Malware Analysis Report

2024-10-18 21:30

Sample ID 240808-ybxnzayblk
Target XWorm v5.6 Edition Cracked By @Drcrypt0r.zip
SHA256 c5ac8ed1214c7eb71d2940ce96775f650202ac4e1f4766236196e95d5ac66dab
Tags
discovery agenttesla stormkitty
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5ac8ed1214c7eb71d2940ce96775f650202ac4e1f4766236196e95d5ac66dab

Threat Level: Known bad

The file XWorm v5.6 Edition Cracked By @Drcrypt0r.zip was found to be: Known bad.

Malicious Activity Summary

discovery agenttesla stormkitty

Contains code to disable Windows Defender

AgentTesla payload

StormKitty payload

Stormkitty family

Agenttesla family

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-08 19:37

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

206s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (17).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (17).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

188s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Chromium.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Chromium.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

205s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (7).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (7).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

300s

Max time network

203s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Logs\ErrorLogs.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Logs\ErrorLogs.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

204s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (1).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (1).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

206s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (14).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (14).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

204s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Cmstp-Bypass.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Cmstp-Bypass.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 40.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

204s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\FilesSearcher.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\FilesSearcher.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

278s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (6).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (6).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

207s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\ActiveWindows.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\ActiveWindows.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

188s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Newtonsoft.Json.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Newtonsoft.Json.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

203s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Clipboard.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Clipboard.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

272s

Max time network

204s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Sounds\Chat.wav"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{342C8CF5-4A7D-4842-9B55-935118E33DCA} C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Sounds\Chat.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2cc

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 musicmatch-ssl.xboxlive.com udp
GB 2.19.88.7:443 musicmatch-ssl.xboxlive.com tcp
US 8.8.8.8:53 7.88.19.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 5433eab10c6b5c6d55b7cbd302426a39
SHA1 c5b1604b3350dab290d081eecd5389a895c58de5
SHA256 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 67b4a64882248900c4a186951a1070d9
SHA1 179bce11e3ecd06da56b0cba8d6430a109bc165f
SHA256 672eeee013cbd9c75d762612ae9266bc5522e9a44330e212480f578ab6b55c77
SHA512 4b941fb1cd2ba131e8d6e69ce0eea7d6645a0fb35982f9dcb6b20ee887b6dfc9ef95bc677f53aaf865b1c33fd4a325e412abe3d138102217b05b268e4f0b4a56

memory/1144-30-0x0000000007370000-0x0000000007380000-memory.dmp

memory/1144-29-0x0000000007370000-0x0000000007380000-memory.dmp

memory/1144-28-0x0000000007370000-0x0000000007380000-memory.dmp

memory/1144-27-0x0000000007370000-0x0000000007380000-memory.dmp

memory/1144-32-0x0000000007370000-0x0000000007380000-memory.dmp

memory/1144-31-0x0000000007370000-0x0000000007380000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 fe5f50dfb0dce9d757c2c6a5cd917560
SHA1 6f30c8997848adc5277f11530237f024af6dd97e
SHA256 803b78286206e61f538b8927e88fd9b3aa3db797572daf6e3c6673df524f1f94
SHA512 ac5bb95843a96dcafd2a0ad9c2444eed534bba0afcf9e4e004f19f9681109cdd331ac3deb789e235d3d7f02ea6e08f1dc217832f59b5573a32e6693ff62d266c

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 dd12be02d5bf13e4d864f38be6aad763
SHA1 a22a6a5c931fa5898257c029c2107ec44150b954
SHA256 314f4e5527ecacb60ccf06488652e83b620ccd99828d05fa8660cc01e86dc524
SHA512 31d89b5f60869f72e8cfb9174c9ffed1215809cc0f2ad5a9b0d2836ce166d994e9a36d3180f92815a01dd7c9a7bf9344b37436518bf6edd564921149f70e5810

memory/1144-47-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

memory/1144-54-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\GeoIP.dat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\GeoIP.dat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

204s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (3).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (3).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (4).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (4).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

203s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\NAudio.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\NAudio.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

234s

Max time network

249s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\FileManager.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\FileManager.dll",#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3000,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

203s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\HBrowser.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\HBrowser.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 34.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

272s

Max time network

204s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Sounds\Intro.wav"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{48B4954A-C3E2-4769-B3F6-9E2AE600AF88} C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Sounds\Intro.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f4 0x470

