File name:	awp.gg.exe
Full analysis:	https://app.any.run/tasks/61c602f5-2604-48ef-9a72-7c3f48f3155c
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	February 19, 2025, 14:46:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	roblox evasion remote xworm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:	EE8945C63BBD30C8204D181E33F5947C
SHA1:	1BD4CE53521F0DF5619E6CCC676A3778C7790B23
SHA256:	388760280F235E469A54589041C820FB0E2D14D116CD0331534EF0BA76C7446B
SSDEEP:	98304:vW+Ujw/vR3ehcyQEzYWO3zBxEJPON5RRNdf/3yXx+EqTFlDoWsnJ+mUSH+Ln6GaC:j5cJFUeWGcxA45Ll

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:02:19 10:29:15+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	11
CodeSize:	7928832
InitializedDataSize:	23552
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	awp.gg.exe
LegalCopyright:
OriginalFileName:	awp.gg.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6368) awp.gg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XClient
Value: C:\Users\admin\AppData\Local\Temp\XClient.exe
(PID) Process:	(7040) tool.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\RobloxExec
Operation:	write	Name:	settings
Value: 1
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7012) XClient.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\XClient_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

PID	Process	Filename		Type
7012	XClient.exe	C:\Users\admin\AppData\Local\DAX3API		executable
		MD5:4D2442BFBF19FAB8C001F3F4EF7A6061	SHA256:CA5D485DC576F6DC284E426F46D555822F71DDB31F190340892C33686F42E0EC
6368	awp.gg.exe	C:\Users\admin\AppData\Local\Temp\tool.exe		executable
		MD5:DCFB3864861147A02575AEDA7AC48DBB	SHA256:38917AFBF4FD34AF26909651D9A0C5808E18F8655186B475880B7E3E45D32EBA
7012	XClient.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DAX3API.lnk		binary
		MD5:82F234D1F32771996B97D5F04C388618	SHA256:D37C01095A844A42E0E4779517AA312DF2CF8D8800B991066DFDB98528AE5D23
7012	XClient.exe	C:\Users\admin\AppData\Local\Temp\tmp633D.tmp.bat		text
		MD5:7246157DC54838CA14E15F717369B049	SHA256:5622448BFF241F8DECD17B5B244AAB051CAA17181FE65556EDE715D096B5E45F
6484	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zgx4t0vp.f5j.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6484	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mkqudrog.exd.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6484	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:E644867C939344EEA3DA85DCC9FDD342	SHA256:62D38EE64D18962E7EA381743F2E395411D9D5AC9517F6DA47554C18BA4894AA
6368	awp.gg.exe	C:\Users\admin\AppData\Local\Temp\XClient.exe		executable
		MD5:4D2442BFBF19FAB8C001F3F4EF7A6061	SHA256:CA5D485DC576F6DC284E426F46D555822F71DDB31F190340892C33686F42E0EC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7012	XClient.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	whitelisted
—	—	POST	204	2.16.110.123:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7012	XClient.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
5064	SearchApp.exe	2.16.110.121:443	www.bing.com	Akamai International B.V.	DE	whitelisted
7012	XClient.exe	147.185.221.25:62843	doing-pupils.gl.at.ply.gg	PLAYIT-GG	US	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
ip-api.com	208.95.112.1	whitelisted
www.bing.com	2.16.110.121 2.16.110.193 2.16.110.170 2.16.110.123	whitelisted
doing-pupils.gl.at.ply.gg	147.185.221.25	malicious
self.events.data.microsoft.com	104.208.16.95	whitelisted

PID	Process	Class	Message
—	—	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
—	—	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
—	—	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
—	—	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
—	—	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
—	—	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

awp.gg.exe

EE8945C63BBD30C8204D181E33F5947C

1BD4CE53521F0DF5619E6CCC676A3778C7790B23

388760280F235E469A54589041C820FB0E2D14D116CD0331534EF0BA76C7446B

98304:vW+Ujw/vR3ehcyQEzYWO3zBxEJPON5RRNdf/3yXx+EqTFlDoWsnJ+mUSH+Ln6GaC:j5cJFUeWGcxA45Ll

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Adds path to the Windows Defender exclusion list

Changes powershell execution policy (Bypass)

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Create files in the Startup directory

XWORM has been detected (SURICATA)

XWORM has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Connects to unusual port

Checks for external IP

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Contacting a server suspected of hosting an CnC

Deletes scheduled task without confirmation

Executing commands from a ".bat" file

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads the machine GUID from the registry

ROBLOX mutex has been found

Create files in a temporary directory

Reads Environment values

Disables trace logs

Checks proxy server information

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files