File name:	wininit.exe
Full analysis:	https://app.any.run/tasks/963c4120-543d-4aa6-9bf4-7d34e017c030
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 00:49:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion xworm remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	965839C40BB66FC7C28C19989A11F62A
SHA1:	5E14AC814C6072B02939989CB49531A928EA0241
SHA256:	6C2DFBADC024192E92D8CE451101697ACBF40559DED7B7F88B673A80BF733B2B
SSDEEP:	1536:rZEm15p8to7FQrbvJ0gTELXdbED3Lm46ZHv2SpuOV0O7tR:d5p6TELtbE2v2SIOB7f

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:05 01:16:59+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	74752
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x1432e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	wininit.exe
LegalCopyright:
OriginalFileName:	wininit.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
7304	wininit.exe	C:\ProgramData\.Net Runtime x64.exe		executable
		MD5:965839C40BB66FC7C28C19989A11F62A	SHA256:6C2DFBADC024192E92D8CE451101697ACBF40559DED7B7F88B673A80BF733B2B
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6564		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
7304	wininit.exe	C:\Users\admin\AppData\Local\Temp\tmp7368.tmp.bat		text
		MD5:793A2C7A3A904BC0734BD41B53DF33EB	SHA256:EB8BAFB1B0F2C2A8EED9A31D8C97392D6A77C222A04C1BF7414C614740A09C60
812	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
7304	wininit.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.Net Runtime x64.lnk		binary
		MD5:F5CE9444E61357D5BD9E5D207C6CE1B2	SHA256:8B21D74DC096ABA76EDC9DE6A0AA88F043465DEBA2917629F7EA20CD4CCA1064
6620	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
6620	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0		binary
		MD5:665C33C05FE15AF569F1AC16FDF17C24	SHA256:5F2951CCEED447AE36ADD86AB362C2E95C4909B8B4F633616E605AD0E4A2B63B
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:20F8B7BD524A5A4971000BF1042B5AA9	SHA256:42442040209B06A20209C4CAE768A89990891A2782BF47BDB165726B64AE53C4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7304	wininit.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	whitelisted
—	—	OPTIONS	204	34.237.241.83:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=GB&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	—
—	—	GET	200	18.213.11.84:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=GB&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	—
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	23.35.236.137:443	https://geo2.adobe.com/	unknown	text	50 b	whitelisted
—	—	GET	200	23.50.131.87:443	https://acroipm2.adobe.com/23/rdr_64x/ENU/win/nooem/none/consumer/message.zip	unknown	compressed	168 Kb	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	2.23.180.142:443	https://armmf.adobe.com/onboarding/smskillreader.txt	unknown	text	120 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7304	wininit.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
7304	wininit.exe	147.185.221.26:42702	countries-discovery.gl.at.ply.gg	PLAYIT-GG	US	malicious
668	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7256	AcroCEF.exe	23.35.236.137:443	geo2.adobe.com	AKAMAI-AS	DE	whitelisted
7256	AcroCEF.exe	54.224.241.105:443	p13n.adobe.io	AMAZON-AES	US	whitelisted
7256	AcroCEF.exe	2.23.180.142:443	armmf.adobe.com	AKAMAI-AS	DE	whitelisted
812	Acrobat.exe	23.50.131.75:443	acroipm2.adobe.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.186.142	whitelisted
ip-api.com	208.95.112.1	whitelisted
countries-discovery.gl.at.ply.gg	147.185.221.26	unknown
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted
geo2.adobe.com	23.35.236.137	whitelisted
p13n.adobe.io	54.224.241.105 18.213.11.84 34.237.241.83 50.16.47.176	whitelisted
armmf.adobe.com	2.23.180.142	whitelisted
acroipm2.adobe.com	23.50.131.75 23.50.131.87	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
7304	wininit.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
7304	wininit.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196	svchost.exe	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
7304	wininit.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

wininit.exe

965839C40BB66FC7C28C19989A11F62A

5E14AC814C6072B02939989CB49531A928EA0241

6C2DFBADC024192E92D8CE451101697ACBF40559DED7B7F88B673A80BF733B2B

1536:rZEm15p8to7FQrbvJ0gTELXdbED3Lm46ZHv2SpuOV0O7tR:d5p6TELtbE2v2SIOB7f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

Create files in the Startup directory

XWORM has been detected (YARA)

XWORM has been detected (SURICATA)

Changes the autorun value in the registry

SUSPICIOUS

Checks for external IP

Executable content was dropped or overwritten

Connects to unusual port

Executing commands from a ".bat" file

Contacting a server suspected of hosting an CnC

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Reads the date of Windows installation

Deletes scheduled task without confirmation

Uses TIMEOUT.EXE to delay execution

The process executes via Task Scheduler

INFO

Reads the machine GUID from the registry

Checks supported languages

Reads Environment values

Disables trace logs

Reads the computer name

Checks proxy server information

Creates files in the program directory

Process checks computer location settings

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Create files in a temporary directory

Application launched itself

Autorun file from Startup directory

Reads security settings of Internet Explorer

Reads the software policy settings

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files