File name: | explorer.exe |
Full analysis: | https://app.any.run/tasks/e53277b6-e3a0-4684-9497-edd7cb703fb2 |
Verdict: | Malicious activity |
Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
Analysis date: | April 15, 2025, 18:05:50 |
OS: | Windows 10 Professional (build: 19044, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
MD5: | 73158E52A6BF29A478D6443F8CB2D2B5 |
SHA1: | 515EF7E1BB30F05ABF6A8D27A1C7A02C2053386C |
SHA256: | B1C0DA596252D2322AF646035E21951A7EE16982249AAEF52FB74C8C6EAF65A1 |
SSDEEP: | 6144:+Ek9NQnodizj0u2qUmMrV5GRcYNDH0PC/A6aJz/rbBQq:+VQnAizj+mY7GRcYNDH0a/AZJzpt |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2090:10:05 05:32:40+00:00 |
ImageFileCharacteristics: | Executable, Large address aware |
PEType: | PE32 |
LinkerVersion: | 48 |
CodeSize: | 254464 |
InitializedDataSize: | 5120 |
UninitializedDataSize: | - |
EntryPoint: | 0x4003e |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 6 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 1.0.0.0 |
InternalName: | MasonRootkit.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFileName: | MasonRootkit.exe |
ProductName: | - |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
468 | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
644 | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
648 | "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe" | C:\Program Files\Microsoft Update Health Tools\uhssvc.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Update Health Service Version: 10.0.19041.3626 (WinBuild.160101.0800) Modules
| |||||||||||||||
668 | C:\WINDOWS\System32\svchost.exe -k WerSvcGroup | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
756 | C:\WINDOWS\system32\lsass.exe | C:\Windows\System32\lsass.exe | wininit.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Local Security Authority Process Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
860 | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
956 | "ctfmon.exe" | C:\Windows\System32\ctfmon.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: CTF Loader Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1036 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Runtime Broker Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
1044 | C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1128 | C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding | C:\Windows\System32\wbem\WmiPrvSE.exe | svchost.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Provider Host Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
|
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment |
Operation: | write | Name: | refreshAfter |
Value: CFFAEA33FAAEDB01 | |||
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment |
Operation: | delete value | Name: | ETag |
Value: | |||
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment |
Operation: | delete value | Name: | refreshAfter |
Value: 𢡊㏪껺Ǜ | |||
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables |
Operation: | write | Name: | WaaSOutOfDateState |
Value: 0 | |||
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables |
Operation: | write | Name: | WaasAssessmentCheckTimestamp |
Value: 5022810931AEDB01 | |||
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables |
Operation: | write | Name: | UpToDateStatusRecalcTimestamp |
Value: 5022810931AEDB01 | |||
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables |
Operation: | write | Name: | ActiveHoursStart |
Value: 10 | |||
(PID) Process: | (2112) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables |
Operation: | write | Name: | ActiveHoursEnd |
Value: 18 | |||
(PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
Operation: | write | Name: | CheckSetting |
Value: 23004100430042006C006F00620000000000000000000000010000006D0073006D000000 | |||
(PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | IconLayouts |
Value: 00000000000000000000000000000000030001000100010013000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001400000000000000630061006C006C0065006400760061006C007500650073002E0070006E0067003E00200020000000150000000000000063006F006D0070007500740065007200730074006F006E0065002E007200740066003E00200020000000150000000000000063006F00720070006F007200610074006500730065006C0066002E006A00700067003E0020002000000016000000000000006500780069007300740069006E0067006500660066006500630074002E0070006E0067003E002000200000001700000000000000680065006100720064006E0061007600690067006100740069006F006E002E006A00700067003E0020002000000011000000000000006D006F007300740061006C00620075006D002E006A00700067003E00200020000000120000000000000070006F007300690074006900760065006D0064002E007200740066003E0020002000000010000000000000007200650061006C0061007700610079002E007200740066003E002000200000001000000000000000730074006100660066007000610079002E0070006E0067003E002000200000000F000000000000007700650065006B007900650073002E007200740066003E0020002000000010000000000000006500780070006C006F007200650072002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001300000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A0401100000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000001200 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1772 | svchost.exe | C:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pf | binary | |
MD5:2A02A912A188CF2B44E0B2600F480460 | SHA256:55D2C36A6B4CC23868462D36570F997E39634C411EB4C287B15485CACC17299C | |||
1260 | svchost.exe | C:\Windows\System32\Tasks\Masonexplorer.exe | binary | |
MD5:DF72B9094A390993052B0A9A4842AEF3 | SHA256:2107FF0241489D0FBF0604EF65CFFCE5A618BAF902921E09EB40C786FD5F65CA | |||
6896 | dllhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk | binary | |
MD5:E313E6FAE3209AADA08F9555EC656479 | SHA256:17394B7C7540B44894D2DFBE714EF25BD03C5C8AD8DC8FA2464735C0FF908131 | |||
4620 | explorer.exe | C:\Users\admin\AppData\Local\Temp\yqkoflp4.25c.exe | executable | |
MD5:94F1AB3A068F83B32639579EC9C5D025 | SHA256:879CC20B41635709BB304E315AAA5CA4708B480A1BFC2F4935FCF2215188EFB0 | |||
1772 | svchost.exe | C:\Windows\Prefetch\SCHTASKS.EXE-5CA45734.pf | binary | |
MD5:10A99989F896A73319D2F7CE51DD3FDE | SHA256:13E855FD508E58FF87FC67D746DF07B9E0995F51D2839C2AD70365A636BE21BF | |||
1772 | svchost.exe | C:\Windows\Prefetch\HOST.EXE-F5D74C61.pf | binary | |
MD5:F0728865EBC4FCB519B073B4FA03C3C2 | SHA256:16B3ED604BF0B75C4289300A8F7BE30D32DD523A9598061189C41A32DD1EE819 | |||
1772 | svchost.exe | C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf | binary | |
MD5:C7C6C488F79A311C12690604999E7FD7 | SHA256:E261F63BBE4CCDAAC9CDAFE79CCF8FC6EB6EF6B8888937A281C267E0C43920D2 | |||
1772 | svchost.exe | C:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pf | binary | |
MD5:23B9E867DDDFD72EC29957846B43BBFF | SHA256:BBC56FCC66679B786318B3D4730B59736D433158E23D82F046D731F0C63DBC91 | |||
1260 | svchost.exe | C:\Windows\System32\Tasks\XClient | binary | |
MD5:F548F1F65447D85DE26FDEFC47C0F00B | SHA256:C597733EE9BE23008C83F6D22FB898F26A82E25C6D70FE87E810B50DF1F6CCD0 | |||
4620 | explorer.exe | C:\Users\admin\AppData\Roaming\XClient.exe | executable | |
MD5:73158E52A6BF29A478D6443F8CB2D2B5 | SHA256:B1C0DA596252D2322AF646035E21951A7EE16982249AAEF52FB74C8C6EAF65A1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
7416 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
7416 | SIHClient.exe | GET | 200 | 23.48.23.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
7416 | SIHClient.exe | GET | 200 | 23.48.23.193:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
7416 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7416 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
7416 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
7416 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
— | — | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
iraq-roses.gl.at.ply.gg |
| unknown |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg) |
— | — | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
— | — | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg) |
— | — | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet |