File name:

WormExploit.exe

Full analysis: https://app.any.run/tasks/2d683020-40bc-4353-b915-4b21135e9733
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 12, 2025, 11:48:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sheetrat
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

5AB1ED7BA5193C2E446D881302EBC867

SHA1:

776ABE9CCD5038B38EAD5C7906FE90B948C5B14D

SHA256:

10BDFB8CF11EF2E103FDDF4BF99BB353A9DC1574C1FF32179285190DD11685ED

SSDEEP:

12288:DYInR4xK9PmqZcI7DoWUeSJjJZE61XkKRJ9XRhg09j:DHR4xK9+O/7DoWUe6jJZEqko

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • WormExploit.exe (PID: 5244)

    • Adds path to the Windows Defender exclusion list

      • WormExploit.exe (PID: 5244)

    • Changes the autorun value in the registry

      • WormExploit.exe (PID: 5244)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5776)

    • SHEETRAT mutex has been found

      • atata.exe (PID: 6824)

    • Changes Windows Defender settings

      • WormExploit.exe (PID: 5244)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WormExploit.exe (PID: 5244)

    • Reads the date of Windows installation

      • WormExploit.exe (PID: 5244)

    • Executable content was dropped or overwritten

      • WormExploit.exe (PID: 5244)
      • atata.exe (PID: 6824)

    • Starts POWERSHELL.EXE for commands execution

      • WormExploit.exe (PID: 5244)

    • Connects to unusual port

      • atata.exe (PID: 6824)

    • Application launched itself

      • WormExploit.exe (PID: 5244)

    • Script adds exclusion path to Windows Defender

      • WormExploit.exe (PID: 5244)

  • INFO

    • Reads the machine GUID from the registry

      • WormExploit.exe (PID: 5244)
      • atata.exe (PID: 6824)

    • Reads the computer name

      • WormExploit.exe (PID: 5244)
      • atata.exe (PID: 6824)
      • WormExploit.exe (PID: 5640)

    • Checks supported languages

      • WormExploit.exe (PID: 5244)
      • atata.exe (PID: 6824)
      • WormExploit.exe (PID: 5640)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5776)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5776)

    • Create files in a temporary directory

      • WormExploit.exe (PID: 5244)

    • Failed to create an executable file in Windows directory

      • atata.exe (PID: 6824)

    • Process checks computer location settings

      • WormExploit.exe (PID: 5244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:06 14:38:27+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 240640
InitializedDataSize: 140800
UninitializedDataSize: -
EntryPoint: 0x3cb1e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: WormExploit
FileVersion: 1.0.0.0
InternalName: XBinderOutput.exe
LegalCopyright: Copyright © 2025
OriginalFileName: XBinderOutput.exe
ProductName: WormExploit
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wormexploit.exe wormexploit.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs #SHEETRAT atata.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3268\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5244"C:\Users\admin\AppData\Local\Temp\WormExploit.exe" C:\Users\admin\AppData\Local\Temp\WormExploit.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WormExploit
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\wormexploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5640"C:\Users\admin\AppData\Local\Temp\WormExploit.exe" C:\Users\admin\AppData\Local\Temp\WormExploit.exeWormExploit.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WormExploit
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\wormexploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5776"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\atata.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWormExploit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
6516C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
6824"C:\Users\admin\AppData\Local\Temp\atata.exe" C:\Users\admin\AppData\Local\Temp\atata.exe
WormExploit.exe
User:
admin
Company:
VLC Media Player
Integrity Level:
MEDIUM
Description:
Bitdefender Antivirus
Version:
199.299.7.262
Modules
Images
c:\users\admin\appdata\local\temp\atata.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
6 813
Read events
6 811
Write events
2
Delete events
0

Modification events

(PID) Process:(5244) WormExploit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:atata
Value:
C:\Users\admin\AppData\Local\Temp\atata.exe
(PID) Process:(6824) atata.exeKey:HKEY_CURRENT_USER\SOFTWARE
Operation:writeName:hwid
Value:
MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=
Executable files
2
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5244WormExploit.exeC:\Users\admin\AppData\Local\Temp\atata.exeexecutable
MD5:244456A2BD94A231848EB644D8545B4B
SHA256:FDA9422E275B1C3C27D345361ACE290524AF3EACBE2BC99AA800FE3FA8E93D3E
5776powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_votpgtlr.ncd.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5776powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:2CD1EA32BABB27883DAA5C9AEA38EE8E
SHA256:2EB40389DC27EF8BE7FCF75D6C17EB17287BCD5249B76BCA7D9DE1733FC53F3F
5776powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mgbdpfoa.3wc.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6824atata.exeC:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exeexecutable
MD5:244456A2BD94A231848EB644D8545B4B
SHA256:FDA9422E275B1C3C27D345361ACE290524AF3EACBE2BC99AA800FE3FA8E93D3E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
13
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.18.121.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6372
SIHClient.exe
GET
200
104.123.41.162:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6372
SIHClient.exe
GET
200
104.123.41.162:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6656
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5496
MoUsoCoreWorker.exe
2.18.121.147:80
crl.microsoft.com
AKAMAI-AS
FR
whitelisted
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.18.121.147
  • 2.18.121.139
whitelisted
google.com
  • 172.217.16.206
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.131
  • 20.190.160.4
  • 20.190.160.5
  • 20.190.160.67
  • 20.190.160.128
  • 40.126.32.68
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 104.123.41.162
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
please-jet.gl.at.ply.gg
  • 147.185.221.23
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WormExploit.exe