File name:

986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe

Full analysis: https://app.any.run/tasks/1b0d0717-94c1-4f32-8de3-b00444a4ac9a
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: October 03, 2025, 16:30:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pastebin
xworm
auto
rat
auto-reg
auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:

D19B7B2959E83F7DF04647751132FED6

SHA1:

42D1D2C7EF8EA8C19D027496B40DBF05C3BE58E5

SHA256:

986DBE75F3C52CD7B3EF0E8A53618A64D0D2AE5A689321EC80E855F053AF5FC6

SSDEEP:

24576:rhpXkpXuRZ3FtuoUx7Zc0rsP/OYfhZ+IEpzwV0ZhHe:dpXkpXuRZtUx7Znr0OYfhZ+IEpzwV0ZI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XWORM has been found (auto)

      • 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe (PID: 2232)
      • audiodg.exe (PID: 5356)

    • XWORM mutex has been found

      • audiodg.exe (PID: 5356)
      • audiodg.exe (PID: 1644)
      • winlogon (PID: 2004)

    • Changes the autorun value in the registry

      • audiodg.exe (PID: 5356)

    • Create files in the Startup directory

      • audiodg.exe (PID: 5356)

    • XWORM has been detected (YARA)

      • audiodg.exe (PID: 5356)
      • shost.exe (PID: 6940)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe (PID: 2232)

    • Executable content was dropped or overwritten

      • 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe (PID: 2232)
      • shost.exe (PID: 6940)
      • audiodg.exe (PID: 5356)

    • Starts itself from another location

      • 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe (PID: 2232)

    • Process drops legitimate windows executable

      • shost.exe (PID: 6940)

    • Connects to unusual port

      • audiodg.exe (PID: 5356)

  • INFO

    • Checks supported languages

      • 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe (PID: 2232)
      • audiodg.exe (PID: 5356)
      • shost.exe (PID: 6940)
      • 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6..exe (PID: 1992)
      • audiodg.exe (PID: 1644)
      • RUXIMICS.exe (PID: 3984)
      • winlogon (PID: 2004)

    • Reads the computer name

      • audiodg.exe (PID: 5356)
      • 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6..exe (PID: 1992)
      • audiodg.exe (PID: 1644)
      • winlogon (PID: 2004)

    • Reads the machine GUID from the registry

      • audiodg.exe (PID: 1644)
      • audiodg.exe (PID: 5356)
      • winlogon (PID: 2004)

    • The sample compiled with english language support

      • shost.exe (PID: 6940)

    • Creates files in the program directory

      • RUXIMICS.exe (PID: 3984)
      • shost.exe (PID: 6940)

    • Create files in a temporary directory

      • shost.exe (PID: 6940)

    • Reads Environment values

      • audiodg.exe (PID: 5356)

    • Disables trace logs

      • audiodg.exe (PID: 5356)

    • Checks proxy server information

      • audiodg.exe (PID: 5356)
      • BackgroundTransferHost.exe (PID: 2276)
      • slui.exe (PID: 4484)

    • Launching a file from the Startup directory

      • audiodg.exe (PID: 5356)

    • Launching a file from a Registry key

      • audiodg.exe (PID: 5356)

    • Creates files or folders in the user directory

      • audiodg.exe (PID: 5356)
      • BackgroundTransferHost.exe (PID: 2276)
      • shost.exe (PID: 6940)

    • Reads the software policy settings

      • audiodg.exe (PID: 5356)
      • BackgroundTransferHost.exe (PID: 2276)
      • slui.exe (PID: 4484)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 3404)
      • BackgroundTransferHost.exe (PID: 2276)
      • BackgroundTransferHost.exe (PID: 7776)
      • BackgroundTransferHost.exe (PID: 4432)
      • BackgroundTransferHost.exe (PID: 5440)

    • Manual execution by a user

      • winlogon (PID: 2004)

