Malware Analysis Report

2024-11-15 08:31

Sample ID 240407-nrb24abg9x
Target XWorm V5.0_Cracked.7z
SHA256 23e06f8822165853f973fd3414cd084027e1181fecb7fa15d791c22bc35531fb
Tags
agilenet agenttesla
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral29: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral16: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral18: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral20: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral23: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral31: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral32: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral19: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral11: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral17: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral15: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral22: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral26: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral27: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral25: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral12: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral14: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral24: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral28: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral13: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral21: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral30: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

23e06f8822165853f973fd3414cd084027e1181fecb7fa15d791c22bc35531fb

Threat Level: Known bad

The file XWorm V5.0_Cracked.7z was found to be: Known bad.

Malicious Activity Summary

agilenet agenttesla

AgentTesla payload

Contains code to disable Windows Defender

Agenttesla family

Obfuscated with Agile.Net obfuscator

Unsigned PE

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 11:37

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240319-en

Max time kernel

129s

Max time network

141s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\ProcessManager.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\ProcessManager.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

130s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\NAudio.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\NAudio.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

130s

Max time network

141s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\FileSeacher.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\FileSeacher.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\HVNC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\HVNC.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

75s

Max time network

83s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Informations.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Informations.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

146s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\MessageBox.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\MessageBox.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

130s

Max time network

143s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Ransomware.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Ransomware.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

130s

Max time network

143s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Recovery.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Recovery.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

79s

Max time network

82s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.Pdb.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

76s

Max time network

80s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Backports.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Backports.dll",#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:41

Platform

win10-20240404-en

Max time kernel

124s

Max time network

138s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Iced.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Iced.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

125s

Max time network

141s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\HVNCMemory.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\HVNCMemory.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:38

Platform

win10-20240404-en

Max time kernel

35s

Max time network

38s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.Mdb.dll",#1

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 5028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5028 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5028 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5028 wrote to memory of 4516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5028 wrote to memory of 3392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.Mdb.dll",#1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.0.1243318081\1215043186" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40d6576e-3c43-4019-b73c-8c25ac045cc3} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 1796 201d93d9e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.1.420503794\433420976" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfca690b-72ee-45e1-a49b-9456c9bf2b81} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2152 201c6d72558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.2.597577449\340148217" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3060 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {156b0d9c-9cd7-4c89-b461-0e963cfe0b86} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2848 201dd49be58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.3.574625870\370867071" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {496d59a6-9856-4d58-aebd-7998982ccb62} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3504 201c6d62b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.4.1942085002\1464252934" -childID 3 -isForBrowser -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28fda15c-c140-4e67-94be-2dee18bf8097} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3256 201c6d69358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.5.279377489\1473760144" -childID 4 -isForBrowser -prefsHandle 4732 -prefMapHandle 4728 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce73f68a-9ff9-4da6-94ae-62251aa13c9b} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 4716 201df8bf258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.6.364073343\525516213" -childID 5 -isForBrowser -prefsHandle 4872 -prefMapHandle 4876 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afc16e98-c758-4fb4-abe5-295df11410e2} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 4864 201df8bfe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.7.604467966\739666953" -childID 6 -isForBrowser -prefsHandle 5084 -prefMapHandle 5144 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8e4839-80a2-4adb-9201-6553ae62f4b5} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5136 201df8c2558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.8.541032723\38259035" -childID 7 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a14ea20-0b27-4632-8abe-09d3713b88c1} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5668 201e12dc758 tab

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3aeb855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
N/A 127.0.0.1:49757 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 54.245.32.185:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49764 tcp
US 8.8.8.8:53 185.32.245.54.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:443 www.google.com tcp
US 8.8.8.8:53 196.16.217.172.in-addr.arpa udp
DE 172.217.16.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 67.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\791e6820-8334-49c3-b5d5-97ebc2008093

MD5 cffe5c10d5f328f5db7ebc796bc79666
SHA1 a40bb1b8cfe9245903e3431d5242d20d6433a9a7
SHA256 a4d66bc5c88cbe12fc40c071450984a63b4eefdba0068a250ef86ff9414cfeb6
SHA512 526701af2e3bd7d25b98402d556a54d53704c6ab9ee9082f2e6d81b36f625f58e6109b676e9ce5c590c9d1090c9d07f862d388cac341ec26b329b904cdd19684

