File name:

XWorm V6.0.7z

Full analysis: https://app.any.run/tasks/785e99bf-53d5-4c0c-97d2-aca3fbcc9a09
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as malware-as-a-service. It ships with an extensive feature set: it can collect private information and files from the infected computer, hijack MetaMask and Telegram accounts, and track user activity. XWorm is typically delivered through multi-stage attacks that begin with phishing emails.

Analysis date: December 15, 2025, 03:06:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xworm
ip-check
crypto-regex
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

41484B3861D3134E93DE13F9AAAACFA4

SHA1:

B4B707EF3AFF4361ABA77F2F9B42F964BAA23DEE

SHA256:

0C0FE862FCC63516531E2642FE2BC0792D0322F72724F8D667B89C56F546450E

SSDEEP:

98304:NKeVVL6wSsgu9NflKDLQMQ2V63aesK2wsYod+c9ZAa8WmkgH/5OJQ3Qns7ciIjNm:/fOP7FPgfwP5aurBRrZh9V8CZWXy40sh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XWORM has been detected (YARA)

      • XWorm V6.0.exe (PID: 8128)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7508)
      • XWorm V6.0.exe (PID: 8128)
    • Contains functionality to capture the public IP address (YARA)

      • XWorm V6.0.exe (PID: 8128)
    • The process creates files with names similar to system file names

      • WinRAR.exe (PID: 7508)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 7508)
    • Found regular expressions for crypto-addresses (YARA)

      • XWorm V6.0.exe (PID: 8128)
    • Contains functionality for taking screenshots (YARA)

      • XWorm V6.0.exe (PID: 8128)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7508)
    • Checks supported languages

      • XWorm V6.0.exe (PID: 8128)
    • Reads the computer name

      • XWorm V6.0.exe (PID: 8128)
    • Reads the machine GUID from the registry

      • XWorm V6.0.exe (PID: 8128)
    • Checks proxy server information

      • XWorm V6.0.exe (PID: 8128)
      • slui.exe (PID: 7344)
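The "Found regular expressions for crypto-addresses (YARA)" hit on XWorm V6.0.exe is the usual way a sandbox infers clipper (clipboard-hijacking) capability: the binary carries regexes describing wallet-address formats so it can recognise and swap addresses in clipboard text. The example below is added here and is not ANY.RUN's YARA logic nor code from this sample. It shows how to confirm such a hit yourself: extract ASCII and UTF-16LE strings from a byte blob (the process loads mscoree.dll, so it is a .NET assembly and its user strings are UTF-16LE), keep those that look like regexes, and test each one against publicly known example addresses. The sample blob is constructed, and the two address patterns (ETH_PATTERN, BTC_PATTERN) are illustrative, not patterns recovered from this file.

```python
import re

# Constructed sample input (not bytes from the analysed file): a few .NET-style
# UTF-16LE user strings and some ASCII strings, two of which are address regexes.
ETH_PATTERN = r"^0x[a-fA-F0-9]{40}$"
BTC_PATTERN = r"^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$"


def _u16(s: str) -> bytes:
    """UTF-16LE string followed by a two-byte terminator, as in a .NET #US heap."""
    return s.encode("utf-16-le") + b"\x00\x00"


SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + _u16("Clipboard")                                           # benign string
    + _u16(ETH_PATTERN)                                           # regex literal, UTF-16LE
    + b"\x00" * 4
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"    # benign ASCII string
    + BTC_PATTERN.encode("ascii") + b"\x00"                       # regex literal, ASCII
    + b"icon (1).ico\x00"                                         # filename, not a regex
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Publicly known example addresses, used only as probes to validate a candidate regex.
PROBES = {
    "btc_legacy": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",          # Bitcoin genesis-block address
    "eth": "0x0000000000000000000000000000000000000000",          # Ethereum zero address
}

# A string is worth compiling only if it carries regex syntax (character class or repetition).
REGEX_HINTS = ("[", "{")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE runs of at least 8 characters."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def find_address_regexes(blob: bytes) -> dict[str, list[str]]:
    """Map each extracted string that compiles as a regex and fully matches at least
    one probe address to the names of the probes it matched."""
    hits: dict[str, list[str]] = {}
    for s in extract_strings(blob):
        if not any(h in s for h in REGEX_HINTS):
            continue
        try:
            rx = re.compile(s)
        except re.error:
            continue
        matched = [name for name, addr in PROBES.items() if rx.fullmatch(addr)]
        if matched:
            hits[s] = matched
    return hits


if __name__ == "__main__":
    for pattern, kinds in find_address_regexes(SAMPLE_BLOB).items():
        print(f"{pattern!r} matches {', '.join(kinds)}")
```

Run the same function over the strings of a real unpacked sample; a hit that fully matches a well-formed address of a given coin is far stronger evidence of clipper logic than a loose substring match on "bitcoin" or "0x".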
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

explorer.exe -> WinRAR.exe (PID 7508) -> XWorm V6.0.exe (PID 8128, #XWORM)
svchost.exe -> slui.exe (PID 7344, no specs)

Process information

PID: 7344
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7508
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XWorm V6.0.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 8128
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\XWorm V6.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\XWorm V6.0.exe
Parent process: WinRAR.exe
User:
admin
Company:
t.me XCoderTools
Integrity Level:
MEDIUM
Description:
XWorm V6.0
Version:
6.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb7508.13983\xworm v6.0\xworm v6.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
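The process tree above is the classic "double-clicked a file inside an archive" chain: explorer.exe opens the .7z in WinRAR, and WinRAR stages the chosen file under %TEMP%\Rar$EXb7508.13983\ and executes it from there. That path is a cheap, high-signal detection on its own. The rule below is an added example, not ANY.RUN's signature code: it runs over constructed Sysmon-style process-creation events built from this report's PIDs, images and command lines (the parent PIDs of explorer.exe and svchost.exe are not in the report and are assumed). The list of archiver images is an assumption to extend for your own estate, and the reading of the Rar$EX temp-folder name as "<letter><WinRAR PID>.<counter>" is consistent with this report but treated as an assumption rather than documented WinRAR behaviour.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Constructed events modelled on this report's process tree
# (svchost.exe -> slui.exe 7344; explorer.exe -> WinRAR.exe 7508 -> XWorm V6.0.exe 8128).
# Parent PIDs 1000 and 2000 are placeholders; the report does not give them.
SAMPLE_EVENTS = [
    ProcEvent(7344, r"C:\Windows\System32\slui.exe",
              r"C:\WINDOWS\System32\slui.exe -Embedding",
              1000, r"C:\Windows\System32\svchost.exe"),
    ProcEvent(7508, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XWorm V6.0.7z"',
              2000, r"C:\Windows\explorer.exe"),
    ProcEvent(8128, r"C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\XWorm V6.0.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\XWorm V6.0.exe"',
              7508, r"C:\Program Files\WinRAR\WinRAR.exe"),
]

# GUI archivers whose child processes deserve scrutiny (assumed list).
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe", "peazip.exe"}

# WinRAR "open from archive" staging directory: %TEMP%\Rar$EX<letter><pid>.<n>\
# The digits before the dot are read as the WinRAR PID (assumption, matches this report).
RAR_TEMP = re.compile(r"\\Rar\$EX[a-z]?(?P<pid>\d+)\.\d+\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_archive_launch(ev: ProcEvent) -> list[str]:
    """Return the reasons this event looks like a file executed straight out of an archive."""
    reasons: list[str] = []
    parent = basename(ev.parent_image)
    if parent not in ARCHIVERS:
        return reasons
    reasons.append(f"spawned by archiver {parent} (PID {ev.parent_pid})")
    m = RAR_TEMP.search(ev.image)
    if m:
        reasons.append("image lives in a WinRAR temp extraction directory")
        if int(m.group("pid")) == ev.parent_pid:
            reasons.append(f"temp directory name embeds the parent PID {ev.parent_pid}")
    elif USER_TEMP.search(ev.image):
        reasons.append("image lives under the user's Temp directory")
    return reasons


def triage(events) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that trips the rule."""
    return {ev.pid: r for ev in events if (r := flag_archive_launch(ev))}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

Only PID 8128 trips the rule; slui.exe under svchost.exe and WinRAR.exe under explorer.exe are left alone. In production, feed this Sysmon Event ID 1 (or the EDR equivalent) and alert at the highest tier when all three reasons line up.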
Total events
6 726
Read events
6 717
Write events
9
Delete events
0

Modification events

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\XWorm V6.0.7z

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Note: WinRAR rewrites the whole ArcHistory list whenever a new archive is opened, so entry 0 is this run's sample and entries 1-3 (omni_23_10_2024_.zip, chromium_ext.zip, preferences.zip) are older archives from the sandbox image's history. They do not appear among this run's dropped files and should not be treated as artifacts of this sample.
Executable files
47
Suspicious files
3
Text files
21
Unknown types
0

Dropped files

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Icons\icon (1).ico
Type: image
MD5: 4F409511E9F93F175CD18187379E94CB
SHA256: 115F0DB669B624D0A7782A7CFAF6E7C17282D88DE3A287855DBD6FE0F8551A8F

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Icons\icon (13).ico
Type: image
MD5: E6FEC4185B607E01A938FA405E0A6C6C
SHA256: 2E2F17B7DD15007192E7CBBD0019355F8BE58068DC5042323123724B99AE4B44

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Icons\icon (12).ico
Type: image
MD5: 4EA9AB789F5AE96766E3F64C8A4E2480
SHA256: 84B48CA52DFCD7C74171CF291D2EF1247C3C7591A56B538083834D82857FEE50

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Icons\icon (2).ico
Type: image
MD5: F1463F4E1A6EF6CC6E290D46830D2DA1
SHA256: 142B529799268A753F5214265C53A26A7A6F8833B31640C90A69A4FF94CEE5EC

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Fixer V6.bat
Type: text
MD5: 2DABC46CE85AAFF29F22CD74EC074F86
SHA256: A11703FD47D16020FA099A95BB4E46247D32CF8821DC1826E77A971CDD3C4C55

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Background.png
Type: image
MD5: C93EE3ABEFF4AC24936471F80B36EC7A
SHA256: 2F691CAFF7E1980CFB069D2608B6470B3A06CDB90467CE47820E8602115A0C5B

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Icons\icon (10).ico
Type: image
MD5: AD1740CB3317527AA1ACAE6E7440311E
SHA256: 7A97547954AAAD629B0563CC78BCA75E3339E8408B70DA2ED67FA73B4935D878

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\GeoIP.dat
Type: binary
MD5: 8EF41798DF108CE9BD41382C9721B1C9
SHA256: BC07FF22D4EE0B6FAFCC12482ECF2981C172A672194C647CEDF9B4D215AD9740

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Icons\icon (14).ico
Type: image
MD5: 0C24EDEC606ABDA7C6570B7DCF439298
SHA256: 8FC693238AFC49A8098DAC1762BFAE891E818BB84749C6EEF5F1B0C6C8FFDDB2

PID 7508, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7508.13983\XWorm V6.0\Icons\icon (11).ico
Type: image
MD5: 1C2CEA154DEEDC5A39DAEC2F1DADF991
SHA256: 3B64B79E4092251EBF090164CD2C4815390F34849BBD76FB51085B6A13301B6D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
27
DNS requests
18
Threats
1

HTTP requests

PID 6768 MoUsoCoreWorker.exe | GET 304 | 20.73.194.208:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop

PID 6768 MoUsoCoreWorker.exe | GET 304 | 20.73.194.208:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30

PID 7304 SIHClient.exe | GET 200 | 20.242.39.171:443 | CN: US | Reputation: whitelisted
URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping

PID 7304 SIHClient.exe | GET 200 | 135.233.95.144:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/sls/ping

PID 7304 SIHClient.exe | GET 304 | 135.233.95.144:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

PID 3032 svchost.exe | POST 200 | 20.190.159.130:443 | CN: US | Type: xml, 11.1 Kb | Reputation: whitelisted
URL: https://login.live.com/RST2.srf

PID 3032 svchost.exe | GET 200 | 184.30.131.245:80 | CN: US | Type: binary, 471 b | Reputation: whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D

PID 3032 svchost.exe | POST 200 | 20.190.159.130:443 | CN: US | Type: xml, 11.0 Kb | Reputation: whitelisted
URL: https://login.live.com/RST2.srf

PID 3032 svchost.exe | POST 200 | 20.190.159.130:443 | CN: US | Type: xml, 10.3 Kb | Reputation: whitelisted
URL: https://login.live.com/RST2.srf

PID 7304 SIHClient.exe | GET 200 | 88.221.169.152:80 | CN: US | Type: binary, 419 b | Reputation: whitelisted
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl

Connections

PID 6508 svchost.exe -> 40.127.240.158:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 4 System -> 192.168.100.255:137 | Not routed | whitelisted
PID 6768 MoUsoCoreWorker.exe -> 40.127.240.158:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 2680 RUXIMICS.exe -> 40.127.240.158:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 4 System -> 192.168.100.255:138 | Not routed | whitelisted
PID 6508 svchost.exe -> 51.104.136.2:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 6508 svchost.exe -> 23.216.77.28:80 | crl.microsoft.com | ASN: AKAMAI-ASN1 | CN: NL | whitelisted
PID 6508 svchost.exe -> 23.52.181.212:80 | www.microsoft.com | ASN: AKAMAI-AS | CN: US | whitelisted
PID 3032 svchost.exe -> 20.190.159.130:443 | login.live.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 3032 svchost.exe -> 184.30.131.245:80 | ocsp.digicert.com | ASN: AKAMAI-AS | CN: US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
login.live.com
  • 20.190.159.130
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.129
  • 40.126.31.128
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.65
  • 48.192.1.64
whitelisted

Threats

Class: Unknown Traffic
Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
(No PID or process is attributed to this alert in the report.)
No debug info
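Everything in the HTTP, Connections and DNS tables above is attributed to Windows system processes (svchost.exe, MoUsoCoreWorker.exe, SIHClient.exe, RUXIMICS.exe, System) rather than to the three monitored PIDs, and the one IDS alert is on a Dr Watson user-agent with no process attached. The script below is an added example, not part of the ANY.RUN report, that makes that triage mechanical: it takes the Connections and DNS rows as copied from this page (constructed input), separates traffic of the monitored PIDs from local broadcast and from Windows/PKI background domains, and reports any DNS lookup that falls outside that background. The background-suffix allowlist is an assumption for illustration. Two caveats a practitioner should keep in mind: the Connections table shows 10 of the 27 connections the report counts and the HTTP table 10 of 24, so "no sample traffic in the displayed rows" is not the same as "no sample traffic"; the PCAP in the full report is the authority.

```python
import ipaddress

# The three processes ANY.RUN monitored in this run.
MONITORED_PIDS = {7344, 7508, 8128}

# Constructed input: the rows of this report's Connections table, as (pid, process, remote, domain).
CONNECTIONS = [
    (6508, "svchost.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:137", None),
    (6768, "MoUsoCoreWorker.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (2680, "RUXIMICS.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (6508, "svchost.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (6508, "svchost.exe", "23.216.77.28:80", "crl.microsoft.com"),
    (6508, "svchost.exe", "23.52.181.212:80", "www.microsoft.com"),
    (3032, "svchost.exe", "20.190.159.130:443", "login.live.com"),
    (3032, "svchost.exe", "184.30.131.245:80", "ocsp.digicert.com"),
]

# Constructed input: the domains of this report's DNS requests table.
DNS_REQUESTS = [
    "settings-win.data.microsoft.com", "google.com", "crl.microsoft.com", "www.microsoft.com",
    "login.live.com", "ocsp.digicert.com", "client.wns.windows.com",
    "slscr.update.microsoft.com", "fe3cr.delivery.mp.microsoft.com",
    "activation-v2.sls.microsoft.com",
]

# Domains treated as Windows update/telemetry/activation and PKI background noise.
# This allowlist is an assumption for illustration, not something the report states.
BACKGROUND_SUFFIXES = ("microsoft.com", "windows.com", "live.com", "digicert.com")


def is_background(domain):
    """True when the domain is, or is under, one of the background suffixes."""
    return domain is not None and any(
        domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES
    )


def triage_network(connections, dns_requests, monitored_pids):
    """Bucket each connection, then list DNS lookups that the allowlist does not explain."""
    out = {"sample": [], "local": [], "background": [], "unexplained": [], "other_lookups": []}
    for pid, proc, remote, domain in connections:
        host, _, port = remote.rpartition(":")
        addr = ipaddress.ip_address(host)
        row = {"pid": pid, "process": proc, "remote": remote, "domain": domain}
        if pid in monitored_pids:           # monitored PIDs come first, whatever the destination
            out["sample"].append(row)
        elif addr.is_private or addr.is_link_local or addr.is_multicast:
            out["local"].append(row)        # e.g. NetBIOS broadcast on 192.168.100.255
        elif is_background(domain):
            out["background"].append(row)
        else:
            out["unexplained"].append(row)
    out["other_lookups"] = [d for d in dns_requests if not is_background(d)]
    return out


if __name__ == "__main__":
    result = triage_network(CONNECTIONS, DNS_REQUESTS, MONITORED_PIDS)
    for bucket in ("sample", "unexplained", "other_lookups"):
        print(f"{bucket}: {result[bucket]}")
    print(f"background rows: {len(result['background'])}, local rows: {len(result['local'])}")
```

On this report the "sample" and "unexplained" buckets come back empty and the only lookup outside the allowlist is google.com, which has no connection row and no PID attached to it; that is where a second look at the PCAP would start.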