exe (PID: 4808)
      • dllhost.exe (PID: 3312)
      • RuntimeBroker.exe (PID: 4244)
      • MoUsoCoreWorker.exe (PID: 2120)
      • RuntimeBroker.exe (PID: 5560)
      • svchost.exe (PID: 5416)
      • svchost.exe (PID: 5236)
      • RuntimeBroker.exe (PID: 776)
      • ApplicationFrameHost.exe (PID: 4052)
      • UserOOBEBroker.exe (PID: 2744)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 1824)
      • uhssvc.exe (PID: 536)
      • svchost.exe (PID: 5036)
      • dllhost.exe (PID: 4424)
      • dllhost.exe (PID: 5568)
      • svchost.exe (PID: 5256)
      • svchost.exe (PID: 5988)
      • svchost.exe (PID: 5624)
      • svchost.exe (PID: 6780)
      • svchost.exe (PID: 6564)
      • UsoClient.exe (PID: 6968)
      • PLUGScheduler.exe (PID: 6316)
      • taskhostw.exe (PID: 6264)
      • svchost.exe (PID: 476)
      • svchost.exe (PID: 5180)
      • MusNotification.exe (PID: 6948)
      • RUXIMICS.exe (PID: 6232)
      • RUXIMICS.exe (PID: 3140)
      • svchost.exe (PID: 1332)
      • WaaSMedicAgent.exe (PID: 2492)
      • conhost.exe (PID: 2684)
      • WmiPrvSE.exe (PID: 3984)
      • MusNotifyIcon.exe (PID: 1480)
      • svchost.exe (PID: 1036)
      • MusNotificationUx.exe (PID: 6580)
      • svchost.exe (PID: 3568)

    • Runs injected code in another process

      • 0bmv0qaq.pjd.exe (PID: 4976)

    • XWORM has been detected (YARA)

      • wininit.exe (PID: 752)

    • XWORM has been detected (SURICATA)

      • wininit.exe (PID: 752)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • wininit.exe (PID: 6900)
      • wininit.exe (PID: 752)

    • Process drops legitimate windows executable

      • wininit.exe (PID: 752)

    • Executable content was dropped or overwritten

      • wininit.exe (PID: 752)

    • Drops the executable file immediately after the start

      • wininit.exe (PID: 752)

    • Reads security settings of Internet Explorer

      • wininit.exe (PID: 752)

    • Reads the date of Windows installation

      • wininit.exe (PID: 752)

    • Connects to unusual port

      • wininit.exe (PID: 752)

    • Contacting a server suspected of hosting an CnC

      • wininit.exe (PID: 752)

  • INFO

    • Reads the machine GUID from the registry

      • wininit.exe (PID: 752)
      • RUXIMICS.exe (PID: 6232)

    • Checks supported languages

      • wininit.exe (PID: 752)
      • 0bmv0qaq.pjd.exe (PID: 4976)
      • RUXIMICS.exe (PID: 3140)
      • RUXIMICS.exe (PID: 6232)
      • PLUGScheduler.exe (PID: 6316)

    • Create files in a temporary directory

      • wininit.exe (PID: 752)

    • The process uses the downloaded file

      • wininit.exe (PID: 752)

    • Reads the computer name

      • wininit.exe (PID: 752)
      • 0bmv0qaq.pjd.exe (PID: 4976)
      • PLUGScheduler.exe (PID: 6316)

    • Process checks computer location settings

      • wininit.exe (PID: 752)

    • Reads the software policy settings

      • RUXIMICS.exe (PID: 6232)
      • lsass.exe (PID: 768)
      • wininit.exe (PID: 752)
      • WaaSMedicAgent.exe (PID: 2492)

    • Creates files in the program directory

      • RUXIMICS.exe (PID: 3140)
      • MusNotificationUx.exe (PID: 6580)
      • MusNotifyIcon.exe (PID: 1480)
      • MoUsoCoreWorker.exe (PID: 2120)

    • Disables trace logs

      • wininit.exe (PID: 752)

    • Reads Environment values

      • wininit.exe (PID: 752)

    • Checks proxy server information

      • wininit.exe (PID: 752)

    • Reads the time zone

      • MusNotificationUx.exe (PID: 6580)
      • MusNotifyIcon.exe (PID: 1480)
      • svchost.exe (PID: 2692)

    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 3984)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(752) wininit.exe
C22qlCBquhNK33mYdymtvIWu8Ha+uVowSgqhXgd2l+QnEQ/Q3jRjNfczxWObvahYK07At+B+Spx8qsFhk/rYGPWiu24KNn5kMPmyoFkkNARmMP3F/j2bexglMRyH3/j21R7XFWgFXuJ5B/CjP8wNafm4m/OumR9P/hDUGe2908MeQ=:%IP%
Keys
AES%Port%
Options
SplitterJsk3mL7bH+VopEBXuNQH8Q==
USB drop namemJapCH+jhZjTYvAEIwsbsQ==
Mutex2
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:10:05 05:32:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 218624
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0x375de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.4355
ProductVersionNumber: 10.0.19041.4355
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Windows Start-Up Application
FileVersion: 10.0.19041.4355 (WinBuild.160101.0800)
InternalName: WinInit
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WinInit.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.4355
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
100
Malicious processes
10
Suspicious processes
85

Behavior graph

Click at the process to see the details
start #XWORM wininit.exe 0bmv0qaq.pjd.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs ruximics.exe waasmedicagent.exe conhost.exe musnotificationux.exe musnotifyicon.exe wmiprvse.exe svchost.exe svchost.exe uhssvc.exe winlogon.exe lsass.exe runtimebroker.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe mousocoreworker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe officeclicktorun.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe applicationframehost.exe sihost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe svchost.exe svchost.exe ctfmon.exe dllhost.exe svchost.exe explorer.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe runtimebroker.exe dllhost.exe svchost.exe svchost.exe ruximics.exe taskhostw.exe plugscheduler.exe svchost.exe svchost.exe wininit.exe no specs musnotification.exe usoclient.exe

Process information

PID
CMD
Path
Indicators
Parent process
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
476C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
536"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\shlwapi.dll
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
752"C:\Users\admin\Desktop\wininit.exe" C:\Users\admin\Desktop\wininit.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Start-Up Application
Version:
10.0.19041.4355 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\wininit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(752) wininit.exe
C22qlCBquhNK33mYdymtvIWu8Ha+uVowSgqhXgd2l+QnEQ/Q3jRjNfczxWObvahYK07At+B+Spx8qsFhk/rYGPWiu24KNn5kMPmyoFkkNARmMP3F/j2bexglMRyH3/j21R7XFWgFXuJ5B/CjP8wNafm4m/OumR9P/hDUGe2908MeQ=:%IP%
Keys
AES%Port%
Options
SplitterJsk3mL7bH+VopEBXuNQH8Q==
USB drop namemJapCH+jhZjTYvAEIwsbsQ==
Mutex2
768C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
776C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
852"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1036C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1200C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbServiceC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
34 401
Read events
33 796
Write events
339
Delete events
266

Modification events

(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\pid
Operation:writeName:vtpgs5ac.i4w
Value:
752
(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\paths
Operation:writeName:vq414klr.ikk
Value:
C:\Users\admin\Desktop\wininit.exe
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\pid
Operation:writeName:f5rxf1ez.315
Value:
4976
(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\paths
Operation:writeName:kkuflriz.azj
Value:
C:\Users\admin\AppData\Local\Temp\0bmv0qaq.pjd.exe
(PID) Process:(5236) svchost.exeKey:\REGISTRY\A\{beea3fec-9b1c-dcb6-3634-08befcc9441e}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(5236) svchost.exeKey:\REGISTRY\A\{beea3fec-9b1c-dcb6-3634-08befcc9441e}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
Executable files
1
Suspicious files
43
Text files
7
Unknown types
23

Dropped files

PID
Process
Filename
Type
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.033.etletl
MD5:673727AF7C6805E869C9F8BE1E468F4A
SHA256:6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B
1620svchost.exeC:\Windows\Prefetch\SCHTASKS.EXE-5CA45734.pfbinary
MD5:AC2F440E6FD63E492063586EF76193BE
SHA256:4201CDA5F28A4A40784E3B68F0BB47571E6ACE7A1E5E552A77A7C69F35E62FB5
1316svchost.exeC:\Windows\System32\Tasks\Masonwininit.exexml
MD5:7480698A0FF7F05678C3F52CF8466F53
SHA256:22167DCB60CC79D6D2D0E30F903B181D0B9D3008EA9DF641E22FF47BC7BFA1B3
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.035.etletl
MD5:FA358BFEE9B4E1FFB7394D13CBBC4898
SHA256:6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22
1620svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:CDE50D83CFC1B34D8B21463F1FBD2254
SHA256:B72AC7296A90EA9CE4520DB3734EB0F9938A851264AF748A9EF8AC0AFD361203
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.030.etletl
MD5:868E79A00A8204448B2FFC4F4D5C08EA
SHA256:148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.024.etletl
MD5:FED961067F664B5381B65A534B7AB728
SHA256:652F31A8284AE812D1D9D24192BC800976BF74C240591C6AC443A28C4709FB7C
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.025.etletl
MD5:A23907B6FDD47DCABFDFD7CF2FCD7671
SHA256:0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.023.etletl
MD5:A7A21FBC9D00F33F186B34A50E170C13
SHA256:64CAC91E46D4FC832958232A658431CBF9D8D9F265653ACA2BEB32428D4688EC
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.020.etletl
MD5:8A2BDE0EAFA7E946196A1B114AB636E9
SHA256:1C338CBDD9316D7FD8F208341466FEDC554A04D489B3A86C736EC3831A2F2BA2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
62
DNS requests
8
Threats
50

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6876
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
6232
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
752
wininit.exe
162.19.58.156:443
i.ibb.co
OVH SAS
FR
shared
6876
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
752
wininit.exe
104.26.2.16:443
rentry.co
CLOUDFLARENET
US
suspicious
752
wininit.exe
147.185.221.18:36538
00000000000000000000004000055005.600000000000000003000000000870.000.pe
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
i.ibb.co
  • 162.19.58.156
  • 162.19.58.158
  • 162.19.58.157
  • 162.19.58.160
  • 162.19.58.161
  • 162.19.58.159
shared
rentry.co
  • 104.26.2.16
  • 104.26.3.16
  • 172.67.75.40
unknown
00000000000000000000004000055005.600000000000000003000000000870.000.pe
  • 147.185.221.18
unknown

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
Misc activity
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
wininit.exe