File name:

wininit.exe

Full analysis: https://app.any.run/tasks/06831027-abb2-487e-8a47-210bace4d89c
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: August 31, 2024, 12:02:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xworm
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

4FEE425A99EF065FA6622BD5DAB95224

SHA1:

E353F7A83D466AB2CA4965EA568890FE2AA18677

SHA256:

D09A2809DB93D0BA804BB1025E1730A5B05E3B818D5303F59E81F9ABE3A4A5DC

SSDEEP:

6144:VZY4SQnodizj0u2qUmMrV5GRcYNDH0PC/A6aJz9bDg/UoOcq:VO4SQnAizj+mY7GRcYNDH0a/AZJzFg/Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • wininit.exe (PID: 752)

    • Application was injected by another process

      • lsass.exe (PID: 768)
      • svchost.exe (PID: 476)
      • dwm.exe (PID: 852)
      • svchost.exe (PID: 1200)
      • svchost.exe (PID: 1036)
      • svchost.exe (PID: 1208)
      • svchost.exe (PID: 1408)
      • svchost.exe (PID: 1272)
      • svchost.exe (PID: 1600)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 1620)
      • svchost.exe (PID: 1472)
      • svchost.exe (PID: 1816)
      • svchost.exe (PID: 1796)
      • svchost.exe (PID: 1508)
      • svchost.exe (PID: 1628)
      • svchost.exe (PID: 2000)
      • svchost.exe (PID: 1864)
      • svchost.exe (PID: 1872)
      • svchost.exe (PID: 2160)
      • winlogon.exe (PID: 684)
      • svchost.exe (PID: 1588)
      • svchost.exe (PID: 2072)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2344)
      • svchost.exe (PID: 2312)
      • svchost.exe (PID: 2184)
      • svchost.exe (PID: 2496)
      • spoolsv.exe (PID: 2592)
      • svchost.exe (PID: 2304)
      • svchost.exe (PID: 2692)
      • svchost.exe (PID: 2412)
      • svchost.exe (PID: 2788)
      • svchost.exe (PID: 3020)
      • svchost.exe (PID: 3012)
      • OfficeClickToRun.exe (PID: 2656)
      • svchost.exe (PID: 3056)
      • svchost.exe (PID: 2968)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 3200)
      • svchost.exe (PID: 3220)
      • svchost.exe (PID: 3496)
      • svchost.exe (PID: 3260)
      • svchost.exe (PID: 3340)
      • dasHost.exe (PID: 3692)
      • svchost.exe (PID: 3888)
      • svchost.exe (PID: 3548)
      • svchost.exe (PID: 3408)
      • svchost.exe (PID: 4140)
      • svchost.exe (PID: 4184)
      • sihost.exe (PID: 4112)
      • svchost.exe (PID: 4332)
      • svchost.exe (PID: 4300)
      • ctfmon.exe (PID: 4356)
      • explorer.exe (PID: 4552)
      • svchost.exe (PID: 4532)
      • svchost.exe (PID: 4808)
      • RuntimeBroker.exe (PID: 4244)
      • MoUsoCoreWorker.exe (PID: 2120)
      • svchost.exe (PID: 5416)
      • RuntimeBroker.exe (PID: 5560)
      • dllhost.exe (PID: 3312)
      • dllhost.exe (PID: 5568)
      • svchost.exe (PID: 4324)
      • ApplicationFrameHost.exe (PID: 4052)
      • RuntimeBroker.exe (PID: 776)
      • UserOOBEBroker.exe (PID: 2744)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 1824)
      • svchost.exe (PID: 5236)
      • dllhost.exe (PID: 4424)
      • uhssvc.exe (PID: 536)
      • svchost.exe (PID: 5988)
      • svchost.exe (PID: 5036)
      • svchost.exe (PID: 5256)
      • svchost.exe (PID: 6780)
      • svchost.exe (PID: 5180)
      • svchost.exe (PID: 6564)
      • PLUGScheduler.exe (PID: 6316)
      • MusNotification.exe (PID: 6948)
      • UsoClient.exe (PID: 6968)
      • taskhostw.exe (PID: 6264)
      • svchost.exe (PID: 2996)
      • RUXIMICS.exe (PID: 3140)
      • svchost.exe (PID: 1332)
      • RUXIMICS.exe (PID: 6232)
      • conhost.exe (PID: 2684)
      • WaaSMedicAgent.exe (PID: 2492)
      • MusNotifyIcon.exe (PID: 1480)
      • WmiPrvSE.exe (PID: 3984)
      • svchost.exe (PID: 5624)
      • svchost.exe (PID: 3568)
      • MusNotificationUx.exe (PID: 6580)

    • Runs injected code in another process

      • 0bmv0qaq.pjd.exe (PID: 4976)

    • XWORM has been detected (YARA)

      • wininit.exe (PID: 752)

    • XWORM has been detected (SURICATA)

      • wininit.exe (PID: 752)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • wininit.exe (PID: 752)

    • Starts a Microsoft application from unusual location

      • wininit.exe (PID: 6900)
      • wininit.exe (PID: 752)

    • Executable content was dropped or overwritten

      • wininit.exe (PID: 752)

    • Drops the executable file immediately after the start

      • wininit.exe (PID: 752)

    • Reads security settings of Internet Explorer

      • wininit.exe (PID: 752)

    • Reads the date of Windows installation

      • wininit.exe (PID: 752)

    • Connects to unusual port

      • wininit.exe (PID: 752)

    • Contacting a server suspected of hosting an CnC

      • wininit.exe (PID: 752)

  • INFO

    • Checks supported languages

      • wininit.exe (PID: 752)
      • 0bmv0qaq.pjd.exe (PID: 4976)
      • RUXIMICS.exe (PID: 3140)
      • PLUGScheduler.exe (PID: 6316)
      • RUXIMICS.exe (PID: 6232)

    • Reads the computer name

      • wininit.exe (PID: 752)
      • 0bmv0qaq.pjd.exe (PID: 4976)
      • PLUGScheduler.exe (PID: 6316)

    • Reads the machine GUID from the registry

      • wininit.exe (PID: 752)
      • RUXIMICS.exe (PID: 6232)

    • Create files in a temporary directory

      • wininit.exe (PID: 752)

    • The process uses the downloaded file

      • wininit.exe (PID: 752)

    • Process checks computer location settings

      • wininit.exe (PID: 752)

    • Creates files in the program directory

      • RUXIMICS.exe (PID: 3140)
      • MusNotificationUx.exe (PID: 6580)
      • MoUsoCoreWorker.exe (PID: 2120)
      • MusNotifyIcon.exe (PID: 1480)

    • Reads the software policy settings

      • RUXIMICS.exe (PID: 6232)
      • lsass.exe (PID: 768)
      • wininit.exe (PID: 752)
      • WaaSMedicAgent.exe (PID: 2492)

    • Reads Environment values

      • wininit.exe (PID: 752)

    • Disables trace logs

      • wininit.exe (PID: 752)

    • Checks proxy server information

      • wininit.exe (PID: 752)

    • Reads the time zone

      • MusNotificationUx.exe (PID: 6580)
      • MusNotifyIcon.exe (PID: 1480)
      • svchost.exe (PID: 2692)

    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 3984)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(752) wininit.exe
C22qlCBquhNK33mYdymtvIWu8Ha+uVowSgqhXgd2l+QnEQ/Q3jRjNfczxWObvahYK07At+B+Spx8qsFhk/rYGPWiu24KNn5kMPmyoFkkNARmMP3F/j2bexglMRyH3/j21R7XFWgFXuJ5B/CjP8wNafm4m/OumR9P/hDUGe2908MeQ=:%IP%
Keys
AES%Port%
Options
SplitterJsk3mL7bH+VopEBXuNQH8Q==
USB drop namemJapCH+jhZjTYvAEIwsbsQ==
Mutex2
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:10:05 05:32:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 218624
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0x375de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.4355
ProductVersionNumber: 10.0.19041.4355
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Windows Start-Up Application
FileVersion: 10.0.19041.4355 (WinBuild.160101.0800)
InternalName: WinInit
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WinInit.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.4355
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
100
Malicious processes
10
Suspicious processes
85

Behavior graph

Click at the process to see the details
start #XWORM wininit.exe 0bmv0qaq.pjd.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs ruximics.exe waasmedicagent.exe conhost.exe musnotificationux.exe musnotifyicon.exe wmiprvse.exe svchost.exe svchost.exe uhssvc.exe winlogon.exe lsass.exe runtimebroker.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe mousocoreworker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe officeclicktorun.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe applicationframehost.exe sihost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe svchost.exe svchost.exe ctfmon.exe dllhost.exe svchost.exe explorer.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe runtimebroker.exe dllhost.exe svchost.exe svchost.exe ruximics.exe taskhostw.exe plugscheduler.exe svchost.exe svchost.exe wininit.exe no specs musnotification.exe usoclient.exe

