File name: xDedic IP Scanner.exe

Full analysis: https://app.any.run/tasks/d2749873-e8e4-426d-a353-7adef29a5f33
Verdict: Malicious activity
Analysis date: November 07, 2023, 17:39:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4C1FAD66304C42438249A4A38EE53DBC
SHA1: 23F98C00CEA9650DC1C56FFB106F458021199DD6
SHA256: DDF796664716DBF2D9D90EB21E3D4C69465B52D0D76F64669B5F3CC8C9A585B9
SSDEEP: 49152:tM5aAc9Nd0h5PmOl7BwfRLJRwpecccPNw1jlBfYzYa9ToPB6YRh94OR02tz6nGTF:tM5Y0h4O8LLQ9P2hlBfYzb9TsgY394ON

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • xDedic IP Scanner.exe (PID: 3140)
      • svchost.exe (PID: 3512)
    • Create files in the Startup directory
      • svchost.exe (PID: 3512)
  • SUSPICIOUS
    • Reads the Internet Settings
      • xDedic IP Scanner.exe (PID: 3140)
    • Reads Microsoft Outlook installation path
      • xDedic IP Scanner.exe (PID: 3140)
    • Reads Internet Explorer settings
      • xDedic IP Scanner.exe (PID: 3140)
    • The process creates files with name similar to system file names
      • xDedic IP Scanner.exe (PID: 3140)
      • svchost.exe (PID: 3512)
    • Creates executable files that already exist in Windows
      • xDedic IP Scanner.exe (PID: 3140)
      • svchost.exe (PID: 3512)
  • INFO
    • Checks supported languages
      • wmpnscfg.exe (PID: 3440)
      • xDedic IP Scanner.exe (PID: 3140)
      • svchost.exe (PID: 3512)
    • Reads the machine GUID from the registry
      • wmpnscfg.exe (PID: 3440)
      • xDedic IP Scanner.exe (PID: 3140)
      • svchost.exe (PID: 3512)
    • Checks proxy server information
      • xDedic IP Scanner.exe (PID: 3140)
    • Reads the computer name
      • wmpnscfg.exe (PID: 3440)
      • xDedic IP Scanner.exe (PID: 3140)
      • svchost.exe (PID: 3512)
    • Create files in a temporary directory
      • xDedic IP Scanner.exe (PID: 3140)
    • Creates files or folders in the user directory
      • svchost.exe (PID: 3512)
No Malware configuration.

TRiD

Extension | File type | Match (%)
.exe | Win64 Executable (generic) | 64.6
.dll | Win32 Dynamic Link Library (generic) | 15.4
.exe | Win32 Executable (generic) | 10.5
.exe | Generic Win/DOS Executable | 4.6
.exe | DOS Executable Generic | 4.6

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:14 21:15:49+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 188416
InitializedDataSize: 196096
UninitializedDataSize: -
EntryPoint: 0x1cab5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: start → xdedic ip scanner.exe (no specs), svchost.exe, wmpnscfg.exe (no specs)

Process information

PID: 3140
CMD: "C:\Users\admin\AppData\Local\Temp\xDedic IP Scanner.exe"
Path: C:\Users\admin\AppData\Local\Temp\xDedic IP Scanner.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\xdedic ip scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll

PID: 3440
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll

PID: 3512
CMD: "C:\Users\admin\AppData\Local\Temp\svchost.exe"
Path: C:\Users\admin\AppData\Local\Temp\svchost.exe
Parent process: xDedic IP Scanner.exe
User: admin
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 1152
Read events: 1139
Write events: 10
Delete events: 3

Modification events

(PID) Process: (3440) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D781F88E-B10B-4534-A09E-690BBE9CE8B4}\{8578CC3A-0438-4087-8F82-D1A324CC6941}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3440) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D781F88E-B10B-4534-A09E-690BBE9CE8B4}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3440) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{CF6B7DA6-DD6D-4944-A393-9639369FCADE}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3140) xDedic IP Scanner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3140) xDedic IP Scanner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3140) xDedic IP Scanner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3140) xDedic IP Scanner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3140) xDedic IP Scanner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3140) xDedic IP Scanner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 4
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID: 3140, Process: xDedic IP Scanner.exe
Filename: C:\Users\admin\AppData\Local\Temp\learn all kind of hacking.url
Type: binary
MD5: 7ADE4A739CBD8F44D0EF52A2F1BC6E7B
SHA256: CC7649ED53C65E4851ACE414529564FE16801BB2BED4CB15588BFD6B4AC13616

PID: 3140, Process: xDedic IP Scanner.exe
Filename: C:\Users\admin\AppData\Local\Temp\Home - blankhack.url
Type: binary
MD5: 4A4418C24D2F2A9DEEE8046363BDD28F
SHA256: 55DFE247F8FD6A8B0B66B3CB61FEEAE96D0B357338CD95771E89897AAC1A6839

PID: 3140, Process: xDedic IP Scanner.exe
Filename: C:\Users\admin\AppData\Local\Temp\Home - cybergoons.url
Type: binary
MD5: EF51820E228C5BBCF9AABE92E747782E
SHA256: 59AC2D12EA4559253FA25F2D367F75B7689BB7B772965101903063F646AE9B4D

PID: 3140, Process: xDedic IP Scanner.exe
Filename: C:\Users\admin\AppData\Local\Temp\svchost.exe
Type: executable
MD5: F83C1904404D2B40622D28A5C05420F9
SHA256: 58FA8679EB278C0FBE4B9348E61CD274234037AF160878289A988260EAF6246E

PID: 3140, Process: xDedic IP Scanner.exe
Filename: C:\Users\admin\AppData\Local\Temp\main.cfg
Type: text
MD5: A3FAD363B036EC26BA075316790CDE7C
SHA256: DAB8C92FC1BA139A2F5D949354BBE1C35AE8CC35F0859F0E94EAAE938F22FE1F

PID: 3140, Process: xDedic IP Scanner.exe
Filename: C:\Users\admin\AppData\Local\Temp\xDedicIPScanner.exe
Type: executable
MD5: 1A587D17A73D21AD4328E2AC0CAE9AC4
SHA256: 653A4C89821339CE60F62FF59A4C3DE041C982F70A7BC9A6C4F621963458DF2A

PID: 3140, Process: xDedic IP Scanner.exe
Filename: C:\Users\admin\AppData\Local\Temp\gbpast - Login.url
Type: binary
MD5: 4A4F5BE9370E206241BB73BFC2367F3C
SHA256: 210F2EE620FE51ACDBE59BBA7BB4ACBDE397034818B09156F6F0874B016A5B18

PID: 3512, Process: svchost.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Type: executable
MD5: F83C1904404D2B40622D28A5C05420F9
SHA256: 58FA8679EB278C0FBE4B9348E61CD274234037AF160878289A988260EAF6246E
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info