144e0112e2509c1ddd3cf290c4ed10541d9f2b276ff22492111c9951d0ccf98a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shadowdoingmiddlefinger.jpg
Size

115KB
MD5

6c262d8af7b689e1ee119128ab5c6744
SHA1

957a2cc72802a4d6855e38d8a666eec5613bbd8d
SHA256

144e0112e2509c1ddd3cf290c4ed10541d9f2b276ff22492111c9951d0ccf98a
SHA512

9eebfccd59de4db42618a22eeac1546f163cc8ef58a0a2001e133fece84bce2125d466dd0362ca9519f385e38c8728e5f47deb2f08060f0c716de7a4e21556ea
SSDEEP

3072:7XgQupmjDCVSS44xZVWu3hknxdTADaeEHBDpqHBB:E4eVquKxK8ehB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3712	XWorm V3.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133373150524775097"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
60	chrome.exe
60	chrome.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe
388	chrome.exe
388	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3712	XWorm V3.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
4456	7zG.exe
3712	XWorm V3.1.exe
3712	XWorm V3.1.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
3712	XWorm V3.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4576	60	chrome.exe	85
PID 60 wrote to memory of 4576	60	chrome.exe	85
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 1684	60	chrome.exe	89
PID 60 wrote to memory of 2244	60	chrome.exe	88
PID 60 wrote to memory of 2244	60	chrome.exe	88
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90
PID 60 wrote to memory of 2228	60	chrome.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\shadowdoingmiddlefinger.jpg
1⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3b0e9758,0x7ffb3b0e9768,0x7ffb3b0e9778
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=640 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:2
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3224 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4680 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5316 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3364 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5264 --field-trial-handle=2000,i,10738394172653703453,15151059484972187606,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4472

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\" -ad -an -ai#7zMap27899:144:7zEvent2062
1⤵
- Suspicious use of FindShellTrayWindow
PID:4456

C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\XWorm V3.1.exe
"C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\XWorm V3.1.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x4b0
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2b0b2bcc1f7c9ed0ba3c4b86d12bf38c

SHA1
326dc1621864e4ca01ea43d7ddd4f282b7bdcac8

SHA256
df31db4a807b525b95b4c84939e6f2c37c0f6b5bb373ee1b03bda7932baf384b

SHA512
25a51ddde466fef481917e67191b9d7eb90c381dfcfb795d33871e3651c81fd9360e2d31ad79dc04bc3751e991c8872508bb36727f6daf57676bf87dfd621e45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8f8cb9544e99b5f613872071df78d8d2

SHA1
bd24d23b9a74056dffe4f411e44e3d97dc559c6c

SHA256
7bf51ef073a287f8eb582e189ec5dc5f6d38b78167435d384762600b2e8519d0

SHA512
ec9645f1416c658b6002ee5a519a498665929ca6672d0feadd4d3ad6343c49c2850b376ab4052fea2aacc43ba6f0e2d71e21f37ba609c32237d31b8323353bf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
13a645f9a976358f2cd306e3da03c388

SHA1
8d4fd17502a2b94c9225189bdf0755a1d278b574

SHA256
f16501034d9057e463f051c6d7f882b279c9bf6f6b57434799594a63603e1a85

SHA512
86c005f02bfd86019b0f02dff121f384f05a318fa5055c021c7ecbcea56e070346bf07c1b2425cb0b5a8521401c8a0bd368b28a07cf51ef25bb383f56dafb277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
127161763858cca7b69e6e103b4bc3b4

SHA1
dc636176f6f986725215c4740913b83b09c443a6

SHA256
628793269bee11434b523d9b30746dc462a3d9fd76e9de877d9d1841d44cf770

SHA512
2a43945567e983baa53c679f7588793fd0ebab986cd32356c37dbd55a7eaa5152f7f22a820329827e4a6d0da3169293037f2a92c588966b3d2ed090eb70693a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e238f6dd0c088fc06cb211b536323d40

SHA1
2f5b63b6657a22dc7b439fda24126ce9b02833f0

SHA256
5ebffc6d35e59471b95a033e819f55101c73fbaa613e811c87aeb440d18183a8

SHA512
666841ef16c7fb473fc161f1cde5c83de02f28d3c035923e1b6f0a356266b49feeaa3092dab77b7a7ced6571a235c879197a7ec2a6acbedf0c9d342770145cf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d6005de1fe66f0089c233a98c712324d

SHA1
9723338af4610fca84ad26f9617fb6ea938f7bf1

SHA256
74b1235238e84639f8e420267d4c96ea634a53810d9c9e854dcda4baa6c597c7

SHA512
e38e1e8d2738687ae375cb6bb4379aedfb65f47d28a40729bdef7654532f65ef461ee07b48b29b46050383bfa5f5478a73fe0987939b70b31367ec5b00005850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ccec7db4d20545cab190dc1f494c7a73