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 2057dfab95452bc568188f08dacfd76d
SHA1 c19106bca30b0ce58d804d620592c4c806003141
SHA256 7eaae7d823ab580ce3a34c547f46c5b52896e4a6eed49dd6b868365eaf5d0fc6
SHA512 a08deb795db84474853f3d6ef14b40ae7e2b899b9070a271a1f399023994c1de36d165cf5351b2cdfecf322ed14f906b9cb4670ee3e90005feb2bca56d5acb5e

memory/1400-33-0x0000000004560000-0x0000000004570000-memory.dmp

memory/1400-31-0x0000000004560000-0x0000000004570000-memory.dmp

memory/1400-32-0x0000000004560000-0x0000000004570000-memory.dmp

memory/1400-34-0x0000000004560000-0x0000000004570000-memory.dmp

memory/1400-36-0x0000000004560000-0x0000000004570000-memory.dmp

memory/1400-35-0x0000000004560000-0x0000000004570000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 8ec692343872f4eaf8cfee54f929e23e
SHA1 9c76e4f80a1d73069c6ea86c847e9804d0099ada
SHA256 440bff28f08e486b5b6fc3fa5f3d57df1ea81ee353708c4f5cb0a243684f4940
SHA512 34c22bdb5404eb420b07d0180609e1442e2668b83be304ef8e757e9362af3b4def60dbda068b6a32d34ee047f3392efcd358d691a14035240e6e9c81d98a6f0e

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 9e42db252f9788b6a1bb9d6d6a6b2143
SHA1 eb5837bd5cda4aaa55ff6c079e1c6409c7399522
SHA256 022b43cce5ed1a022fbf1507b82d0fa1f38a146f9452e45c4a6243dab9348e93
SHA512 e4d062a316e19e6ceb73db5ae347d7ea013c3258e23fb2928cdfb4928d3d67bc2c945426fe784d1ec8fac269b019f53ec07a048085aaaa899cd2845dd6c4d879

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

300s

Max time network

286s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r.zip"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676195322442762" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 3628 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 3628 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 3120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 3120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1104 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd6267cc40,0x7ffd6267cc4c,0x7ffd6267cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2056 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3732 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4972,i,1663927411219935926,9796542376831572131,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.23.206:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
NL 172.217.23.206:443 clients2.google.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 chrome.google.com udp
NL 142.250.179.174:443 chrome.google.com tcp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp

Files

\??\pipe\crashpad_1104_QNZXXNFEOZWDLGLV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a8e27ff791a0afe0d8afc499e81e7ef9
SHA1 626cdb0e240adaa993338b855afcc22d3e833267
SHA256 f4fb091421ebfe5e77b2831602735c2d3d5d16be41e0c35452d5873ad77c1f8c
SHA512 742d5a3014c3f68f9a8fd2f4aa6a3afc64b8ab839afd1cf10a55b7ee37621b0a6d9110d32d3d9aec58c8338b3be8dfa703a194d417525926246899be93ab9df5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5d9c3ceffed98a0f273f1f6a5cb2ef86
SHA1 69dd2da38f2e5951d28725a9dc11e27f8ea73304
SHA256 e7050064d89cf470210cfa7d9fdd6f68b2e21f038a9f98438252b7585704364d
SHA512 3d53b0cff35d1c17f448c58ece4a2b9bb66b45e48d6e47235eefdeecae9f6039c8be9b3cb1304026cd4a7f9980551ed54b50f0e1c4197f1d12f85e2c226568b2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f775b13294601136bb42e02ed695c2f6
SHA1 25723088bb3ef4b91d7f4ef0f9845d26c452da05
SHA256 ab6c488a77eceecb87219dad382d91fea58b8c2cbd5b069881c08d726b57a039
SHA512 728ec5c967eaec13bb2efbcb7c0939d9141d2c61c8f0f22d219b84dc19fc90c8582d1f1f6b33ef27e8573f1265ff6537c588520b9d3dd52293c00fce002b2bbe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 6c16417901a5e31f9099c05cacb46409
SHA1 ccc761581d56362237a15ffc4ffeb39c21649473
SHA256 5371889f0e3a02e218b47d9f0e7f356255f21c0a7baac6aa0ce9c089ee57913e
SHA512 6a2f25468bfa20cfc390fa7726ce05b9b92e69fe9d87668871279060693ee43cc933066132eb11f98b882c668a4ffe18844685b70b5eb10f0ad792745f0cf922

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 80f9ef8593778438554fde4bdc8f0dff
SHA1 075398ce04ab98fe626a653f630e7f597049cc4c
SHA256 1967b7a03100be71ce30c22b611ddd98e010a67d76c881fced5163675d11d758
SHA512 7b54262f2f06af1b1b1d7f4afebde3fe483719c4cb200dda4ed8f63e699ee21ba6e44ced820b3e70dfeb6052ed4a7a37791625d7000529bf4071762790b75a2b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d0e2b8650cccbdd27f8de445804c4e7f
SHA1 3047359192320243b825a384287f7b2ea326bf84
SHA256 34c772175d11cf244f243a7bf33e2cebc8aeb45d464db588ae1c7a012f1cf551
SHA512 d65a625f6c9d21199a56eeb7158e66855864118f3ec5fa7e28a268e1804ddaacc6e700397bd537bfe3a0faaad67043c1c84baf5775ee5068f81c86d838841b5e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\30985c5d-5355-49bc-a4b5-de003d3471eb.tmp

MD5 53bb22252ac8c3a9669ad2b23fd1ced7
SHA1 867abaa669c5a6e70c5555f5b207de3e738ed174
SHA256 37faaac0b9f0340f8c4c1d7b14d5ff60c5bbfe5e41bbb72236dccb82e2a4929c
SHA512 f2fc17a2014013a98662e6298f79ba00120ccc67c44662cb2549df558627c0233565ced1f48fd7f014e221a3a166939a69d23c9b2644eb17868dbb10d36803b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 83c3c1cc64349c817942aea993d4d281
SHA1 282b14be3e41260bf25b0978c422c128a5375833
SHA256 bf4059611b622efe3cf581f025356fd3c68dc48795a0b0eda0ff7a5979138564
SHA512 c64ff932f7821d4a16433325d33ffcf6b02c4e41edac9086efcfc1703ae095ac31e0c713b96408735f655c3fcb3419c9ac8bee673634e2799602a1aa2c9093d1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6838ec92611d2bb3147a3c5531d91312
SHA1 a88d4a892d81574ac5ceb0dd86b3dd89492afc5e
SHA256 8cd77216f5d998d9b81d9f7a24d3887f89ba6c56244731752d1259ca33a25334
SHA512 fcaee7b93dfbca579e2b0b9587b035e73a0f15ebd890607faa8b212d21e9df45eec0601b3bd87ceb257d48bf3106ca978d13b306eb2f00bcb5638787ce2fd5fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 69cc35805efe19c8098bb90411fb3794
SHA1 2d1701f3e081cd094a8930fe08aa02089105d3b6
SHA256 ecb752aaaa05f2644edd4c3a449d228c762c4739bbe5e6f9d9fdfd0563f66ccd
SHA512 aaa9bc583feb8e72e93be1885229514aa381756ddd7fdbaed6a381c55fdbd35588f90230c4009fa3ea8aaa6d4b202a9678d5e630b9eaa1dff44ac4017e711ce3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 458f0cc39926777b64e22033a56aa0d3
SHA1 bd87514bddab02cf5391e52e84f04f2c7147a06a
SHA256 c6d0723cc56c81c951db4bf107754ef4386f4e74add3ad7fb9a77d914764a57c
SHA512 9689de1546a7f5b5503ebc22fd97587e9c9a4a3ba00c603316ecf28e40736ce1c88a784b1f438abfe22bfef00e48c88bb5b71646ea70521b06ec2f7dac3661d3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6e07f3e391e5a4dde6e4c52ad164dd55
SHA1 cdc9100c412cedb3fbd4c99758d9b07837becc22
SHA256 3d7d85c76a81cc236afe1934e218f05e6e19ca809948aea1ccf77ea77890d046
SHA512 a0f6f7a27e3e96f24f6909cfd199edcecc5d5fea3933af5a343cdbb02914b8d0521fa2fd85bf958fbb9824a524bd366423051ec0dcf75386b5614d8070c88f05

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 91baa1bfa20131ae86a7bd2e5f8070cd
SHA1 b87685622d343b413463cc6960aa9b3c2203b8d1
SHA256 6f57b6cace018b7706816ff3551cdec5cd7c352ec1579fb5fcd22e25ff22208a
SHA512 6b76fee538f36aba0f1076bb4a26e61eb60f18f14156a60157e4486260d2e454324fc2a0c1bf5664d1102364abe15bd07159fdec6af7f34e69cdeafd92d1180a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 505160730624f65e73049a1d6dad4ffc
SHA1 cf3c97050088fa1ac20852e883db025e8d0582a6
SHA256 461762dcfd60f9bba39961a315a0a3f4b4e415d8f24498002907e19de2cacbd4
SHA512 380259a736498107da70044d3f1e4292a1c8a8b78bdd503fe7e9a8ba61875d373c7800a43fa0b02d5963f95680c1932fe3bf3702dfd97594f40abac8fdbd2272

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 94def88121ed0f08be4b0f05f8270db6
SHA1 8b1002013a5bc113acf2b1a998fc60b360698af7
SHA256 bcc2450f56e2e7aa92a23a024d6b275ccb80b65a94830594e4186b2d527be100
SHA512 e63c3f189ebb8efd596b7319308f7f544087bd0a94fdcd9008ae4380bedf7679dbbff888c1e76958c60806284e9dc710994d5137fb162f1f2b032f0b53ce3ae5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 266395ef0adcdb97262e03157836522d
SHA1 02691e256d070cede41defe55f602a4f9d088296
SHA256 5b3c3ddbfde52c77bae63f63de1f25a035138dd2a5b3ca16b5c99d059737a42d
SHA512 1d245f6e5194300f806183a35ceab7c0776207ccdb925128dd488431437f678f551594dbe7a19a6e636ff4163f9543840466a87c792875c77c16541831b43cab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b4bc3537c6c21735e9682b34dc0870da
SHA1 53da68e1ae612a6411855acc9cc3f25cac3abdcb
SHA256 44b4c4b4475f2d73ab150aa9480716895416c3aed20e5752bebf55cabb5b08da
SHA512 e45a4825718350f741c98df22a38dc7a42857609293406b974322c233a448ec875c1487b749f7189172af071cdbaef50141e01cea1ef8e872f414a863066c414

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cbdba6b97bad35b522923ceb3c9187d0
SHA1 d346bfae6c5612b0a1cca668e9a5bc8e519488d3
SHA256 438ba4bebbd98bb77947b5248eede765b407027c49edc0643d41d50a3c93fe02
SHA512 85f815a26c7dfe6eaa84ad5e8167dbc8a40bbd413c1a19f4dfe597b337f58838edc37353ab36efd39a2212aa147b0deb546f4150e63cb623d80f79961e78d444

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f0fd460548dfa3861c16956f17a9598c
SHA1 a9d53343e3ca44d08ecf1d66307c234556af7ea0
SHA256 f2cf646bbd6d88738dfedbcceace28150e3441f8f223bdaef61a806a14bca3db
SHA512 d1177784a3738030d477de684678ce950d6628faca9eb5602080396517875d202373d532a2296608623afd339fb1a21426ecf45264d1af899e7c1ce344e7a693

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7a220e19f8f7aeeb93cd691a0b352dc5
SHA1 382c90c3651a215c837650bdaa21c4fbc15c384a
SHA256 a2428426e8daef3f5932b825f0922dabedaf513e85edb1cac9c328769d6a462e
SHA512 95390a145dfa1c04a7ce0ec06d1ae331ad0c4e72343773a18b21b89721b670b895c31821a90fdb7effd81bb02aa7e1ce50a2e1d7a23163e550bd0d8dfda8362d

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

233s

Max time network

253s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (2).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (2).ico"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3668,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

272s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (11).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (11).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (15).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (15).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

204s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (13).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (13).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (9).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (9).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

203s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Chat.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Plugins\Chat.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

207s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (10).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (10).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

300s

Max time network

206s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (5).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (5).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 104.208.16.90:443 tcp
SE 192.229.221.95:80 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (8).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (8).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

205s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (12).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (12).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-08 19:37

Reported

2024-08-08 19:43

Platform

win10v2004-20240802-en

Max time kernel

300s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (16).ico"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By @Drcrypt0r\Icons\icon (16).ico"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A