Process information

PID
CMD
Path
Indicators
Parent process
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
476C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
536"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\shlwapi.dll
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
752"C:\Users\admin\Desktop\wininit.exe" C:\Users\admin\Desktop\wininit.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Start-Up Application
Version:
10.0.19041.4355 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\wininit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(752) wininit.exe
C22qlCBquhNK33mYdymtvIWu8Ha+uVowSgqhXgd2l+QnEQ/Q3jRjNfczxWObvahYK07At+B+Spx8qsFhk/rYGPWiu24KNn5kMPmyoFkkNARmMP3F/j2bexglMRyH3/j21R7XFWgFXuJ5B/CjP8wNafm4m/OumR9P/hDUGe2908MeQ=:%IP%
Keys
AES%Port%
Options
SplitterJsk3mL7bH+VopEBXuNQH8Q==
USB drop namemJapCH+jhZjTYvAEIwsbsQ==
Mutex2
768C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
776C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
852"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1036C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1200C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbServiceC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
34 401
Read events
33 796
Write events
339
Delete events
266

Modification events

(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\pid
Operation:writeName:vtpgs5ac.i4w
Value:
752
(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\paths
Operation:writeName:vq414klr.ikk
Value:
C:\Users\admin\Desktop\wininit.exe
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(752) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\pid
Operation:writeName:f5rxf1ez.315
Value:
4976
(PID) Process:(752) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Masonconfig\paths
Operation:writeName:kkuflriz.azj
Value:
C:\Users\admin\AppData\Local\Temp\0bmv0qaq.pjd.exe
(PID) Process:(5236) svchost.exeKey:\REGISTRY\A\{beea3fec-9b1c-dcb6-3634-08befcc9441e}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(5236) svchost.exeKey:\REGISTRY\A\{beea3fec-9b1c-dcb6-3634-08befcc9441e}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
Executable files
1
Suspicious files
43
Text files
7
Unknown types
23

Dropped files

PID
Process
Filename
Type
752wininit.exeC:\Users\admin\AppData\Local\Temp\0bmv0qaq.pjd.exeexecutable
MD5:94F1AB3A068F83B32639579EC9C5D025
SHA256:879CC20B41635709BB304E315AAA5CA4708B480A1BFC2F4935FCF2215188EFB0
1316svchost.exeC:\Windows\System32\Tasks\Masonwininit.exexml
MD5:7480698A0FF7F05678C3F52CF8466F53
SHA256:22167DCB60CC79D6D2D0E30F903B181D0B9D3008EA9DF641E22FF47BC7BFA1B3
1620svchost.exeC:\Windows\Prefetch\SCHTASKS.EXE-5CA45734.pfbinary
MD5:AC2F440E6FD63E492063586EF76193BE
SHA256:4201CDA5F28A4A40784E3B68F0BB47571E6ACE7A1E5E552A77A7C69F35E62FB5
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.035.etletl
MD5:FA358BFEE9B4E1FFB7394D13CBBC4898
SHA256:6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.032.etletl
MD5:079890A8EC8D5CB6523FCEC2209780AA
SHA256:0E12D2D76DD738CE196BED522E35F75E2CC91294F78CDDCBE8CE7787AAA70049
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.033.etletl
MD5:673727AF7C6805E869C9F8BE1E468F4A
SHA256:6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B
1620svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:CDE50D83CFC1B34D8B21463F1FBD2254
SHA256:B72AC7296A90EA9CE4520DB3734EB0F9938A851264AF748A9EF8AC0AFD361203
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.029.etletl
MD5:44A0E917AD0C126931B1BCD959285A9A
SHA256:DDFBE47E7DFD6D8B7517F2F6FF9808ECF3C0A25F588A9F96D04F4E2B4A578573
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.031.etletl
MD5:2F36C598EBFF5B5CDD898C9691D6BCCB
SHA256:8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50
3140RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.022.etletl
MD5:89BD161BF7B46C9078937CF832786737
SHA256:2B83DF5532E9F54ED301C8F82E2CDD489799C8D5222A2D44C97DCB151A96FAA9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
62
DNS requests
8
Threats
50

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.96.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
GET
188.114.97.3:443
https://i.ibb.co/Dwrj41N/Image.png
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6876
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
6232
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
752
wininit.exe
162.19.58.156:443
i.ibb.co
OVH SAS
FR
shared
6876
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
752
wininit.exe
104.26.2.16:443
rentry.co
CLOUDFLARENET
US
suspicious
752
wininit.exe
147.185.221.18:36538
00000000000000000000004000055005.600000000000000003000000000870.000.pe
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
i.ibb.co
  • 162.19.58.156
  • 162.19.58.158
  • 162.19.58.157
  • 162.19.58.160
  • 162.19.58.161
  • 162.19.58.159
shared
rentry.co
  • 104.26.2.16
  • 104.26.3.16
  • 172.67.75.40
unknown
00000000000000000000004000055005.600000000000000003000000000870.000.pe
  • 147.185.221.18
unknown

Threats

PID
Process
Class
Message
752
wininit.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
2256
svchost.exe
Misc activity
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
752
wininit.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
752
wininit.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
752
wininit.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
752
wininit.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
752
wininit.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
752
wininit.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
752
wininit.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm Network Packet
752
wininit.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
wininit.exe