File name: Squidward.exe
Full analysis: https://app.any.run/tasks/0e7632f0-5ad0-4eb1-ac6b-3e32f6772321
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: April 26, 2025, 23:20:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: xworm, remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 75EB4BC3CF60DB6166CA18DDDB8DD9E2
SHA1: FF6764239503E0FB76539934E12B4E561B2BEF4C
SHA256: 728D11C18659CAA7BB067DC364BC7B43BA2B1A7D1318567D44AC1243DB40D07F
SSDEEP: 98304:IetTtxIjle13m3VLaSMWP81j8GyL/nkLV3ohCrw3CINp9JRekeL7BNYE9ZjAhgGf:kly+1YCRHAvCeRrcI0n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • XWORM has been detected (YARA)
      • COM Surrogate.exe (PID: 7392)
    • XWORM has been detected (SURICATA)
      • COM Surrogate.exe (PID: 7392)
    • Uses Task Scheduler to run other applications
      • COM Surrogate.exe (PID: 7392)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Squidward.exe (PID: 7340)
      • squidward.exe (PID: 7432)
    • Reads security settings of Internet Explorer
      • Squidward.exe (PID: 7340)
      • COM Surrogate.exe (PID: 7392)
    • Reads the date of Windows installation
      • COM Surrogate.exe (PID: 7392)
      • Squidward.exe (PID: 7340)
    • Contacts a server suspected of hosting a CnC
      • COM Surrogate.exe (PID: 7392)
    • Connects to an unusual port
      • COM Surrogate.exe (PID: 7392)
    • Contains functionality for taking screenshots (YARA)
      • squidward.exe (PID: 7476)
    • Process drops a legitimate Windows executable
      • squidward.exe (PID: 7432)
  • INFO
    • Reads the computer name
      • COM Surrogate.exe (PID: 7392)
      • Squidward.exe (PID: 7340)
      • squidward.exe (PID: 7476)
    • Reads the machine GUID from the registry
      • Squidward.exe (PID: 7340)
      • COM Surrogate.exe (PID: 7392)
    • Checks supported languages
      • squidward.exe (PID: 7476)
      • Squidward.exe (PID: 7340)
      • COM Surrogate.exe (PID: 7392)
      • squidward.exe (PID: 7432)
    • Creates files in the program directory
      • Squidward.exe (PID: 7340)
    • The sample is compiled with English language support
      • Squidward.exe (PID: 7340)
      • squidward.exe (PID: 7432)
    • Process checks computer location settings
      • Squidward.exe (PID: 7340)
      • COM Surrogate.exe (PID: 7392)
    • Checks proxy server information
      • slui.exe (PID: 8184)
    • Reads the software policy settings
      • slui.exe (PID: 8184)
    • Creates files in a temporary directory
      • squidward.exe (PID: 7432)

XWorm configuration

(PID 7392) COM Surrogate.exe
  C2: 147.185.221.27:61136
  Keys
    AES: <123456789>
  Options
    Splitter: <Xwormmm>
    Sleep time: 3
    USB drop name: USB.exe
    Mutex: Y8v0E7bbFqT9Sg5T

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:26 19:40:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 8472576
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0x8167ce
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Squidward.exe
LegalCopyright:
OriginalFileName: Squidward.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 131
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process tree; "no specs" marks processes with no special indicators)

explorer.exe
  Squidward.exe (PID 7340) [start]
    COM Surrogate.exe (PID 7392) #XWORM
      schtasks.exe (PID 7756) no specs
        conhost.exe (PID 7764) no specs
    squidward.exe (PID 7432)
      squidward.exe (PID 7476) no specs
svchost.exe
  slui.exe (PID 8184)

Process information

PID 7340
  CMD: "C:\Users\admin\Desktop\Squidward.exe"
  Path: C:\Users\admin\Desktop\Squidward.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: -
  Exit code: 0
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\desktop\squidward.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll

PID 7392
  CMD: "C:\ProgramData\COM Surrogate.exe"
  Path: C:\ProgramData\COM Surrogate.exe
  Parent process: Squidward.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Version: 6.2.26100.1
  Modules (images):
    c:\programdata\com surrogate.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
PID 7432
  CMD: "C:\ProgramData\squidward.exe"
  Path: C:\ProgramData\squidward.exe
  Parent process: Squidward.exe
  User: admin
  Company: -
  Integrity Level: MEDIUM
  Description: -
  Version: 1.0.0.0
  Modules (images):
    c:\programdata\squidward.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\aclayers.dll

PID 7476
  CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\squidward.exe
  Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\squidward.exe
  Parent process: squidward.exe
  User: admin
  Company: -
  Integrity Level: MEDIUM
  Description: -
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\ixp000.tmp\squidward.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\aclayers.dll

PID 7756
  CMD: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "COM Surrogate" /tr "C:\ProgramData\COM Surrogate.exe"
  Path: C:\Windows\System32\schtasks.exe
  Parent process: COM Surrogate.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Task Scheduler Configuration Tool
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\schtasks.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll

PID 7764
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: schtasks.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 8184
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
Total events: 4 787
Read events: 4 780
Write events: 7
Delete events: 0

Modification events

(PID 7476) squidward.exe
  Key: HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
  Operation: write
  Name: GUID
  Value: 50F8F007F522F0118001444553540000

(PID 7476) squidward.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\SQUIDWARD.EXE5AA7BF5700428E00
  Operation: write
  Name: Name
  Value: SQUIDWARD.EXE

(PID 7476) squidward.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\SQUIDWARD.EXE5AA7BF5700428E00
  Operation: write
  Name: UsesMapper
  Value: 00000000

(PID 7476) squidward.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
  Operation: write
  Name: Name
  Value: SQUIDWARD.EXE

(PID 7476) squidward.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
  Operation: write
  Name: Id
  Value: SQUIDWARD.EXE5AA7BF5700428E00

(PID 7476) squidward.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
  Operation: write
  Name: Version
  Value: 00080000

(PID 7476) squidward.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
  Operation: write
  Name: MostRecentStart
  Value: 965549CA01B7DB01
Executable files: 5
Suspicious files: 10
Text files: 0
Unknown types: 0

Dropped files

PID 7432, squidward.exe
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\data.win
    Type: -
    MD5: -
    SHA256: -
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mus_squidboss2.ogg
    Type: binary
    MD5: 9AF59FA3B6634F89C846D4CB42FB9030
    SHA256: 501D4EA9F2AEE91499546A35535215824CECBC56392C3782790AB6D4DE4BF14A
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\s_fart.ogg
    Type: binary
    MD5: EA86B74EAA3F0D47C43911136F62D049
    SHA256: C4721582DC754C7D915854D265C93D78CA6EF06E373E91C897A58BE02B2E927E
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\squidward.exe
    Type: executable
    MD5: EBBEE5AF5B2BF640AC6B6AAD34C6CCA5
    SHA256: 39E553760B2B1FB6189DE1798E48431E1EDDAFC949C1F5A179656AD46B7F58AD
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\s_bossdialogue.ogg
    Type: binary
    MD5: C7A99EA54F5D19CF9C9669F1725E9CB2
    SHA256: 9ED05D57509C5D6B93B36FFDCA08E95415E005AAA639D3D50F32FC31ACC46AAE
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mus_intro.ogg
    Type: binary
    MD5: B786D7B36FF460626B4BE63EB2D6ECBE
    SHA256: E4D73178A53AFED1FA1BD79B70E270A1B589826CDED6CEA944CF5E033D8D1DC8
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mus_level1.ogg
    Type: binary
    MD5: EF59B11CDDEB1079DACDF51B9047E939
    SHA256: 504575B3CD45523810D0B5CB4B4579A8CA34CBB7D79589E2A139E8382FEEEE0A
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\options.ini
    Type: text
    MD5: 396F73A1185A5642F5F1E2538B64396A
    SHA256: E267293F58D257D2DD1E00AD25425BDB798FCBF75256A7D45B7D7086159DBC58
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\D3DX9_43.dll
    Type: executable
    MD5: 86E39E9161C3D930D93822F1563C280D
    SHA256: 0B28546BE22C71834501F7D7185EDE5D79742457331C7EE09EFC14490DD64F5F
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mus_squidboss1.ogg
    Type: binary
    MD5: CCEDE4F723FA54A1A9B73B3104DD5947
    SHA256: 9CA333DD99DAC1A620FA369DE6341AC0566AA260A2CD653F71EF79F121BAB201
HTTP(S) requests: 4
TCP/UDP connections: 25
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.55.236.70:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.12.150.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 23.55.236.70:80 | crl.microsoft.com | AKAMAI-AS | US | whitelisted
2104 | svchost.exe | 23.12.150.96:80 | www.microsoft.com | AKAMAI-AS | AR | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7392 | COM Surrogate.exe | 147.185.221.27:61136 | - | PLAYIT-GG | US | malicious
7184 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain: settings-win.data.microsoft.com (whitelisted)
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
Domain: google.com (whitelisted)
  • 142.250.185.110
Domain: crl.microsoft.com (whitelisted)
  • 23.55.236.70
  • 23.55.236.72
Domain: www.microsoft.com (whitelisted)
  • 23.12.150.96
Domain: activation-v2.sls.microsoft.com (whitelisted)
  • 40.91.76.224

Threats

PID | Process | Class | Message
7392 | COM Surrogate.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Initial Packet
7392 | COM Surrogate.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Initial Packet