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\b46368f7-ba37-4a2c-b47a-144c10663cb5

MD5 8a5bfe2ae68de0c158147c3c4a50bb7d
SHA1 d3ef7104dc4aa632b016eb468d016fd18c8cdc45
SHA256 b15ebaf400892118d1b607b40494ec1a36182304c1c52ae908f501e6c059406a
SHA512 32e69b0d6d79fb181a87bb9cc85a571dd573c6de775fd13b89594dafa5cc6075b6a98ee1182bc9016a93b82e631800cb0f069c8b86454ed6e7be39da4d0d62f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

MD5 8d8dabdf24215494e3b131d13a37503c
SHA1 b9596bd35d3f5d03bed139b39911591bc76abd50
SHA256 764387b74776ab40f148ba259322d735a95021617d0c9d7ee9ce1a9b0188f9a9
SHA512 5d1ad74e47d0393cb3a1106916493d7065143543223be433a026ba29cbc676441762418d1680fbdeff2365830c90c72624503ebd0ed94a938243c533e369bc59

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 5227db9712d17ce11a5369309ce710b4
SHA1 6a9153997dc82f44622967a8ed1af1c2f3de8440
SHA256 4fd2777a43aa5b3e369dbd1ce74d5f8bb95e4050328589f47665bccd6054ae11
SHA512 7b79a79eaa7c6617356a535c1031cba7c8051a6c4ee209f82490d4b52bedc49b82067fffd05467343228bb182538d639f2acc6390eb3b8c004953a4c011c87bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 5c19871bf50d4d6a5e0e16feb14c54e8
SHA1 5b42858ecc2e52182cf6e749a58029b2a657ce50
SHA256 d01b3f10154b0e65c343f1f845ef0aa6c558c84c45c094b069159ddef30b1b71
SHA512 86cde32197e4c3f0b25425d02140ed47f29bdec0f0cf169e5d9be54aa0f05715edc7246a8b3d637e81271f6b5d38bed07dad144f878e00a42f9332e0c3cf39cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ec0c7a80444485e746140c2369181cb3
SHA1 8ec49527f612f5ba46a89e71fbdba802a02f1f72
SHA256 47c7a08a87fe47176f21cf9a8eae072abad366473718bbb64c77ee9dad27bfa8
SHA512 1e2f9b32bc7acac40d4d28d1be97004b70568b4a6ea34e3f1f95ff13543ea1afe747e07a7f64a9409bdfc914d63d25ff3bea08bb68f6b83c158457d0c7b67578

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

MD5 9a0d82eeb9b1c9584e899e2dcf04e280
SHA1 0e5cd2f0580b698174cca8af7a123c0e27572dc1
SHA256 ad3419214d5b4c6e6ed0f001a3f461ae381bb81a5b7c510014f395270da6b365
SHA512 0c26de426e090cceafa39e485686ec2351bbb55a23ee1280f1063d76639460615888c21108d1f760d870e69468c3dee99d2c3517fe35cb61ec3bd979778cf9b6

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

142s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\ActiveWindows.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\ActiveWindows.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240319-en

Max time kernel

129s

Max time network

141s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\HRDP.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\HRDP.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\FileManager.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\FileManager.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Maps.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Maps.dll",#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Options.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Options.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

129s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Pastime.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Pastime.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

133s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Mono.Cecil.Rocks.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

145s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Ngrok-Disk.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Ngrok-Disk.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

127s

Max time network

141s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Utils.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Utils.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\All-In-One.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\All-In-One.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

132s

Max time network

144s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Clipboard.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Clipboard.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

136s

Max time network

139s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Microphone.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Microphone.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

120s

Max time network

130s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Performance.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Performance.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Core.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.Core.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

127s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.ILHelpers.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\MonoMod.ILHelpers.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Chat.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Chat.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Keylogger.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Keylogger.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-07 11:37

Reported

2024-04-07 11:40

Platform

win10-20240404-en

Max time kernel

129s

Max time network

140s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Programs.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0_Cracked\XWorm V5.0\Plugins\Programs.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A