| File name: | AppHost.exe |
| Full analysis: | https://app.any.run/tasks/3aedb2b4-ad4c-43e0-8b6f-b30a5b1824a5 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | May 21, 2025, 22:08:45 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | 037B6246BFB5E3F237BA49FA266E97A6 |
| SHA1: | D788B7B52E9B05612101C77BC7AA1DFA94E5B76F |
| SHA256: | D56ACF53CF6D4C419DEDEEF42BB3058AFECFC467C60388D8F49505AC17582D31 |
| SSDEEP: | 3072:YBZza44Ygh3KFdjHWnGFXGRc07PExp/d3/7qpJeI:YBZza48KX+GFXGi+PExp/wn |
MALICIOUS
Script downloads file (POWERSHELL)
- powershell.exe (PID: 7736)
Changes settings for real-time protection
- powershell.exe (PID: 8172)
Changes Windows Defender settings
- cmd.exe (PID: 8116)
Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
- powershell.exe (PID: 5008)
Changes settings for protection against network attacks (IPS)
- powershell.exe (PID: 7620)
Changes settings for reporting to Microsoft Active Protection Service (MAPS)
- powershell.exe (PID: 6108)
Changes settings for checking scripts for malicious actions
- powershell.exe (PID: 7176)
Changes settings for sending potential threat samples to Microsoft servers
- powershell.exe (PID: 7988)
XWORM has been detected (SURICATA)
- Adobe.exe (PID: 7932)
XWORM has been detected (YARA)
- Adobe.exe (PID: 7932)
SUSPICIOUS
Starts a new process with hidden mode (POWERSHELL)
- powershell.exe (PID: 7736)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 7736)
Starts POWERSHELL.EXE for commands execution
- AppHost.exe (PID: 7712)
- cmd.exe (PID: 8116)
Executing commands from a ".bat" file
- powershell.exe (PID: 7736)
Script disables Windows Defender's real-time protection
- cmd.exe (PID: 8116)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 7736)
Script disables Windows Defender's behavior monitoring
- cmd.exe (PID: 8116)
Detected use of alternative data streams (AltDS)
- AppHost.exe (PID: 7712)
Executable content was dropped or overwritten
- AppHost.exe (PID: 7712)
- powershell.exe (PID: 7736)
Script disables Windows Defender's IPS
- cmd.exe (PID: 8116)
Modifies existing scheduled task
- schtasks.exe (PID: 664)
- schtasks.exe (PID: 4164)
- schtasks.exe (PID: 7084)
- schtasks.exe (PID: 684)
- schtasks.exe (PID: 6252)
Uses REG/REGEDIT.EXE to modify registry
- powershell.exe (PID: 5608)
- powershell.exe (PID: 744)
- cmd.exe (PID: 8116)
Found regular expressions for crypto-addresses (YARA)
- Adobe.exe (PID: 7932)
Contacting a server suspected of hosting an CnC
- Adobe.exe (PID: 7932)
Connects to unusual port
- Adobe.exe (PID: 7932)
INFO
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 7736)
Checks supported languages
- AppHost.exe (PID: 7712)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 7736)
- powershell.exe (PID: 8172)
- powershell.exe (PID: 904)
- powershell.exe (PID: 5008)
- powershell.exe (PID: 4448)
- powershell.exe (PID: 7480)
- powershell.exe (PID: 7620)
- powershell.exe (PID: 7176)
- powershell.exe (PID: 7988)
- powershell.exe (PID: 6108)
- powershell.exe (PID: 6032)
- powershell.exe (PID: 4652)
- powershell.exe (PID: 8184)
- powershell.exe (PID: 7276)
- powershell.exe (PID: 5400)
Disables trace logs
- powershell.exe (PID: 7736)
Checks proxy server information
- powershell.exe (PID: 7736)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7736)
- powershell.exe (PID: 8172)
- powershell.exe (PID: 4448)
- powershell.exe (PID: 904)
- powershell.exe (PID: 4652)
- powershell.exe (PID: 7480)
- powershell.exe (PID: 7176)
- powershell.exe (PID: 7988)
- powershell.exe (PID: 5008)
- powershell.exe (PID: 6032)
- powershell.exe (PID: 5400)
- powershell.exe (PID: 8184)
- powershell.exe (PID: 7276)
- powershell.exe (PID: 6108)
Checks current location (POWERSHELL)
- powershell.exe (PID: 7736)
Found Base64 encoded access to Windows Defender via PowerShell (YARA)
- AppHost.exe (PID: 7712)
Found Base64 encoded file access via PowerShell (YARA)
- AppHost.exe (PID: 7712)
Found Base64 encoded JSON usage via PowerShell (YARA)
- AppHost.exe (PID: 7712)
The executable file from the user directory is run by the Powershell process
- Adobe.exe (PID: 7932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(7932) Adobe.exe
C280.85.154.131:2618
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexnukSxm2iZcVTHCHL
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:04:09 14:04:42+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.4 |
| CodeSize: | 70144 |
| InitializedDataSize: | 58880 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2160 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
184
Monitored processes
57
Malicious processes
4
Suspicious processes
6
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 664 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 684 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 744 | powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 904 | powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1300 | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1568 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2340 | powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2644 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4164 | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4300 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
100 310
Read events
100 283
Write events
19
Delete events
8
Modification events
| (PID) Process: | (7712) AppHost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications |
| Operation: | write | Name: | DisableEnhancedNotifications |
Value: 1 | |||
| (PID) Process: | (7736) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.FriendlyAppName |
Value: Windows Command Processor | |||
| (PID) Process: | (7736) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.ApplicationCompany |
Value: Microsoft Corporation | |||
| (PID) Process: | (7712) AppHost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | HideExclusionsFromLocalAdmins |
Value: 1 | |||
| (PID) Process: | (5256) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5256) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5256) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5256) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4896) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (5892) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiVirus |
Value: 1 | |||
Executable files
2
Suspicious files
2
Text files
37
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8172 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_usweeio4.lxa.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7736 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4iwe5041.g3n.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_i50b1jjd.ymn.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4448 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3zk3nsrm.1fg.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 904 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o3jhzycl.rwa.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8172 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:D5E746159A65A848160453A6A84BB5DA | SHA256:F4B6E4B2D54A0EF931618EFE546EF17D34110DD248291AC840AC555F0DEDAA2A | |||
| 7736 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3pywezz0.tze.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pwgrf5gv.tbg.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6032 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b4jrwzip.jv0.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4448 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_omswn02q.ali.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
24
DNS requests
9
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6708 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7736 | powershell.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
github.com |
| whitelisted |
objects.githubusercontent.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
7932 | Adobe.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet |