File name:	sewi.exe
Full analysis:	https://app.any.run/tasks/958db82a-0726-4fc5-851e-54f2dc696ddd
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	March 26, 2026, 16:53:31
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	iqvw64-sys vuln-driver procexp-sys xworm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	22885F81A98018DCDB4D8198664C82E2
SHA1:	418C0116785CEF14B0D63EC5D902A3E9FD19DFE4
SHA256:	47E63F7B23F5B2DC490C963CFCCF55904755C16707B0DDB63B4E4897B98F5824
SSDEEP:	98304:ZO3PROr/2OpvlkoCdqJncwoXRGs0/cojR0B2sM3G22kHvZ5aavo86efEjavo86eC:UBnQ

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2026:03:26 16:21:07+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	2229248
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x22228e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	sewi.exe
LegalCopyright:
OriginalFileName:	sewi.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(5384) sewi.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5384) sewi.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5384) sewi.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5384) sewi.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4136) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(7636) sDQ0X.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NalDrv
Operation:	write	Name:	ImagePath
Value: \??\C:\Users\admin\Desktop\NalDrv.sys
(PID) Process:	(7636) sDQ0X.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152
Operation:	write	Name:	ErrorControl
Value: 1
(PID) Process:	(7636) sDQ0X.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152
Operation:	write	Name:	Type
Value: 1
(PID) Process:	(7636) sDQ0X.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152
Operation:	write	Name:	Start
Value: 3
(PID) Process:	(7636) sDQ0X.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152
Operation:	write	Name:	ImagePath
Value: \??\C:\Users\admin\AppData\Local\Temp\PROCEXP152.sys

PID	Process	Filename		Type
7712	Sewi.exe	C:\Windows\SoftwareDistribution\Download\hOogK.sys		binary
		MD5:657C2A27E4038AE1041474FB901540FA	SHA256:19066DF50EB8B7C76D06552CCBD6248A6384A45A7F04500C6DE4AB37149BAC54
5384	sewi.exe	C:\Users\admin\AppData\Roaming\Sewi.exe		binary
		MD5:2CA19D0F12D1F16F6D08B34C48593826	SHA256:29BDF43AF7FCE4A48A4699F01BA35A9D23EC72109F9A8D59B84788610066B715
5384	sewi.exe	C:\Users\admin\AppData\Roaming\XClient.exe		binary
		MD5:E1E562D474FB6FA1A728EB98CD903E26	SHA256:9EA44A571244B57D5F8FF3CF3410974247F6D15C335F3681599F401B99E3F0C0
7712	Sewi.exe	C:\Windows\SoftwareDistribution\Download\sDQ0X.exe		binary
		MD5:083C6C05AC5875D0B6E997E894CA07BC	SHA256:03AEFD40698CAFBD48138784F362FB9A36F726FB50F262CA40695729F7B553CA
7636	sDQ0X.exe	C:\Users\admin\Desktop\NalDrv.sys		binary
		MD5:1898CEDA3247213C084F43637EF163B3	SHA256:4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B
7636	sDQ0X.exe	C:\Users\admin\AppData\Local\Temp\PROCEXP152.sys		binary
		MD5:C06DDA757B92E79540551EFD00B99D4B	SHA256:9B6A84F7C40EA51C38CC4D2E93EFB3375E9D98D4894A85941190D94FBE73A4E4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
680	svchost.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
680	svchost.exe	GET	200	23.216.77.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4136	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted
3280	svchost.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	US	binary	813 b	whitelisted
3280	svchost.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	US	binary	400 b	whitelisted
4136	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted
3280	svchost.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	US	binary	401 b	whitelisted
3280	svchost.exe	GET	200	23.216.77.30:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	NL	binary	824 b	whitelisted
3280	svchost.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	US	binary	814 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
680	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
5276	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	92.123.104.52:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
8124	slui.exe	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
680	svchost.exe	23.216.77.8:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
680	svchost.exe	95.100.102.101:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	95.100.102.101:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
www.bing.com	92.123.104.52 92.123.104.50 92.123.104.45 92.123.104.39 92.123.104.30 92.123.104.29 92.123.104.47 92.123.104.37 92.123.104.26	whitelisted
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
google.com	142.251.110.102 142.251.110.139 142.251.110.100 142.251.110.138 142.251.110.113 142.251.110.101	whitelisted
crl.microsoft.com	23.216.77.8 23.216.77.20 23.216.77.19 23.216.77.30 23.216.77.36 23.216.77.38 23.216.77.42 23.216.77.28 23.216.77.18 23.216.77.35 23.216.77.15 23.216.77.6 23.216.77.22	whitelisted
www.microsoft.com	95.100.102.101	whitelisted
self.events.data.microsoft.com	13.89.179.11	whitelisted

General Info

sewi.exe

22885F81A98018DCDB4D8198664C82E2

418C0116785CEF14B0D63EC5D902A3E9FD19DFE4

47E63F7B23F5B2DC490C963CFCCF55904755C16707B0DDB63B4E4897B98F5824

98304:ZO3PROr/2OpvlkoCdqJncwoXRGs0/cojR0B2sM3G22kHvZ5aavo86efEjavo86eC:UBnQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Vulnerable driver has been detected

XWORM has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

Drops a system driver (possible attempt to evade defenses)

Creates or modifies Windows services

INFO

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the computer name

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings