File name:	66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe
Full analysis:	https://app.any.run/tasks/554f58c4-b66d-4207-8556-c2b72d214ca4
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	October 03, 2025, 16:20:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	xworm pastebin auto-reg auto rat auto-startup
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:	BB873A06B39EB1CDA3E85581609ECE01
SHA1:	33FD21541E70AEB7CB88D44BFB1BA7B71000D92E
SHA256:	66F60766133A50418795E0459FB5350BE14946E5F6BD8572F2C8DF6271177E0F
SSDEEP:	6144:Xv/ru9qf3zU15Fk99jxPYtOLHPJXzbflyyJG8/nNg48v2AtS2uWOXZizOtbzWAT5:rhrpXPlyCNg48v2AtSRZi6FFoPsuhPC

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:08:14 13:36:06+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	218112
InitializedDataSize:	164864
UninitializedDataSize:	-
EntryPoint:	0x1a924
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6244) audiodg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\audiodg_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
5356	66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe	C:\Users\admin\Desktop\66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f..exe		executable
		MD5:808BD3E084E73BB76DD5FA82E0B210A3	SHA256:C8C7865BD9FF472BC8CD8069F4AA84A25E20948329982B078B39C0E657A09B63
5356	66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe	C:\Users\admin\Documents\diagnostics\shost.exe		executable
		MD5:E461ECB73EEC06F911F6CB6249795531	SHA256:F6F0F9DAE7FD6185D07A8D249B3DA11461C8529761AA4B4D5ABFA9E50CBB8FC5
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\PROGRA~~1\474640784729.exe		—
		MD5:—	SHA256:—
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\RCX1D66.tmp		—
		MD5:—	SHA256:—
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\PROGRA~~1\996578802657..exe		—
		MD5:—	SHA256:—
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\PROGRA~~1\107480036346.ico		image
		MD5:FC7387DEE6FCD172DECBAE102437CE30	SHA256:E3530D306F7F383C6C3DCEAD7C0C5A0B8FBACB6B85B067AF05E98F4C6F502D61
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\PROGRA~~1\706454051162.exe		executable
		MD5:8E28D0B408C981B517CF90D6DCE6BD29	SHA256:FE03F76CD7ED1782E58FA77C12576042F56FC494C94163E9C74E33B11D4EAA14
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\PROGRA~~1\194396309776.exe		executable
		MD5:7E7FA62D67F6FE8E5510F09189E85743	SHA256:1D8F19DD0A92E36D572A944D451BA3E0CD4125129C5762AA121BE42EED961347
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\RCX19B3.tmp		executable
		MD5:F467DF7005BF3B4AC835CD9356F0B422	SHA256:DE992882DDD38F68A40CDE4FD124CBBDECB5313489F8E0D92D7EC73DC0F17AB3
7276	shost.exe	C:\Users\admin\AppData\Local\Temp\PROGRA~~1\126362478549.exe		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	172.66.171.73:443	https://pastebin.com/raw/Fxzr3jeT	unknown	text	28 b	—
—	—	GET	200	2.18.29.232:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&cc=US&setlang=en-us&clientDateTime=10%2F3%2F2025%2C%204%3A20%3A27%20PM	unknown	—	59.0 Kb	—
—	—	POST	200	20.190.160.14:443	https://login.live.com/RST2.srf	unknown	xml	11.2 Kb	—
—	—	POST	200	20.190.160.14:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	—
—	—	POST	200	40.126.32.134:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	—
—	—	GET	200	2.18.29.176:443	https://www.bing.com/th?id=ODSWG.31bcf3d1-4df8-4c6a-9b3a-447ced8d6c39&pid=dsb	unknown	image	4.64 Kb	—
—	—	GET	200	2.18.29.232:443	https://www.bing.com/th?id=ODSWG.8229b0e5-fa8c-4e4a-af74-69717698b903&pid=dsb	unknown	image	4.62 Kb	—
—	—	POST	200	40.126.32.134:443	https://login.live.com/RST2.srf	unknown	xml	11.3 Kb	—
—	—	POST	200	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	xml	11.3 Kb	—
—	—	GET	200	20.223.35.26:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251003T162028Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=ff6fec202ccd4cb38cb73df9a76d42f0&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=16.3&dispvertres=768&fosver=16299&isu=0&lo=4245619&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1636149&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	3.20 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6016	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6864	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6016	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5948	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6244	audiodg.exe	104.20.29.150:443	pastebin.com	CLOUDFLARENET	—	whitelisted
5224	SearchApp.exe	2.18.29.176:443	www.bing.com	Akamai International B.V.	PL	whitelisted
7080	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
8008	backgroundTaskHost.exe	2.18.29.176:443	www.bing.com	Akamai International B.V.	PL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
google.com	142.250.185.78	whitelisted
pastebin.com	104.20.29.150 172.66.171.73	whitelisted
www.bing.com	2.18.29.176 2.18.29.185 2.18.29.170 2.18.29.168 2.18.29.218 2.18.29.192 2.18.29.195 2.18.29.131 2.18.29.139	whitelisted
login.live.com	20.190.159.73 40.126.31.130 40.126.31.73 40.126.31.129 20.190.159.0 20.190.159.130 40.126.31.1 20.190.159.4	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
arc.msn.com	20.223.36.55	whitelisted
also-body.gl.at.ply.gg	147.185.221.211	unknown
slscr.update.microsoft.com	74.178.240.61	whitelisted
www.microsoft.com	95.101.149.131	whitelisted

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2428	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
2428	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2428	svchost.exe	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2428	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup

General Info

66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe

BB873A06B39EB1CDA3E85581609ECE01

33FD21541E70AEB7CB88D44BFB1BA7B71000D92E

66F60766133A50418795E0459FB5350BE14946E5F6BD8572F2C8DF6271177E0F

6144:Xv/ru9qf3zU15Fk99jxPYtOLHPJXzbflyyJG8/nNg48v2AtS2uWOXZizOtbzWAT5:rhrpXPlyCNg48v2AtSRZi6FFoPsuhPC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XWORM mutex has been found

XWORM has been found (auto)

Changes the autorun value in the registry

Create files in the Startup directory

XWORM has been detected (YARA)

SUSPICIOUS

The process creates files with name similar to system file names

Starts itself from another location

Executable content was dropped or overwritten

Process drops legitimate windows executable

Connects to unusual port

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files or folders in the user directory

Creates files in the program directory

Launching a file from the Startup directory

Launching a file from a Registry key

Reads Environment values

Checks proxy server information

Reads the software policy settings

Reads the computer name

The sample compiled with bulgarian language support

Disables trace logs

Manual execution by a user

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings