URL:

https://github.com/LunarProductionsLab/King-Fortnite-Hacks/blob/main/KingHacks.zip

Full analysis: https://app.any.run/tasks/640ae93e-5ed3-4d36-9dab-dc30b599c831
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: September 02, 2024, 13:01:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
xworm
api-base64
remote
Indicators:
MD5:

456D91BD309D166430BE064A7A8DBDF4

SHA1:

F5BF142BFB1263E15B37DB21F73AA73447A11599

SHA256:

D4741EDB1583E557FA99E91B39220DCFC737F60EBA41D609053E75F70CD8AA92

SSDEEP:

3:N8tEdycj/OHJMERS7Lc:2uccj/OHys3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2092)
      • powershell.exe (PID: 3256)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 4820)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2092)
      • powershell.exe (PID: 2892)
      • powershell.exe (PID: 3256)
      • powershell.exe (PID: 5760)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • XWORM has been detected (YARA)

      • powershell.exe (PID: 6580)

    • Connects to the CnC server

      • powershell.exe (PID: 6580)

    • XWORM has been detected (SURICATA)

      • powershell.exe (PID: 6580)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 2400)
      • wermgr.exe (PID: 6996)

    • Starts CMD.EXE for commands execution

      • King.exe (PID: 5760)
      • powershell.exe (PID: 2092)
      • cmd.exe (PID: 1060)
      • King.exe (PID: 6256)
      • powershell.exe (PID: 3256)
      • cmd.exe (PID: 6236)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 2092)
      • cmd.exe (PID: 1060)
      • cmd.exe (PID: 6236)
      • powershell.exe (PID: 3256)

    • Application launched itself

      • cmd.exe (PID: 1060)
      • powershell.exe (PID: 6100)
      • cmd.exe (PID: 6236)
      • powershell.exe (PID: 6580)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 1060)
      • powershell.exe (PID: 6100)
      • cmd.exe (PID: 4820)
      • cmd.exe (PID: 6236)
      • powershell.exe (PID: 6580)

    • The process executes Powershell scripts

      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 4820)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 2092)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 2092)
      • powershell.exe (PID: 3256)

    • Cryptography encrypted command line is found

      • cmd.exe (PID: 6132)
      • cmd.exe (PID: 5052)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • Connects to unusual port

      • powershell.exe (PID: 6580)

    • Contacting a server suspected of hosting an CnC

      • powershell.exe (PID: 6580)

  • INFO

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 6568)
      • WinRAR.exe (PID: 2400)
      • chrome.exe (PID: 7132)

    • Manual execution by a user

      • WinRAR.exe (PID: 2400)
      • WinRAR.exe (PID: 5744)
      • King.exe (PID: 5760)
      • King.exe (PID: 6256)

    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 6556)

    • The process uses the downloaded file

      • chrome.exe (PID: 6704)
      • WinRAR.exe (PID: 2400)
      • powershell.exe (PID: 2092)
      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 3256)
      • powershell.exe (PID: 6580)
      • powershell.exe (PID: 5760)
      • powershell.exe (PID: 2892)

    • Checks supported languages

      • King.exe (PID: 5760)
      • King.exe (PID: 6256)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 2892)
      • powershell.exe (PID: 6580)
      • powershell.exe (PID: 5760)

    • Application launched itself

      • chrome.exe (PID: 6556)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6100)
      • powershell.exe (PID: 6580)

    • Checks proxy server information

      • wermgr.exe (PID: 6996)

    • Reads the software policy settings

      • wermgr.exe (PID: 6996)
      • slui.exe (PID: 7072)

    • Creates files in the program directory

      • powershell.exe (PID: 6100)

    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • powershell.exe (PID: 6580)

    • Potential library load (Base64 Encoded 'LoadLibrary')

      • powershell.exe (PID: 6580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(6580) powershell.exe
C2azure-winsecure.com:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
Mutexh9qQSpdEYO2OKLY4
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
173
Monitored processes
40
Malicious processes
6
Suspicious processes
3

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs sppextcomobj.exe no specs slui.exe rundll32.exe no specs winrar.exe no specs winrar.exe king.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs wermgr.exe king.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs #XWORM powershell.exe powershell.exe no specs chrome.exe no specs slui.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1060C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\zwdykfz2.ggg.bat" "C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1360C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
1440\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1680C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
2056C:\WINDOWS\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File calc.ps1C:\Windows\System32\cmd.exeKing.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2092powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File calc.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2400"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\KingHacks.zip" C:\Users\admin\Downloads\C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2468C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2892"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3256powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File calc.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events
58 986
Read events
58 859
Write events
121
Delete events
6

Modification events

(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(6556) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(6556) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
Executable files
7
Suspicious files
88
Text files
44
Unknown types
228

Dropped files

PID
Process
Filename
Type
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF12ac07.TMP
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF12ac17.TMP
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:FC81892AC822DCBB09441D3B58B47125
SHA256:FB077C966296D02D50CCBF7F761D2A3311A206A784A7496F331C2B0D6AD205C8
6556chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:19D1A06251A8678F85D8DE5BFAB83807
SHA256:AA6E55DCF84CDAF0BD3F913E7B837F65500E9B71A5A7AA773D02FFBC18C7FF01
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
67
DNS requests
53
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6564
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6596
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpngbgcognadeebkilcpcaedhellh_2024.07.12.235938_all_a6r64uyugl6fjh3lupjqo6w7ai.crx3
unknown
whitelisted
6596
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpngbgcognadeebkilcpcaedhellh_2024.07.12.235938_all_a6r64uyugl6fjh3lupjqo6w7ai.crx3
unknown
whitelisted
6596
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpngbgcognadeebkilcpcaedhellh_2024.07.12.235938_all_a6r64uyugl6fjh3lupjqo6w7ai.crx3
unknown
whitelisted
6596
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted
6596
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpngbgcognadeebkilcpcaedhellh_2024.07.12.235938_all_a6r64uyugl6fjh3lupjqo6w7ai.crx3
unknown
whitelisted
6596
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpngbgcognadeebkilcpcaedhellh_2024.07.12.235938_all_a6r64uyugl6fjh3lupjqo6w7ai.crx3
unknown
whitelisted
6596
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhduz7bl65az7bglitjhwo7b5oa_1062/efniojlnjndmcbiieegkicadnoecjjef_1062_all_adeocrbltt6ccaniukpklryf3ibq.crx3
unknown
whitelisted
6596
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpngbgcognadeebkilcpcaedhellh_2024.07.12.235938_all_a6r64uyugl6fjh3lupjqo6w7ai.crx3
unknown
whitelisted
6596
svchost.exe
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhduz7bl65az7bglitjhwo7b5oa_1062/efniojlnjndmcbiieegkicadnoecjjef_1062_all_adeocrbltt6ccaniukpklryf3ibq.crx3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5796
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4276
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4440
chrome.exe
140.82.121.4:443
github.com
GITHUB
US
shared
6556
chrome.exe
239.255.255.250:1900
whitelisted
4440
chrome.exe
108.177.127.84:443
accounts.google.com
GOOGLE
US
whitelisted
4440
chrome.exe
185.199.108.154:443
github.githubassets.com
FASTLY
US
whitelisted
4440
chrome.exe
185.199.109.133:443
avatars.githubusercontent.com
FASTLY
US
shared
4440
chrome.exe
140.82.114.21:443
collector.github.com
GITHUB
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
github.com
  • 140.82.121.4
shared
accounts.google.com
  • 108.177.127.84
whitelisted
github.githubassets.com
  • 185.199.108.154
  • 185.199.109.154
  • 185.199.110.154
  • 185.199.111.154
whitelisted
avatars.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
github-cloud.s3.amazonaws.com
  • 52.216.211.249
  • 52.216.59.49
  • 3.5.28.33
  • 54.231.135.17
  • 52.217.226.49
  • 52.217.171.249
  • 3.5.28.88
  • 16.182.64.233
shared
user-images.githubusercontent.com
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
whitelisted
collector.github.com
  • 140.82.114.21
whitelisted
content-autofill.googleapis.com
  • 142.250.185.202
  • 142.250.181.234
  • 142.250.186.74
  • 142.250.185.170
  • 142.250.185.74
  • 142.250.74.202
  • 216.58.212.170
  • 172.217.16.138
  • 142.250.184.234
  • 142.250.185.106
  • 142.250.185.138
  • 172.217.18.10
  • 142.250.186.170
  • 142.250.186.42
  • 142.250.186.106
  • 142.250.185.234
whitelisted

Threats

PID
Process
Class
Message
4440
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
4440
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
6580
powershell.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
18 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/LunarProductionsLab/King-Fortnite-Hacks/blob/main/KingHacks.zip