File name: 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338

Full analysis: https://app.any.run/tasks/5c77d216-3b70-4612-9dad-1ee92f459838
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: September 03, 2025, 16:26:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xworm
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 40E7F9319D64559C2BC3AB6595F419F3
SHA1: 4F5DA8030B4DCC5774D7E8BD967614E77510DFB1
SHA256: 6DD41BFC65FEFF17A243F97340729B3472F519C1029127C5E9FEE03BAFCDE338
SSDEEP: 24576:Xua/vnEYdBVfUJ178S4KwIRZEPDr67F9pg9K/a:XuanEYdBVfUJ178S4KwIRZ6Dr67F9pgV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • XWORM has been detected (YARA)

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • XWORM has been detected (SURICATA)

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
  • SUSPICIOUS

    • Application launched itself

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • Connects to unusual port

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • Contacting a server suspected of hosting a CnC

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
  • INFO

    • Checks supported languages

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 3656)
      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • Reads the computer name

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 3656)
      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • Reads the machine GUID from the registry

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 3656)
      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • Creates files or folders in the user directory

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
    • Launching a file from the Startup directory

      • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (PID: 892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(892) 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
C2: 104.250.180.178:7061
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.2
Mutex: XczLagvCjDnYaiUQ

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:04:12 07:30:42+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 453632
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x70a26
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: EP2_Filosofos
FileVersion: 1.0.0.0
InternalName: rpUB.exe
LegalCopyright: Copyright © 2015
LegalTrademarks: -
OriginalFileName: rpUB.exe
ProductName: EP2_Filosofos
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Screenshots: all screenshots are available in the full report
Total processes: 139
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes in the graph, in the order shown (parents are listed in the process table below):
  • start
  • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (no specs)
  • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (no specs)
  • 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe (#XWORM)
  • slui.exe (no specs)

Process information

PID: 892
CMD: "C:\Users\admin\AppData\Local\Temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe"
Path: C:\Users\admin\AppData\Local\Temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
Parent process: 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
User:
admin
Integrity Level:
MEDIUM
Description:
EP2_Filosofos
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
XWorm configuration (PID 892, same values as listed above): C2 104.250.180.178:7061; AES <123456789>; Splitter <Xwormmm>; Sleep time 3; USB drop name XWorm V5.2; Mutex XczLagvCjDnYaiUQ
PID: 2532
CMD: "C:\Users\admin\AppData\Local\Temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe"
Path: C:\Users\admin\AppData\Local\Temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
Parent process: 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
User:
admin
Integrity Level:
MEDIUM
Description:
EP2_Filosofos
Exit code:
4294967295 (0xFFFFFFFF, i.e. -1)
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3656
CMD: "C:\Users\admin\AppData\Local\Temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe"
Path: C:\Users\admin\AppData\Local\Temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
EP2_Filosofos
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4948
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 1,156
Read events: 1,156
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID 892, 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe → C:\Users\admin\AppData\Roaming\XClient.exe (executable)
  MD5: 40E7F9319D64559C2BC3AB6595F419F3
  SHA256: 6DD41BFC65FEFF17A243F97340729B3472F519C1029127C5E9FEE03BAFCDE338
  (same MD5 and SHA256 as the submitted file: the sample copies itself into %APPDATA%)
PID 892, 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe → C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (binary)
  MD5: 1AF26A9FB14F864EB68561977002B020
  SHA256: F996216D2CD03DCEF228A95CB76648185B1F77CD9EAA5959368D3EFFF963C9E3
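The two dropped files are the sample's persistence: XClient.exe in %APPDATA% carries the same MD5 and SHA256 as the submitted file, and XClient.lnk in the user's Startup folder launches it at logon. The Python below is an added example, not part of the ANY.RUN report: it resolves every .lnk in a Startup folder with a minimal MS-SHLLINK parser (it reads only the LinkInfo LocalBasePath, so it works on a mounted image or a Linux triage box without COM; a shortcut that carries just an IDList or a RelativePath comes back unresolved), hashes both the link and its target, and flags anything matching the hashes above. The .lnk and target used in the demo are constructed fixtures; on a live host point `hunt_startup` at the Startup path shown above.

```python
"""Added example, not part of the ANY.RUN report: hunt for the persistence this
sample sets up (a self-copy at %APPDATA%\\XClient.exe plus XClient.lnk in the
user's Startup folder) on a live host, a mounted image or a Linux triage box.

The .lnk is resolved with a minimal MS-SHLLINK parser that reads only the
LinkInfo LocalBasePath; a shortcut that carries just an IDList or a
RelativePath comes back as None and should be resolved another way. The .lnk
and target used by run_demo() are constructed fixtures, not the report's files."""
import hashlib
import os
import struct
import tempfile

# SHA256 values from the "Dropped files" table above (lower-cased for lookup).
IOC_SHA256 = {
    "6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338": "XWorm sample / XClient.exe",
    "f996216d2cd03dcef228a95cb76648185b1f77cd9eaa5959368d3efff963c9e3": "XClient.lnk",
}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO = 0x1, 0x2                               # ShellLinkHeader.LinkFlags bits
VOLUMEID_AND_LOCALBASEPATH = 0x1                                  # LinkInfo.LinkInfoFlags bit


def lnk_local_target(data: bytes):
    """Return the LocalBasePath of a Shell Link, or None if it carries no local path."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # first structure after the 76-byte header
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList: IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINKINFO:
        return None
    if not struct.unpack_from("<I", data, pos + 8)[0] & VOLUMEID_AND_LOCALBASEPATH:
        return None
    start = pos + struct.unpack_from("<I", data, pos + 0x10)[0]   # LocalBasePathOffset
    return data[start:data.index(b"\x00", start)].decode("cp1252", "replace")


def build_lnk(target: str) -> bytes:
    """Construct a minimal .lnk (empty IDList + LinkInfo with LocalBasePath) as a fixture."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_IDLIST | HAS_LINKINFO,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"                 # only the TerminalID
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"    # fixed drive, empty label
    path = target.encode("cp1252") + b"\x00"
    info = struct.pack("<IIIIIII", 0x1C + len(volume) + len(path) + 1, 0x1C,
                       VOLUMEID_AND_LOCALBASEPATH, 0x1C, 0x1C + len(volume), 0,
                       0x1C + len(volume) + len(path))
    return header + idlist + info + volume + path + b"\x00"      # trailing empty CommonPathSuffix


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_startup(startup_dir: str, iocs: dict = IOC_SHA256) -> list:
    """Resolve each .lnk in a Startup folder, hash link and target, flag IOC matches."""
    findings = []
    for name in sorted(os.listdir(startup_dir)):
        if not name.lower().endswith(".lnk"):
            continue
        lnk = os.path.join(startup_dir, name)
        with open(lnk, "rb") as f:
            target = lnk_local_target(f.read())
        lnk_hash = sha256_file(lnk)
        target_hash = sha256_file(target) if target and os.path.isfile(target) else None
        findings.append({"lnk": lnk, "lnk_sha256": lnk_hash, "target": target,
                         "target_sha256": target_hash,
                         "ioc": iocs.get(lnk_hash) or iocs.get(target_hash)})
    return findings


def run_demo() -> list:
    """Lay out a constructed Startup folder in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "Startup")
        os.mkdir(startup)
        target = os.path.join(root, "XClient.exe")
        with open(target, "wb") as f:                 # stand-in bytes, not the real sample
            f.write(b"MZ" + b"\x00" * 62 + b"constructed stand-in for XClient.exe")
        with open(os.path.join(startup, "XClient.lnk"), "wb") as f:
            f.write(build_lnk(target))
        iocs = {**IOC_SHA256, sha256_file(target): "demo fixture (XClient.exe stand-in)"}
        return hunt_startup(startup, iocs)


if __name__ == "__main__":
    # Live host: hunt_startup(os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"))
    for rec in run_demo():
        print(rec)
```

Hashing the target rather than trusting the link's file name is the point: the .lnk hash will change with every build of the dropper, while the target hash is what ties the Startup entry to this sample.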
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 21
DNS requests: 16
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3540 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.164.48:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
2492 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted
2492 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7124 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3540 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3540 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 2.16.164.48:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.140
  • 40.126.32.76
  • 20.190.160.20
  • 20.190.160.5
  • 20.190.160.17
  • 20.190.160.2
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 2.16.164.48
  • 2.16.164.120
  • 2.16.164.35
  • 2.16.164.72
  • 2.16.164.25
  • 2.16.164.74
  • 2.16.164.131
  • 2.16.164.66
  • 2.16.164.98
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
self.events.data.microsoft.com
  • 20.42.73.25
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID | Process | Class | Message
892 | 6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet