Field | Value |
---|---|
File name | xWormClient.exe |
Full analysis | https://app.any.run/tasks/29569bed-bd8f-4d8f-8c77-de878853f525 |
Verdict | Malicious activity |
Threats | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
Analysis date | April 15, 2025, 17:33:28 |
OS | Windows 10 Professional (build: 19044, 64 bit) |
Tags | — |
Indicators | — |
MIME | application/vnd.microsoft.portable-executable |
File info | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
MD5 | 5EEB3A1F1BD4BFD02F1A58625D20B72D |
SHA1 | 9E9C368D5A68922CE486318AD21E3A01D4A7B3D1 |
SHA256 | 0C5FF0AA181B189C7C924BC44B008AF4C4AECC7B1E9B15A2A18711C062C4EBAF |
SSDEEP | 196608:iDnlLhOK0xcdlJHUqGtgoijF5u9VP6ioePsR3MaT4eXfHz5oZI:mb0xcd0qGtDPtvPm3MaT4eP9oZI |

Extension | Description | Match (%) |
---|---|---|
.exe | Win64 Executable (generic) | 87.3 |
.exe | Generic Win/DOS Executable | 6.3 |
.exe | DOS Executable Generic | 6.3 |

Property | Value |
---|---|
MachineType | AMD AMD64 |
TimeStamp | 2025:04:15 08:17:15+00:00 |
ImageFileCharacteristics | Executable, Large address aware |
PEType | PE32+ |
LinkerVersion | 14.42 |
CodeSize | 173568 |
InitializedDataSize | 116224 |
UninitializedDataSize | — |
EntryPoint | 0xce20 |
OSVersion | 6 |
ImageVersion | — |
SubsystemVersion | 6 |
Subsystem | Windows GUI |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 10.0.19041.1 (WinBuild.160101.0800) |
4040 | "C:\ProgramData\roblox.exe" | C:\ProgramData\roblox.exe | | xWormConnection.exe | User: admin; Integrity Level: HIGH |
6040 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | UCPDMgr.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
6620 | "C:\WINDOWS\system32\UCPDMgr.exe" | C:\Windows\System32\UCPDMgr.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: User Choice Protection Manager; Exit code: 0; Version: 1.0.0.414301 |
7304 | "C:\Users\admin\Desktop\xWormClient.exe" | C:\Users\admin\Desktop\xWormClient.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM |
7324 | "C:\Users\admin\Desktop\xWormClient.exe" | C:\Users\admin\Desktop\xWormClient.exe | | xWormClient.exe | User: admin; Integrity Level: MEDIUM |
7352 | C:\WINDOWS\system32\cmd.exe /c "C:\programdata\xWormConnection.exe" | C:\Windows\System32\cmd.exe | — | xWormClient.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
7360 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
7408 | C:\programdata\xWormConnection.exe | C:\ProgramData\xWormConnection.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Description: csharp_defenderbypass denmesi sonra sil ise yaramazsa (Turkish, roughly: "csharp_defenderbypass to be tried; delete afterwards if it does not work"); Exit code: 0; Version: 1.0.0.0 |
7432 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | UCPDMgr.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |

PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths | C:\ProgramData | 0 |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32 | EnableFileTracing | 0 |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32 | EnableAutoFileTracing | 0 |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32 | EnableConsoleTracing | 0 |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32 | FileTracingMask | |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32 | ConsoleTracingMask | |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32 | MaxFileSize | 1048576 |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASAPI32 | FileDirectory | %windir%\tracing |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASMANCS | EnableFileTracing | 0 |
7508 | xWormConnection.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xWormConnection_RASMANCS | EnableAutoFileTracing | 0 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\VCRUNTIME140.dll | executable | F34EB034AA4A9735218686590CBA2E8B | 9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1 |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_bz2.pyd | executable | FF52C3B3EF7549A1D89070E8649F8ED2 | 69D181C25797E994A9961C9F40DC57D04F8391C4FD83D412D23162FB4BEB4FD7 |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_hashlib.pyd | executable | 244AC279950597392F9A9133A976F20B | 0E39DD9B6F307F6C43F25444492B7913039EA86C84E82715863FB2BF6C1CF4F4 |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_decimal.pyd | executable | A9E4C6C68E20518E4301A865A6387C4A | 23D9216D09ABE0DCF7F9D31DB37239F2BCDCDA1954EBE0E8FE094C905F071C1C |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_lzma.pyd | executable | 9C52741FCDEE40F2B8A44E7CC0431BC3 | 63C20B51C3A15603A37169EBD48EC55D7F3EDB6AAE287B9B140A13806932B8EC |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-datetime-l1-1-0.dll | executable | 557405C47613DE66B111D0E2B01F2FDB | 913EAAA7997A6AEE53574CFFB83F9C9C1700B1D8B46744A5E12D76A1E53376FD |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-console-l1-1-0.dll | executable | 07EBE4D5CEF3301CCF07430F4C3E32D8 | 8F8B79150E850ACC92FD6AAB614F6E3759BEA875134A62087D5DD65581E3001F |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\_socket.pyd | executable | 02330613585155BAA15B57E33B6A1753 | 5E850AA502E15B8DC02DD44095E112BB97AA9BE12D21E73025AF323413C03F81 |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-debug-l1-1-0.dll | executable | 624401F31A706B1AE2245EB19264DC7F | 58A8D69DF60ECBEE776CD9A74B2A32B14BF2B0BD92D527EC5F19502A0D3EB8E9 |
7304 | xWormClient.exe | C:\Users\admin\AppData\Local\Temp\_MEI73042\api-ms-win-core-file-l1-1-0.dll | executable | 0F7D418C05128246AFA335A1FB400CB9 | 5C9BC70586AD538B0DF1FCF5D6F1F3527450AE16935AA34BD7EB494B4F1B2DB9 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7904 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7904 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
7508 | xWormConnection.exe | GET | 200 | 193.38.34.5:80 | http://freegifts.com.tr/apps/roblox.exe | unknown | — | — | — |
4040 | roblox.exe | POST | — | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown | — | — | — |
4040 | roblox.exe | POST | — | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown | — | — | — |
4040 | roblox.exe | POST | — | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown | — | — | — |
4040 | roblox.exe | POST | — | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown | — | — | — |
4040 | roblox.exe | POST | — | 172.232.216.95:80 | http://ozmo54.a.pinggy.link/Collector/2.0/settings/ | unknown | — | — | — |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
7904 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7904 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |

Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com | | whitelisted |
google.com | | whitelisted |
crl.microsoft.com | | whitelisted |
client.wns.windows.com | | whitelisted |
login.live.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
slscr.update.microsoft.com | | whitelisted |
www.microsoft.com | | whitelisted |
fe3cr.delivery.mp.microsoft.com | | whitelisted |
canarytokens.com | | malicious |

PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Python Suspicious User Agent |
— | — | Potential Corporate Privacy Violation | INFO [ANY.RUN] Request to Canary Token Service Has Been Detected |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request |
— | — | Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request |
— | — | Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request |
— | — | Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request |
— | — | Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request |
— | — | Malware Command and Control Activity Detected | ET MALWARE Havoc Demon CnC Request |