    • The sample compiled with bulgarian language support

      • shost.exe (PID: 6940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(5356) audiodg.exe
C2https://pastebin.com/raw/Fxzr3jeT:<666666>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeXWorm V5.6
USB drop nameUSB.exe
MutexteEgLm0aeViE3IZi
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:08:14 13:36:06+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 218112
InitializedDataSize: 164864
UninitializedDataSize: -
EntryPoint: 0x1a924
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
180
Monitored processes
14
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XWORM 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe #XWORM audiodg.exe #XWORM shost.exe 986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6..exe no specs #XWORM audiodg.exe no specs ruximics.exe no specs svchost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe #XWORM winlogon no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1644"C:\Users\admin\Documents\diagnostics\audiodg.exe"C:\Users\admin\Documents\diagnostics\audiodg.exe
shost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
1992"C:\Users\admin\Desktop\986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6..exe"C:\Users\admin\Desktop\986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6..exe986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
2004C:\Users\admin\AppData\Local\winlogonC:\Users\admin\AppData\Local\winlogon
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
2232"C:\Users\admin\Desktop\986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe" C:\Users\admin\Desktop\986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2276"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
2428C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
3404"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
3984%ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetworkC:\Program Files\RUXIM\RUXIMICS.exePLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
4432"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
4484C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
871
Suspicious files
50
Text files
136
Unknown types
0

Dropped files

PID
Process
Filename
Type
6940shost.exeC:\Users\admin\Documents\logs.txttext
MD5:4D1810D60AB878181AD26B222777860C
SHA256:48D2A83C0C0FB0418063AA69D2F0831CD4CDE48BDD1490AB544DE09AF87183AF
6940shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\928031946801.exeexecutable
MD5:0FE7B22CBF619CF188638A6025B81DEB
SHA256:B4DD76CDCFE1DDBD6F4F8436EEF5919D46A06EAE7FD26081E503B77DB450B7CF
6940shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\524431998488.exe
MD5:
SHA256:
6940shost.exeC:\Users\admin\AppData\Local\Temp\RCX1FA8.tmp
MD5:
SHA256:
6940shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\982833232947..exe
MD5:
SHA256:
2232986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exeC:\Users\admin\Documents\diagnostics\audiodg.exeexecutable
MD5:9367EAFEFD3471A59DF9EE9FFA198573
SHA256:76957A7DB92ABF1667474A4E45477CEA7297E9A25C78C1FADD94795FC5390833
2232986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exeC:\Users\admin\Documents\diagnostics\shost.exeexecutable
MD5:E461ECB73EEC06F911F6CB6249795531
SHA256:F6F0F9DAE7FD6185D07A8D249B3DA11461C8529761AA4B4D5ABFA9E50CBB8FC5
6940shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\183482494534.exeexecutable
MD5:7E7FA62D67F6FE8E5510F09189E85743
SHA256:1D8F19DD0A92E36D572A944D451BA3E0CD4125129C5762AA121BE42EED961347
6940shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\710149369225..exeexecutable
MD5:0FE7B22CBF619CF188638A6025B81DEB
SHA256:B4DD76CDCFE1DDBD6F4F8436EEF5919D46A06EAE7FD26081E503B77DB450B7CF
6940shost.exeC:\Users\admin\AppData\Local\Temp\PROGRA~~1\914585670607..exeexecutable
MD5:7E7FA62D67F6FE8E5510F09189E85743
SHA256:1D8F19DD0A92E36D572A944D451BA3E0CD4125129C5762AA121BE42EED961347
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
52
DNS requests
17
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.160.65:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
GET
200
92.123.104.22:443
https://www.bing.com/th?id=ODSWG.31bcf3d1-4df8-4c6a-9b3a-447ced8d6c39&pid=dsb
unknown
image
4.64 Kb
POST
200
20.190.160.64:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
POST
200
20.190.160.22:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
GET
200
104.20.29.150:443
https://pastebin.com/raw/Fxzr3jeT
unknown
text
28 b
POST
204
92.123.104.16:443
https://www.bing.com/web/xlsc.aspx?t=5&dl=1&wsbc=1
unknown
GET
200
92.123.104.19:443
https://www.bing.com/th?id=OADD2.1361195395705932_16F6RJMMW3GNBDO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90
unknown
image
921 b
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6016
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
8012
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5948
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5356
audiodg.exe
172.66.171.73:443
pastebin.com
US
whitelisted
5224
SearchApp.exe
2.16.241.218:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1536
svchost.exe
40.126.32.136:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3464
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1388
backgroundTaskHost.exe
20.31.169.57:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.142
whitelisted
pastebin.com
  • 172.66.171.73
  • 104.20.29.150
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.205
  • 2.16.241.201
  • 2.16.241.207
  • 2.16.241.222
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.128
  • 20.190.160.4
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.131
  • 20.190.160.14
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
also-body.gl.at.ply.gg
  • 147.185.221.211
unknown
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2428
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
2428
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2428
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2428
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
986dbe75f3c52cd7b3ef0e8a53618a64d0d2ae5a689321ec80e855f053af5fc6.exe