SHA1
b1b485d41240d23075d68036f1d41cd81cb31732

SHA256
998f458fe49e2949b48b9576a2237ea62bd16b8ea0ebe802a765c24e0b4b7bb1

SHA512
cffd3a0ea92b6ef12f4480e6bda08485b964272f8de8beb2d242fe8c53755d3a6bec99dab68e48d62b072078c5e838b7bd58acb918071099beccfb44798f3d90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3e3be8c6e1a05ba89f91100f714968b3

SHA1
4670e2f147004ba61c72ff06c1123b93c18fa2c3

SHA256
2b25e38bb04335dcfdda6fae46e261e9f79daa40929d08d7b4c724595739cb15

SHA512
4a0aa5b7df132f84d79eb61e324155e7f574dbba392a892980fb85d7d1b452ba4913a1b5e17ce393a3cce8e711e0501a39de115ec46b63e7f58138237472a636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
4c8f5bd3abe10824e281a2b0017d6a1d

SHA1
7fe876e7fb71b1fd938a632a427c97b79b0a5865

SHA256
25c0fa1aa47e77effab22012553372eb138d5dbb57a69100001ee6d098c44470

SHA512
02dde93a3bf1c3553599815578035d18d88e386827ee5ce304dd63a99db3c9546d40e5018e166db6cbe7bd4be6c51af58659440a44b9ca972ab69712cc83c616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
b8ce5601f6f1a3655378e625b08cbc1d

SHA1
06b25dbce9f12d6aa3dcfce3518a915617801af2

SHA256
43c56aa8524b618128bdd6bce1d680f112667076bcbdd9339cf56f1d40ed8a69

SHA512
ead768b196de0355d9bbb168dd919dfedc364693dea8fc877954ee68d66d8d3a51470862570487ed69b059ee3985bc071ec0a00ce4f0ed9e12b18f8ea4e48f94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581f2b.TMP

Filesize
97KB

MD5
1b72d1561e619af2af88c2d08a846bb1

SHA1
ed4bbe4f2abd5769629f14cb963be368f2f9aaf2

SHA256
4247b1d64143fc1eb42119d17e13571ea9d69fc973362e83245e9e9929131d15

SHA512
d2eb8c348cab97b93305da0f2071d52986bd0a1b90c9d6fa048ac93c1b682a7e02ca137d2d1cb79d2dddbd1bd6a249bfb465b0ec385ca0b867e5befeabd9134a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\XWorm-V3.1-main.zip

Filesize
24.3MB

MD5
c62c2acc11b0b428811596a106b4b515

SHA1
5ef29c1bf32ad7c4a3d7400e8d06247e2b920409

SHA256
ac8caebe03bc2c3c903e6ceaa1020c1d362d4f8524d7c4f18670cba802f4f598

SHA512
adff2d54a4cc7d9e8b6fad20f001558e5cdf343595dcc504e6be50eadc37b05f4b9fc4bef95808825adf801640997f889b019a5b2b466a644358443a7d5e7a3a

Download Submit
C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\Intro.wav

Filesize
1.7MB

MD5
dc28d546b643c5a33c292ae32d7cf43b

SHA1
b1f891265914eea6926df765bce0f73f8d9d6741

SHA256
20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851

SHA512
9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56

Download Submit
C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\XWorm V3.1.exe

Filesize
7.0MB

MD5
b7a300c6953f42f199c2ff903feac72f

SHA1
8f7d38270d33ae7f1b1fa49cd03ecfc63576a8b8

SHA256
f40b8ef92f828123c81a8b275ab0e29e44b44b3a175e452eea72a475f6cfaf80

SHA512
80ef310b54e8c54b80649651acb58c07251bdcf1cde9ead0b85123fee2922e40958a78cc029bb28a69c8ea993952c4cf973b4448b9d24580c535a7460dfbca47

Download Submit
C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\XWorm V3.1.exe

Filesize
7.0MB

MD5
b7a300c6953f42f199c2ff903feac72f

SHA1
8f7d38270d33ae7f1b1fa49cd03ecfc63576a8b8

SHA256
f40b8ef92f828123c81a8b275ab0e29e44b44b3a175e452eea72a475f6cfaf80

SHA512
80ef310b54e8c54b80649651acb58c07251bdcf1cde9ead0b85123fee2922e40958a78cc029bb28a69c8ea993952c4cf973b4448b9d24580c535a7460dfbca47

Download Submit
C:\Users\Admin\Downloads\XWorm-V3.1-main\XWorm-V3.1-main\XWorm.V3.1\XWorm V3.1.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/3712-489-0x0000000000230000-0x0000000000942000-memory.dmp

Filesize
7.1MB

Download
memory/3712-490-0x00007FFB35EE0000-0x00007FFB369A1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-492-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/3712-493-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/3712-495-0x00007FFB35EE0000-0x00007FFB369A1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-496-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/3712-497-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/3712-498-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/3712-500-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download