File name:

66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe

Full analysis: https://app.any.run/tasks/554f58c4-b66d-4207-8556-c2b72d214ca4
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: October 03, 2025, 16:20:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xworm
pastebin
auto-reg
auto
rat
auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:

BB873A06B39EB1CDA3E85581609ECE01

SHA1:

33FD21541E70AEB7CB88D44BFB1BA7B71000D92E

SHA256:

66F60766133A50418795E0459FB5350BE14946E5F6BD8572F2C8DF6271177E0F

SSDEEP:

6144:Xv/ru9qf3zU15Fk99jxPYtOLHPJXzbflyyJG8/nNg48v2AtS2uWOXZizOtbzWAT5:rhrpXPlyCNg48v2AtSRZi6FFoPsuhPC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XWORM has been found (auto)

      • 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe (PID: 5356)
      • audiodg.exe (PID: 6244)
    • XWORM mutex has been found

      • audiodg.exe (PID: 6780)
      • audiodg.exe (PID: 6244)
      • winlogon (PID: 2692)
    • Changes the autorun value in the registry

      • audiodg.exe (PID: 6244)
    • Create files in the Startup directory

      • audiodg.exe (PID: 6244)
    • XWORM has been detected (YARA)

      • audiodg.exe (PID: 6244)
      • shost.exe (PID: 7276)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe (PID: 5356)
    • Starts itself from another location

      • 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe (PID: 5356)
    • Executable content was dropped or overwritten

      • 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe (PID: 5356)
      • shost.exe (PID: 7276)
      • audiodg.exe (PID: 6244)
    • Process drops legitimate windows executable

      • shost.exe (PID: 7276)
    • Connects to unusual port

      • audiodg.exe (PID: 6244)
  • INFO

    • Checks supported languages

      • 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe (PID: 5356)
      • shost.exe (PID: 7276)
      • 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f..exe (PID: 8084)
      • audiodg.exe (PID: 6780)
      • audiodg.exe (PID: 6244)
      • RUXIMICS.exe (PID: 2864)
      • winlogon (PID: 2692)
    • Reads the computer name

      • audiodg.exe (PID: 6244)
      • audiodg.exe (PID: 6780)
      • winlogon (PID: 2692)
    • Reads the machine GUID from the registry

      • audiodg.exe (PID: 6780)
      • audiodg.exe (PID: 6244)
      • winlogon (PID: 2692)
    • The sample compiled with english language support

      • 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe (PID: 5356)
      • shost.exe (PID: 7276)
    • Creates files in the program directory

      • RUXIMICS.exe (PID: 2864)
      • shost.exe (PID: 7276)
    • Create files in a temporary directory

      • shost.exe (PID: 7276)
    • Creates files or folders in the user directory

      • audiodg.exe (PID: 6244)
      • shost.exe (PID: 7276)
    • Reads Environment values

      • audiodg.exe (PID: 6244)
    • Launching a file from a Registry key

      • audiodg.exe (PID: 6244)
    • Checks proxy server information

      • audiodg.exe (PID: 6244)
      • slui.exe (PID: 7220)
    • Launching a file from the Startup directory

      • audiodg.exe (PID: 6244)
    • Disables trace logs

      • audiodg.exe (PID: 6244)
    • Reads the software policy settings

      • audiodg.exe (PID: 6244)
      • slui.exe (PID: 7220)
    • The sample compiled with bulgarian language support

      • shost.exe (PID: 7276)
    • Manual execution by a user

      • winlogon (PID: 2692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(6244) audiodg.exe
C2https://pastebin.com/raw/Fxzr3jeT:<666666>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeXWorm V5.6
USB drop nameUSB.exe
MutexteEgLm0aeViE3IZi
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:08:14 13:36:06+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 218112
InitializedDataSize: 164864
UninitializedDataSize: -
EntryPoint: 0x1a924
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
174
Monitored processes
9
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XWORM 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe #XWORM audiodg.exe #XWORM shost.exe 66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f..exe no specs #XWORM audiodg.exe no specs ruximics.exe no specs #XWORM winlogon no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2428C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
2692C:\Users\admin\AppData\Local\winlogonC:\Users\admin\AppData\Local\winlogon
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
2864%ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetworkC:\Program Files\RUXIM\RUXIMICS.exePLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
5356"C:\Users\admin\Desktop\66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe" C:\Users\admin\Desktop\66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
6244"C:\Users\admin\Documents\diagnostics\audiodg.exe"C:\Users\admin\Documents\diagnostics\audiodg.exe
66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
XWorm
(PID) Process(6244) audiodg.exe
C2https://pastebin.com/raw/Fxzr3jeT:<666666>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeXWorm V5.6
USB drop nameUSB.exe
MutexteEgLm0aeViE3IZi
6780"C:\Users\admin\Documents\diagnostics\audiodg.exe"C:\Users\admin\Documents\diagnostics\audiodg.exe
shost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
7220C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
7276"C:\Users\admin\Documents\diagnostics\shost.exe"C:\Users\admin\Documents\diagnostics\shost.exe
66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
8084"C:\Users\admin\Desktop\66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f..exe"C:\Users\admin\Desktop\66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f..exe66f60766133a50418795e0459fb5350be14946e5f6bd8572f2c8df6271177e0f.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat SpeedLauncher
Exit code:
0
Version:
24.5.20320.0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
881
Suspicious files
47
Text files
137
Unknown types
0

Dropped files

PID
Process
Filename
Type
7276shost.exeC:\Users\admin\AppData\Local\Temp\RCX1AE0.tmpexecutable
MD5:14CB18CB96C594494F4E0A087C8632D8
SHA256:F06E9D264B053E82FFD10CB4DD23D7BEBD0B2AD30ABEDF04DF275AB7EBF08741
7276shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\107480036346.icoimage
MD5:FC7387DEE6FCD172DECBAE102437CE30
SHA256:E3530D306F7F383C6C3DCEAD7C0C5A0B8FBACB6B85B067AF05E98F4C6F502D61
7276shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\474640784729.exe
MD5:
SHA256:
7276shost.exeC:\Users\admin\AppData\Local\Temp\RCX1D66.tmp
MD5:
SHA256:
7276shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\996578802657..exe
MD5:
SHA256:
7276shost.exeC:\Users\admin\AppData\Local\Temp\RCX1ADE.tmpexecutable
MD5:ACA0D96CE3BB1ED5ACDECEB73D84B619
SHA256:F1681BE557C22C911BC29987946ACFC5C187A35427C16936E29AE04C481C7C4D
7276shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\044803054569..exeexecutable
MD5:7E7FA62D67F6FE8E5510F09189E85743
SHA256:1D8F19DD0A92E36D572A944D451BA3E0CD4125129C5762AA121BE42EED961347
7276shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\848230142302..exeexecutable
MD5:0FE7B22CBF619CF188638A6025B81DEB
SHA256:B4DD76CDCFE1DDBD6F4F8436EEF5919D46A06EAE7FD26081E503B77DB450B7CF
7276shost.exeC:\Users\admin\AppData\Local\Temp\RCX19B3.tmpexecutable
MD5:F467DF7005BF3B4AC835CD9356F0B422
SHA256:DE992882DDD38F68A40CDE4FD124CBBDECB5313489F8E0D92D7EC73DC0F17AB3
7276shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\126362478549.exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
49
DNS requests
18
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.18.29.232:443
https://www.bing.com/th?id=ODSWG.8229b0e5-fa8c-4e4a-af74-69717698b903&pid=dsb
unknown
image
4.62 Kb
GET
200
172.66.171.73:443
https://pastebin.com/raw/Fxzr3jeT
unknown
text
28 b
POST
200
20.190.160.14:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251003T162028Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=a02e13ce88154754abc68abacec84578&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=134045512450000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=16.3&dispvertres=768&fosver=16299&isu=0&lo=4245619&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1636149&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
1.34 Kb
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
27.7 Kb
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251003T162028Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=ff6fec202ccd4cb38cb73df9a76d42f0&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=16.3&dispvertres=768&fosver=16299&isu=0&lo=4245619&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1636149&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
3.20 Kb
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251003T162028Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=59719269a9a54299b0bfa88ee506cfdd&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=16.3&dispvertres=768&fosver=16299&isu=0&lo=4245619&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1636149&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
3.21 Kb
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
POST
200
40.126.32.134:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6016
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6864
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6016
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5948
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6244
audiodg.exe
104.20.29.150:443
pastebin.com
CLOUDFLARENET
whitelisted
5224
SearchApp.exe
2.18.29.176:443
www.bing.com
Akamai International B.V.
PL
whitelisted
7080
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
8008
backgroundTaskHost.exe
2.18.29.176:443
www.bing.com
Akamai International B.V.
PL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.78
whitelisted
pastebin.com
  • 104.20.29.150
  • 172.66.171.73
whitelisted
www.bing.com
  • 2.18.29.176
  • 2.18.29.185
  • 2.18.29.170
  • 2.18.29.168
  • 2.18.29.218
  • 2.18.29.192
  • 2.18.29.195
  • 2.18.29.131
  • 2.18.29.139
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.130
  • 40.126.31.73
  • 40.126.31.129
  • 20.190.159.0
  • 20.190.159.130
  • 40.126.31.1
  • 20.190.159.4
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
also-body.gl.at.ply.gg
  • 147.185.221.211
unknown
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2428
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
2428
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2428
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2428
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
No debug info