File name: Update.exe
Full analysis: https://app.any.run/tasks/94862bc9-2d67-492a-92a8-1397c086e609
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as malware-as-a-service. It ships with an extensive toolset and is capable of collecting private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered through multi-stage attacks that start with phishing emails.

Analysis date: February 06, 2026, 18:40:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: xworm, auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 25B7F16C1AB577950E8F4D10222C6C38
SHA1: 015D938994F75BD45B13C3AA61F20615DBAE67CA
SHA256: 97017E9FC6D17B551FA1C466B24E1C98A8F1C9859B00D65B717A6207DD2A91CA
SSDEEP: 384:hoxtzFC+nQsEEnsUVc2g0qcV2qHppWWup2Wm2pQ/j6R+gtFqBLTiZw/WNnvK9Ikt:CVc2FHpppwm2p+j6ZF29RVOYhoQ2ql
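Two things in the metadata above are worth checking mechanically on any file that claims to be Discord's updater. First, the hashes: a suspected copy found on another host either matches the three values published here or it does not, and one match is enough. Second, the PE header: the report lists the file as a 32-bit .NET (Mono/.Net) GUI executable whose TimeStamp (2026-02-07 05:30:09 UTC, see the EXIF block further down) is about eleven hours later than the analysis time (2026-02-06 18:40:56), so that field is either forged or, as in deterministic .NET builds, a content hash rather than a build time. Version-info strings such as CompanyName are free text the author controls; the report shows no signature information, so verify an Authenticode signature before trusting the vendor name. The script below is an added example, not ANY.RUN's code or anything from the sample: a stdlib-only triage that hashes a file against the report's IoCs and reads the COFF/optional header (PE type, CLR directory, entry point, subsystem, timestamp). `build_sample_pe` constructs a header-only PE32 carrying the report's values so the parser can be exercised offline; the CLR RVA/size it writes are placeholders.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Hashes the report publishes for Update.exe (lower-cased for comparison).
IOC_HASHES = {
    "md5": "25b7f16c1ab577950e8f4d10222c6c38",
    "sha1": "015d938994f75bd45b13c3aa61f20615dbae67ca",
    "sha256": "97017e9fc6d17b551fa1c466b24e1c98a8f1c9859b00d65b717a6207dd2a91ca",
}
# Sandbox run time and the PE TimeStamp field, both taken from the report.
ANALYSIS_TIME = datetime(2026, 2, 6, 18, 40, 56, tzinfo=timezone.utc)
REPORT_COMPILE_TIME = datetime(2026, 2, 7, 5, 30, 9, tzinfo=timezone.utc)

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header: non-zero means a managed (.NET) image


def file_hashes(data: bytes) -> dict:
    return {name: getattr(hashlib, name)(data).hexdigest() for name in IOC_HASHES}


def ioc_hash_matches(data: bytes) -> list:
    """Names of the report's hashes that this file matches (any one is a positive identification)."""
    actual = file_hashes(data)
    return [name for name, expected in IOC_HASHES.items() if actual[name] == expected]


def parse_pe(data: bytes) -> dict:
    """Read the COFF/optional header fields that matter for triage; raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        pe_type, dirs_off = "PE32", opt + 96
    elif magic == 0x20B:
        pe_type, dirs_off = "PE32+", opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "pe_type": pe_type,
        "machine": machine,
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "entry_point": entry_point,
        "gui_subsystem": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "dotnet": clr_rva != 0 and clr_size != 0,
        "executable_image": bool(characteristics & 0x0002),
    }


def timestamp_is_plausible(compiled_at: datetime, observed_at: datetime = ANALYSIS_TIME) -> bool:
    """A link timestamp later than the first sighting is forged or a deterministic-build hash, not a build time."""
    return compiled_at <= observed_at


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    return {**pe, "ioc_hash_matches": ioc_hash_matches(data), "timestamp_plausible": timestamp_is_plausible(pe["timestamp"])}


def build_sample_pe(compiled_at: datetime, dotnet: bool = True) -> bytes:
    """Constructed header-only PE32 carrying the report's metadata, so the parser can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    opt = bytearray(224)  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x924E)  # AddressOfEntryPoint from the report
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        # CLR header RVA/size: placeholder values, only their being non-zero matters here
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, int(compiled_at.timestamp()), 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(REPORT_COMPILE_TIME)
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real sample; without arguments it triages the constructed header, which reports `dotnet: True` and `timestamp_plausible: False`, the same two findings the report's metadata supports.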

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • Update.exe (PID: 8064)
    • XWORM has been detected (YARA)

      • Update.exe (PID: 8064)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Update.exe (PID: 8064)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2292)
  • INFO

    • Launching a file from the Startup directory

      • Update.exe (PID: 8064)
    • Creates files or folders in the user directory

      • Update.exe (PID: 8064)
    • Reads the machine GUID from the registry

      • Update.exe (PID: 8064)
    • Reads the computer name

      • Update.exe (PID: 8064)
    • Checks supported languages

      • Update.exe (PID: 8064)
    • Checks proxy server information

      • slui.exe (PID: 888)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report

XWorm

(PID) Process: (8064) Update.exe
C2 (1): topq12-50251.portmap.host:50251
Keys:
AES: <123456789>
Options:
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: USB.exe
Mutex: x2rv4ZiAKYnh6gW6

The C2 is a portmap.host port-forwarding name rather than attacker-owned infrastructure, and the forwarded port (50251) is visible in the first label as well as in the explicit port. The AES key string and splitter are the values XWorm uses to encrypt and delimit its C2 messages, the USB drop name is the filename it uses when copying itself to removable drives, and the mutex is what a running instance holds to avoid starting twice; the mutex name and the key are both usable as host-based indicators.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:02:07 05:30:09+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 29696
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x924e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.1.0
ProductVersionNumber: 1.1.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Update
CompanyName: Discord Inc.
FileDescription: Update
FileVersion: 1.1.1.0
InternalName: Update.exe
LegalCopyright: Copyright (c) 2026 Discord Inc. All rights reserved.
OriginalFileName: Update.exe
ProductName: Update
ProductVersion: 1.1.1.0
AssemblyVersion: 1.1.1.0
All screenshots are available in the full report
Total processes: 146
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, update.exe (tagged #XWORM), svchost.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 888
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 8064
CMD: "C:\Users\admin\Desktop\Update.exe"
Path: C:\Users\admin\Desktop\Update.exe
Parent process: explorer.exe
User:
admin
Company:
Discord Inc.
Integrity Level:
MEDIUM
Description:
Update
Version:
1.1.1.0
Modules
Images
c:\users\admin\desktop\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 3 947
Read events: 3 947
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID 8064, Update.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk (binary)
MD5: 01453FD037E2AD478E44000F27E12F3E
SHA256: 53A9826A4396C72B40509F3E75D021FD82940A431917C1C48181E874D43B6EB0
PID 8064, Update.exe: C:\Users\Public\Update.exe (executable)
MD5: 25B7F16C1AB577950E8F4D10222C6C38
SHA256: 97017E9FC6D17B551FA1C466B24E1C98A8F1C9859B00D65B717A6207DD2A91CA

The copy under C:\Users\Public has the same MD5 and SHA256 as the analysed file, so it is a verbatim self-copy rather than a second-stage payload, and the Startup shortcut is the persistence mechanism (the "auto-startup" tag and the "Launching a file from the Startup directory" signature above).
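On a host showing this pattern, the first question is where the Startup shortcut actually points. The following is an added example, not ANY.RUN's code or anything from the sample: a minimal parser for the Windows Shell Link (.lnk) format that reads the LocalBasePath from the LinkInfo block and the working directory and arguments from the StringData section, plus a check for targets in user-writable locations. The report lists Update.lnk and its hashes but not its target; the constructed sample assumes the shortcut points at C:\Users\Public\Update.exe, the copy the sample dropped, which is an assumption. `SUSPICIOUS_TARGET_DIRS` is a starting list, not anything from the page, and the parser reads the ANSI LocalBasePath only (a Unicode copy exists when the LinkInfo header is 0x24 bytes or larger).

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                     (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))

# Startup shortcuts pointing into these user-writable directories deserve a second look
# (starting list, an assumption to tune per estate).
SUSPICIOUS_TARGET_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\windows\\temp\\")


def _cstring(data: bytes, offset: int) -> str:
    return data[offset:data.index(b"\x00", offset)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Return target, working_dir, arguments and the other StringData fields of a .lnk; ValueError if not a Shell Link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"target": None, "name": "", "relative_path": "", "working_dir": "", "arguments": "", "icon_location": ""}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip the IDList; LinkInfo has the path we want
    if flags & HAS_LINK_INFO:
        size, _hdr_size, info_flags, _vol_off, base_off, _net_off, _suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            info["target"] = _cstring(data, pos + base_off)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    for bit, key in STRING_DATA_ORDER:  # fixed order per the spec; each is a u16 char count then the text
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if unicode else 1
            info[key] = data[pos:pos + width * count].decode("utf-16-le" if unicode else "cp1252")
            pos += width * count
    return info


def is_suspicious_startup_target(target) -> bool:
    return any(d in (target or "").lower() for d in SUSPICIOUS_TARGET_DIRS)


def build_sample_lnk(target: str, arguments: str = "", working_dir: str = "", with_id_list: bool = True) -> bytes:
    """Constructed .lnk (header, optional empty IDList, LinkInfo, StringData) for exercising the parser offline."""
    flags = HAS_LINK_INFO | IS_UNICODE
    flags |= HAS_LINK_TARGET_ID_LIST if with_id_list else 0
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ARGUMENTS if arguments else 0
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    struct.pack_into("<I", header, 0x3C, 1)  # ShowCommand = SW_SHOWNORMAL
    id_list = struct.pack("<H", 2) + b"\x00\x00" if with_id_list else b""  # IDListSize plus TerminalID only
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"  # DRIVE_FIXED, serial 0, empty label
    base_path = target.encode("cp1252") + b"\x00"
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"  # empty CommonPathSuffix
    strings = b""
    for text in (working_dir, arguments):  # WorkingDir precedes Arguments in StringData
        if text:
            strings += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return bytes(header) + id_list + link_info + strings


if __name__ == "__main__":
    # Constructed: assumes the report's Update.lnk points at the dropped self-copy.
    sample = build_sample_lnk("C:\\Users\\Public\\Update.exe", working_dir="C:\\Users\\Public")
    parsed = parse_lnk(sample)
    print(parsed, "suspicious" if is_suspicious_startup_target(parsed["target"]) else "ok")
```

To run it over a real Startup folder, read each `*.lnk` under `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` (and the all-users equivalent under ProgramData) and feed the bytes to `parse_lnk`; a target whose hash matches the report's values, or that sits in one of the listed directories, is the artifact to collect before remediation.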
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 47
DNS requests: 20
Threats: 3

HTTP requests

None of the requests below originate from the analysed process (PID 8064); they are Windows Update, settings and CRL background traffic from the guest itself. The Type and Size columns carried no values in this excerpt.

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
3004 | RUXIMICS.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | unknown | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | whitelisted
5536 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | whitelisted
5536 | SIHClient.exe | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | whitelisted
5536 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | unknown | whitelisted
5536 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5536 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | whitelisted
9088 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3004 | RUXIMICS.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

No connection listed here involves PID 8064 or the address the C2 name resolved to (193.161.193.99, see DNS requests below); within this excerpt the only C2 evidence is the DNS resolution itself. The full PCAP should be checked for a TCP session to port 50251 before concluding the C2 was unreachable.

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
9088 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3004 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(not shown) | (not shown) | 2.23.227.208:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
9088 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.32.238.107:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3004 | RUXIMICS.exe | 23.32.238.107:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.221
whitelisted
self.events.data.microsoft.com
  • 20.189.173.7
  • 20.189.173.28
whitelisted
google.com
  • 142.251.208.14
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
  • 23.48.23.11
  • 23.48.23.35
whitelisted
topq12-50251.portmap.host
  • 193.161.193.99
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID | Process | Class | Message
9088 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292 | svchost.exe | Misc activity | ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO DNS Query to a Reverse Proxy Service Observed

PID 2292 is the DNS Client service (svchost.exe -k NetworkService -s Dnscache, see Process information), which resolves names on behalf of every process on the host. The two portmap.host alerts, and the "Potential Corporate Privacy Violation" entry attributed to svchost.exe in the summary above, therefore belong to Update.exe's lookup of its configured C2 name, not to svchost itself; network-side telemetry cannot make that attribution, so pair it with a host-side DNS event source that records the requesting process.
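The two ET rules fire on the queried name alone, and a host-side source such as Sysmon Event ID 22 (DnsQuery) adds the process that asked, which is what turns the alert into an attributable finding. The script below is an added example, not ANY.RUN's code or an Emerging Threats rule: the same detection logic applied to a constructed log excerpt modelled on Sysmon 22 fields (timestamp, PID, image, query). It matches query names against a list of public port-forwarding and reverse-proxy services on a label boundary, pulls the forwarded port out of portmap.host names (the report's C2 name encodes 50251 in its first label), and raises the severity when the requesting image runs from a user-writable path. The sample lines reuse PIDs and images from this report; the line for PID 4412 and the ngrok name in it are invented, and both service and path lists are starting points, not anything the page states.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Hostname suffixes of public port-forwarding / reverse-proxy services malware uses to expose a C2
# behind NAT. portmap.host is the one in this report; the rest is a starting list (assumption).
TUNNEL_SERVICES = (
    "portmap.host", "portmap.io", "ngrok.io", "ngrok-free.app", "ngrok.app",
    "serveo.net", "loca.lt", "localtunnel.me", "trycloudflare.com", "playit.gg", "ply.gg",
)

# A requesting image under one of these paths bumps severity (assumption: tune per estate).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed line format, one DNS query event per line, modelled on Sysmon Event ID 22 fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) query=(?P<query>\S+)$")

SAMPLE_LOG = r"""
2026-02-06T18:41:02Z pid=6768 image=C:\Windows\System32\MoUsoCoreWorker.exe query=settings-win.data.microsoft.com
2026-02-06T18:41:10Z pid=8064 image=C:\Users\admin\Desktop\Update.exe query=topq12-50251.portmap.host
2026-02-06T18:41:15Z pid=9088 image=C:\Windows\System32\svchost.exe query=crl.microsoft.com
2026-02-06T18:41:20Z pid=4412 image=C:\Users\admin\AppData\Local\Temp\a.exe query=abc-12345.ngrok-free.app
this line is malformed on purpose and must be skipped
"""


@dataclass
class DnsAlert:
    ts: str
    pid: int
    image: str
    query: str
    service: str
    mapped_port: Optional[int]
    severity: str


def tunnel_service_for(hostname: str) -> Optional[str]:
    """Return the matching service suffix, matching on a label boundary so 'notportmap.host' does not hit."""
    host = hostname.lower().rstrip(".")
    for suffix in TUNNEL_SERVICES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def portmap_mapped_port(hostname: str) -> Optional[int]:
    """portmap.host names carry the forwarded port as the last '-'-separated token of the first label."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(".portmap.host"):
        return None
    token = host.split(".")[0].rsplit("-", 1)[-1]
    return int(token) if token.isdigit() and 0 < int(token) < 65536 else None


def scan_dns_log(text: str) -> list:
    """Run the detection over every parsable line; malformed lines are skipped rather than aborting the scan."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        service = tunnel_service_for(m["query"])
        if service is None:
            continue
        from_user_path = any(marker in m["image"].lower() for marker in USER_WRITABLE_MARKERS)
        alerts.append(DnsAlert(
            ts=m["ts"], pid=int(m["pid"]), image=m["image"], query=m["query"], service=service,
            mapped_port=portmap_mapped_port(m["query"]), severity="high" if from_user_path else "medium",
        ))
    return alerts


if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(asdict(alert))
```

Against the constructed excerpt this yields two alerts: PID 8064 querying topq12-50251.portmap.host (service portmap.host, mapped port 50251, high severity because the image is under \Users\) and the invented ngrok lookup. A query for the same name logged by the Dnscache svchost would still match on the name, but only the process-aware source tells you which binary to pull.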