File name:

XWormV6.0.exe

Full analysis: https://app.any.run/tasks/882dedd2-e43b-466b-88e8-d55bfb495810
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: January 27, 2025, 13:07:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 8 sections
MD5:

9C78C30D1C6936B3B25CD8BBA4B593A3

SHA1:

71D6C72907F0C038CC51526D4FEE00D80C6AF8D4

SHA256:

666E3E7A8287B1FC975B5E46623E3A6E59F356101CD74F0138F750C61CB2C7BA

SSDEEP:

6144:c6jrdqI1uZxpbjgMfCHdvMTAa2IIaawYse7cVek9svXrH7Qm0V:J0r6MfudvMTAalIxj499svXb7B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 3680)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4764)

    • Adds path to the Windows Defender exclusion list

      • XWormV6.0.exe (PID: 3988)

    • Changes powershell execution policy (Bypass)

      • XWormV6.0.exe (PID: 3988)

    • Uses Task Scheduler to autorun other applications

      • wininit.exe (PID: 3816)

    • Application was injected by another process

      • lsass.exe (PID: 760)
      • svchost.exe (PID: 320)
      • svchost.exe (PID: 1076)
      • svchost.exe (PID: 1276)
      • svchost.exe (PID: 1316)
      • winlogon.exe (PID: 684)
      • svchost.exe (PID: 1260)
      • dwm.exe (PID: 912)
      • svchost.exe (PID: 1268)
      • svchost.exe (PID: 1068)
      • svchost.exe (PID: 1424)
      • svchost.exe (PID: 1660)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 1564)
      • svchost.exe (PID: 1452)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1908)
      • svchost.exe (PID: 2064)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1880)
      • svchost.exe (PID: 2192)
      • svchost.exe (PID: 1972)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2748)
      • svchost.exe (PID: 2364)
      • svchost.exe (PID: 2272)
      • svchost.exe (PID: 2372)
      • spoolsv.exe (PID: 2652)
      • svchost.exe (PID: 2500)
      • svchost.exe (PID: 2816)
      • OfficeClickToRun.exe (PID: 2884)
      • svchost.exe (PID: 2892)
      • svchost.exe (PID: 2944)
      • svchost.exe (PID: 3164)
      • svchost.exe (PID: 2660)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 3824)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 3016)
      • svchost.exe (PID: 3704)
      • svchost.exe (PID: 3592)
      • dasHost.exe (PID: 3896)
      • svchost.exe (PID: 3600)
      • svchost.exe (PID: 3668)
      • svchost.exe (PID: 3160)
      • svchost.exe (PID: 2952)
      • sihost.exe (PID: 1712)
      • svchost.exe (PID: 4168)
      • svchost.exe (PID: 4436)
      • ctfmon.exe (PID: 4268)
      • RuntimeBroker.exe (PID: 4676)
      • explorer.exe (PID: 4488)
      • svchost.exe (PID: 4696)
      • dllhost.exe (PID: 5164)
      • UserOOBEBroker.exe (PID: 3004)
      • ApplicationFrameHost.exe (PID: 6108)
      • RuntimeBroker.exe (PID: 5820)
      • MoUsoCoreWorker.exe (PID: 4712)
      • dllhost.exe (PID: 5904)
      • svchost.exe (PID: 4456)
      • svchost.exe (PID: 3976)
      • RuntimeBroker.exe (PID: 4960)
      • uhssvc.exe (PID: 2908)
      • svchost.exe (PID: 1340)
      • svchost.exe (PID: 812)
      • svchost.exe (PID: 4200)
      • svchost.exe (PID: 1764)
      • svchost.exe (PID: 3056)
      • dllhost.exe (PID: 1816)
      • svchost.exe (PID: 1176)
      • svchost.exe (PID: 2224)
      • svchost.exe (PID: 376)
      • svchost.exe (PID: 1916)
      • svchost.exe (PID: 1612)
      • WmiPrvSE.exe (PID: 5200)
      • WmiPrvSE.exe (PID: 6716)
      • svchost.exe (PID: 4648)
      • svchost.exe (PID: 2340)
      • svchost.exe (PID: 2360)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 2288)
      • svchost.exe (PID: 4176)

    • Runs injected code in another process

      • pf2b1vmd.xly.exe (PID: 4576)

    • XWORM has been detected (SURICATA)

      • wininit.exe (PID: 3816)

    • XWORM has been detected (YARA)

      • wininit.exe (PID: 3816)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • XWormV6.0.exe (PID: 5652)
      • wininit.exe (PID: 3816)
      • XWormV6.0.exe (PID: 3988)

    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • XWormV6.0.exe (PID: 5652)

    • Reads the date of Windows installation

      • XWormV6.0.exe (PID: 5652)
      • XWormV6.0.exe (PID: 3988)
      • wininit.exe (PID: 3816)

    • Script adds exclusion path to Windows Defender

      • XWormV6.0.exe (PID: 3988)

    • Executable content was dropped or overwritten

      • XWormV6.0.exe (PID: 3988)
      • wininit.exe (PID: 3816)

    • Starts POWERSHELL.EXE for commands execution

      • XWormV6.0.exe (PID: 3988)

    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 2928)

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 2928)

    • Contacting a server suspected of hosting an CnC

      • wininit.exe (PID: 3816)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2192)

    • Connects to unusual port

      • wininit.exe (PID: 3816)

  • INFO

    • Reads the software policy settings

      • lsass.exe (PID: 760)

    • Reads the computer name

      • XWormV6.0.exe (PID: 5652)
      • XWormV6.0.exe (PID: 3988)
      • wininit.exe (PID: 3816)
      • pf2b1vmd.xly.exe (PID: 4576)

    • Checks supported languages

      • XWormV6.0.exe (PID: 5652)
      • XWormV6.0.exe (PID: 3988)
      • pf2b1vmd.xly.exe (PID: 4576)
      • wininit.exe (PID: 3816)

    • Reads the machine GUID from the registry

      • XWormV6.0.exe (PID: 5652)
      • XWormV6.0.exe (PID: 3988)
      • wininit.exe (PID: 3816)

    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 436)

    • Process checks computer location settings

      • XWormV6.0.exe (PID: 5652)
      • XWormV6.0.exe (PID: 3988)
      • wininit.exe (PID: 3816)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 4712)
      • dllhost.exe (PID: 3680)

    • Create files in a temporary directory

      • XWormV6.0.exe (PID: 3988)
      • wininit.exe (PID: 3816)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4764)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2928)

    • Disables trace logs

      • cmstp.exe (PID: 436)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4764)

    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 6716)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(3816) wininit.exe
C2Specter1-33484.portmap.host:33484
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameRooT Kit Specter !!
Mutex59UHbFVQCyQOp4NN
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:24 13:29:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 253440
InitializedDataSize: 42496
UninitializedDataSize: -
EntryPoint: 0x400a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.2.19041.4842
ProductVersionNumber: 6.2.19041.4842
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: XCoder
FileDescription: XWorm
FileVersion: 6.0.0.0
InternalName: XWorm.exe
LegalCopyright: Copyright Specter© 2025
OriginalFileName: XWorm
ProductName: XWorm
ProductVersion: 6.0.0.0
AssemblyVersion: 6.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
100
Malicious processes
4
Suspicious processes
86

Behavior graph

Click at the process to see the details
start xwormv6.0.exe no specs cmstp.exe no specs CMSTPLUA xwormv6.0.exe powershell.exe no specs conhost.exe no specs wmiprvse.exe #XWORM wininit.exe mshta.exe no specs pf2b1vmd.xly.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs wmiprvse.exe svchost.exe svchost.exe winlogon.exe lsass.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe uhssvc.exe svchost.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe ctfmon.exe svchost.exe svchost.exe explorer.exe svchost.exe runtimebroker.exe svchost.exe mousocoreworker.exe runtimebroker.exe dllhost.exe runtimebroker.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
320C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
376C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHostC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
436"C:\WINDOWS\system32\cmstp.exe" /au C:\WINDOWS\temp\nkdxm1fd.infC:\Windows\System32\cmstp.exeXWormV6.0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile Installer
Exit code:
1
Version:
7.2.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
760C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
812C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
912"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1068C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1076C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s DsmSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1176C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
28 512
Read events
27 984
Write events
282
Delete events
246

Modification events

(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeHigh
Value:
A75D0DB407D9DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeEstimated
Value:
A7F54852FFD8DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeLow
Value:
A78D84F0F6D8DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:writeName:SecureTimeTickCount
Value:
C779130000000000
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:writeName:SecureTimeConfidence
Value:
0
(PID) Process:(1340) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\Desktop\XWormV6.0.exe
Value:
534143500100000000000000070000002800000000880400230705000100000000000000000001050010000050BB64EDDDACD5010000000000000000
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
Operation:writeName:NextRefreshTime
Value:
A2A906AD94010000
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:writeName:ETag
Value:
"14B6668685A86B8B3340E54F72D5299AE61E827C825447B3AD621BDEC5D8860D3D8C46FDAC15AF89"
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:delete valueName:ETagBackup
Value:
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:writeName:LastUpdated
Value:
0707428EFED8DA01
Executable files
3
Suspicious files
46
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
1768svchost.exeC:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pfbinary
MD5:AF348D88B00F15773DC90EA3D05144CD
SHA256:A6CA3827BD2D63A07A8A6776055B218002715A8E341AEB23FED6E3856C76D662
1768svchost.exeC:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pfbinary
MD5:5AF993E66899C70AB6ECDD32BD0F1BAD
SHA256:6330CD5B628D5F3D2503AFB7C99914AE5B96C701524006A7BC65558C467CADE3
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scanxml
MD5:11954764DE4745B35A42219A7C5E2DCA
SHA256:997FCF971A38394C30D9E5CA0C6B36E782630E83B52D2664C56F1DEFBA54CB6C
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Workxml
MD5:5FADF13CCFBDCC5DD728380F7A615B28
SHA256:FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
1768svchost.exeC:\Windows\Prefetch\SVCHOST.EXE-6C525542.pfbinary
MD5:A6380ECE9F8872201F062AC8F97AE75B
SHA256:8C5FFC3A4CF43E948BEA4EE729A9D3AF63F00F3E2B7711DFDA442179D9EF6AA7
1768svchost.exeC:\Windows\Prefetch\XWORMV6.0.EXE-7E8DF417.pfbinary
MD5:D9ABC24CFE42957C886AE1021F4E0CDC
SHA256:E9CD2AFC9DCAB65FB946497F5F9E8CA8BE420AB441B18DC6E2B4BC99F03C105B
1768svchost.exeC:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pfbinary
MD5:01FE3697416F3DD641ABFC5509CC5014
SHA256:0A9A0B9EF5E617EAE23325FA6AFEC000AB7687E5FE0F702CCBA5351210D0FD7B
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:42A8CC729DD416086A544722F5940CEE
SHA256:5F19C7376D31CAD98AEE9A6E83BC88B276C38AA2ED49EE3F610FCD7605E84CEC
1768svchost.exeC:\Windows\Prefetch\CMSTP.EXE-E47801D3.pfbinary
MD5:D3A89C756F26DC22B903B50EC0919C57
SHA256:3219C300B0421C9AD84D14A693560E4AD4F90E83073B0A4CEF3DC18B6FCD12A2
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEbinary
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
19
DNS requests
9
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
Specter1-33484.portmap.host
  • 193.161.193.99
malicious
self.events.data.microsoft.com
  • 20.42.73.31
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potential Corporate Privacy Violation
ET INFO DNS Query to a Reverse Proxy Service Observed
2192
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
3816
wininit.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
XWormV6.0.exe