File name:	wininit.exe
Full analysis:	https://app.any.run/tasks/963c4120-543d-4aa6-9bf4-7d34e017c030
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 00:49:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion xworm remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	965839C40BB66FC7C28C19989A11F62A
SHA1:	5E14AC814C6072B02939989CB49531A928EA0241
SHA256:	6C2DFBADC024192E92D8CE451101697ACBF40559DED7B7F88B673A80BF733B2B
SSDEEP:	1536:rZEm15p8to7FQrbvJ0gTELXdbED3Lm46ZHv2SpuOV0O7tR:d5p6TELtbE2v2SIOB7f

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:05 01:16:59+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	74752
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x1432e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	wininit.exe
LegalCopyright:
OriginalFileName:	wininit.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7304) wininit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wininit_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
6620	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0		binary
		MD5:DE7D7D610E8E98CC28505D56882A5ABB	SHA256:6D89839639BE10E49E77D71833299264899E342A047DF4AF8B39C622570326CF
812	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal		binary
		MD5:B6AACA39B788D7D53490436FC28F8C16	SHA256:8B513A8E7FFC8F78D152F7CC0582851486BA1DE772C6F3ACEF090C942736B927
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
6620	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
6620	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF11d5db.TMP		text
		MD5:D012E5B4EB91B61F6E8AE2F8EC3C623E	SHA256:1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
6620	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RF11d687.TMP		text
		MD5:ED7D8AAE48211E2BFAF557130572C62A	SHA256:A5CF8D8ADC86DCA357396AF7E3A24A116072D5C1E5552EEB76601AE2673DED6E
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt		text
		MD5:CDE99CE0AAE3DAF0C0736BE2D10B5915	SHA256:368693814C5060B36F7B0B7C8682E220B2AF1BA5CFF463A7F71E9609C4CDFC74
7304	wininit.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.Net Runtime x64.lnk		binary
		MD5:F5CE9444E61357D5BD9E5D207C6CE1B2	SHA256:8B21D74DC096ABA76EDC9DE6A0AA88F043465DEBA2917629F7EA20CD4CCA1064
6564	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7304	wininit.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	whitelisted
—	—	OPTIONS	204	34.237.241.83:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=GB&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	unknown
—	—	GET	200	18.213.11.84:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=GB&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	unknown
—	—	GET	200	23.50.131.87:443	https://acroipm2.adobe.com/23/rdr_64x/ENU/win/nooem/none/consumer/message.zip	unknown	compressed	168 Kb	whitelisted
—	—	GET	200	23.35.236.137:443	https://geo2.adobe.com/	unknown	text	50 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	2.23.180.142:443	https://armmf.adobe.com/onboarding/smskillreader.txt	unknown	text	120 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7304	wininit.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
7304	wininit.exe	147.185.221.26:42702	countries-discovery.gl.at.ply.gg	PLAYIT-GG	US	malicious
668	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7256	AcroCEF.exe	23.35.236.137:443	geo2.adobe.com	AKAMAI-AS	DE	whitelisted
7256	AcroCEF.exe	54.224.241.105:443	p13n.adobe.io	AMAZON-AES	US	whitelisted
7256	AcroCEF.exe	2.23.180.142:443	armmf.adobe.com	AKAMAI-AS	DE	whitelisted
812	Acrobat.exe	23.50.131.75:443	acroipm2.adobe.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.186.142	whitelisted
ip-api.com	208.95.112.1	whitelisted
countries-discovery.gl.at.ply.gg	147.185.221.26	unknown
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted
geo2.adobe.com	23.35.236.137	whitelisted
p13n.adobe.io	54.224.241.105 18.213.11.84 34.237.241.83 50.16.47.176	whitelisted
armmf.adobe.com	2.23.180.142	whitelisted
acroipm2.adobe.com	23.50.131.75 23.50.131.87	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
7304	wininit.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
7304	wininit.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196	svchost.exe	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
7304	wininit.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

wininit.exe

965839C40BB66FC7C28C19989A11F62A

5E14AC814C6072B02939989CB49531A928EA0241

6C2DFBADC024192E92D8CE451101697ACBF40559DED7B7F88B673A80BF733B2B

1536:rZEm15p8to7FQrbvJ0gTELXdbED3Lm46ZHv2SpuOV0O7tR:d5p6TELtbE2v2SIOB7f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Create files in the Startup directory

XWORM has been detected (YARA)

XWORM has been detected (SURICATA)

SUSPICIOUS

Checks for external IP

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Connects to unusual port

Contacting a server suspected of hosting an CnC

Deletes scheduled task without confirmation

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Uses TIMEOUT.EXE to delay execution

The process executes via Task Scheduler

INFO

Reads Environment values

Disables trace logs

Checks supported languages

Process checks computer location settings

Checks proxy server information

Reads the machine GUID from the registry

Creates files in the program directory

Autorun file from Startup directory

Creates files or folders in the user directory

Reads the computer name

Reads Microsoft Office registry keys

Application launched itself

Create files in a temporary directory

Reads security settings of Internet Explorer

Reads the software policy settings

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files