Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10bin/antvms.dll
windows7-x64
1bin/antvms.dll
windows10-2004-x64
1bin/debug/AnyDesk.exe
windows7-x64
5bin/debug/AnyDesk.exe
windows10-2004-x64
5bin/debug/...in.exe
windows7-x64
10bin/debug/...in.exe
windows10-2004-x64
10bin/releas...se.exe
windows7-x64
10bin/releas...se.exe
windows10-2004-x64
10bin/traffi...or.dll
windows7-x64
1bin/traffi...or.dll
windows10-2004-x64
1bin/xfcmain.dll
windows7-x64
1bin/xfcmain.dll
windows10-2004-x64
1bin/xfcstart.dll
windows7-x64
1bin/xfcstart.dll
windows10-2004-x64
1debugger.exe
windows7-x64
10debugger.exe
windows10-2004-x64
10execution.dll
windows7-x64
1execution.dll
windows10-2004-x64
1injectprint.dll
windows10-2004-x64
3lz4.dll
windows7-x64
1lz4.dll
windows10-2004-x64
1offsets.dll
windows7-x64
1offsets.dll
windows10-2004-x64
1topware.inject.js
windows7-x64
3topware.inject.js
windows10-2004-x64
3topware.py
windows7-x64
3topware.py
windows10-2004-x64
3xxhash.dll
windows7-x64
1xxhash.dll
windows10-2004-x64
1zinl1.dll
windows7-x64
1zinl1.dll
windows10-2004-x64
1zlib1.dll
windows7-x64
1General
-
Target
topware-beta.rar
-
Size
7.6MB
-
Sample
240707-dv8kcsvcqh
-
MD5
cbab2799ab5ed6e4cfd0e90732f8c753
-
SHA1
864db886d8fc8ef3f506681d9a8715c9b7d5ec4d
-
SHA256
e55752ce0e4bdc9426430bf580efd1559864d24c3c0f118d58ff513e6d618fd1
-
SHA512
9a396e4e1a6fb54f1b9eec652da7f906768360953f312bf4d705bd39b406157aa87f8ae8785696eaa538272f769ecbf97f5cd80f87b0ff95319e7ca1f40e5214
-
SSDEEP
196608:kTFmL8iYNZoL66tULFG9BSZmvnHv3t04+VdqhGIEfpx:kxMWZ++LF/ZmvHv3S4+rqhCpx
Behavioral task
behavioral1
Sample
bin/antvms.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
bin/antvms.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
bin/debug/AnyDesk.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
bin/debug/AnyDesk.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
bin/debug/debug.main.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
bin/debug/debug.main.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral7
Sample
bin/release/release.exe
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
bin/release/release.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral9
Sample
bin/trafficencryptor.dll
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
bin/trafficencryptor.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
bin/xfcmain.dll
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
bin/xfcmain.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral13
Sample
bin/xfcstart.dll
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
bin/xfcstart.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral15
Sample
debugger.exe
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
debugger.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral17
Sample
execution.dll
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
execution.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral19
Sample
injectprint.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral20
Sample
lz4.dll
Resource
win7-20240508-en
Behavioral task
behavioral21
Sample
lz4.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral22
Sample
offsets.dll
Resource
win7-20240704-en
Behavioral task
behavioral23
Sample
offsets.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral24
Sample
topware.inject.js
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
topware.inject.js
Resource
win10v2004-20240704-en
Behavioral task
behavioral26
Sample
topware.py
Resource
win7-20240705-en
Behavioral task
behavioral27
Sample
topware.py
Resource
win10v2004-20240704-en
Behavioral task
behavioral28
Sample
xxhash.dll
Resource
win7-20240704-en
Behavioral task
behavioral29
Sample
xxhash.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral30
Sample
zinl1.dll
Resource
win7-20240704-en
Behavioral task
behavioral31
Sample
zinl1.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral32
Sample
zlib1.dll
Resource
win7-20240705-en
Malware Config
Extracted
xworm
79.110.49.233:4444
-
Install_directory
%AppData%
-
install_file
VSREDIST.exe
Targets
-
-
Target
bin/antvms.dll
-
Size
319KB
-
MD5
0867c6c53da333c4a0572e64b2d7466f
-
SHA1
41aced5a92ab64c178177adf12ede86c4a42d1fd
-
SHA256
8372b3b2bd6d1bb1c8beb2780989554dd5599625981d7f297c38e5a870f703cc
-
SHA512
0c2dc57f1c93b51233ccd33fca871a6bac8dd002deb8b7d1b86fca5d4433255dd51928947069f99936e4099b779bd47ae3dcb20de4cccef282ee0fa2f9975ce3
-
SSDEEP
6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ9:kdG
Score1/10 -
-
-
Target
bin/debug/AnyDesk.exe
-
Size
5.1MB
-
MD5
aee6801792d67607f228be8cec8291f9
-
SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066
-
SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
-
SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
-
SSDEEP
98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR
Score5/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
bin/debug/debug.main.exe
-
Size
64KB
-
MD5
36969de6b4bf8de24684de1bb71f624f
-
SHA1
0327d7d9d7f739e4b09bab680249ed997a281c9b
-
SHA256
57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf
-
SHA512
cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548
-
SSDEEP
1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
bin/release/release.exe
-
Size
64KB
-
MD5
36969de6b4bf8de24684de1bb71f624f
-
SHA1
0327d7d9d7f739e4b09bab680249ed997a281c9b
-
SHA256
57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf
-
SHA512
cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548
-
SSDEEP
1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
bin/trafficencryptor.dll
-
Size
346KB
-
MD5
5a188b7f782eb697fb5e12c630bcbea2
-
SHA1
ed665dddb109b219c91d494d1a3433dedab6381e
-
SHA256
8582cd4cfffb6fd4c99ee69ad316c737c9e72d96e6b9c4a470f43743d0f431e9
-
SHA512
3fd5dd66fa12bf4870ed78bd20d6a8f1e9effbee8022455206bae24b635d380cccda9f47d472ebd0e8062981a0a0a4428d277a392c7ea1c351b28af9eccbfd4a
-
SSDEEP
6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZO:kdR7l
Score1/10 -
-
-
Target
bin/xfcmain.dll
-
Size
326KB
-
MD5
ba72f62f7cdb4935d667925625df9559
-
SHA1
908b431bea3fc6b65941276a7662c69266e15490
-
SHA256
b33b11b3033529ff05539ff55c8c3cb476fedb28c3e62df8235ba6ff3b3b20c9
-
SHA512
abaad730a6e099bf6d584a15e397efc4e6e357da31975b9cee8e4a60e4a0301723714fb473c31fbaa1a1b374e3cc648b0b75fdf75d8368722eaa2aab24a073be
-
SSDEEP
6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZk:kd7dz1
Score1/10 -
-
-
Target
bin/xfcstart.dll
-
Size
339KB
-
MD5
88768a731826f71373c397cf874046de
-
SHA1
c90a75c75986e55a3c358f2056df810560c84612
-
SHA256
f434f0d8a67c84bbc9baf18bcbfdff3ce338da3442d135067a22b87c238d6675
-
SHA512
930f754dd59f31c5ef9710104e40f6024c5a49c0d76c16902562b90c887024d3053695a10ba7c8303be441d71d0150d02dc76b6059afb614f83339dad90508b1
-
SSDEEP
6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ9:kdG
Score1/10 -
-
-
Target
debugger.exe
-
Size
64KB
-
MD5
36969de6b4bf8de24684de1bb71f624f
-
SHA1
0327d7d9d7f739e4b09bab680249ed997a281c9b
-
SHA256
57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf
-
SHA512
cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548
-
SSDEEP
1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
execution.dll
-
Size
1.3MB
-
MD5
09cba584aa0aae9fc600745567393ef6
-
SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279
-
SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5
-
SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1
-
SSDEEP
24576:5Ac2t6Twn/0ke6ruDPMY0BQJzTzAC991g44ekgpqc4CQKZi5P9xh0gsWLgiHesms:q6TmQJrXg44ekgpqc4CQKZi5P9xh0gsI
Score1/10 -
-
-
Target
injectprint.dll
-
Size
3.9MB
-
MD5
3b4647bcb9feb591c2c05d1a606ed988
-
SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c
-
SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7
-
SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50
-
SSDEEP
49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
Score3/10 -
-
-
Target
lz4.dll
-
Size
117KB
-
MD5
f7e2f224f8dbe22012c7ff20590b8770
-
SHA1
99775e038e306a2b5f73f6e7d8d42a5799ace824
-
SHA256
c62f829bc0f820bca6bf14b380b285a169cd1395df864bbec692f8ca31bc4e70
-
SHA512
96d2938cd77b48e4efdc7212a92327ac5ce43ad757fcff88eb5cbd3eb2fac1bbcaa2e119881f3cb902c634db8ef16e69146ebfe972ab0ecb2cf3b769e0818f89
-
SSDEEP
1536:FVP0R6tS1m4baJ1ocCcl+DBZD5C3gTg60bEior69ggjpA38Ajcqv:Fxy9bs1oTfBZDugTgpbEXh0A38AYk
Score1/10 -
-
-
Target
offsets.dll
-
Size
1021B
-
MD5
d0b33be30e3ef0fe9e272061a12ee79a
-
SHA1
d4e62e1bf492a991537659c469ebabcb75b4d49f
-
SHA256
8d4cdee0284fbede0c15b61d79d3ff85c1a00a30cc99a469def972e0a044c36d
-
SHA512
c6f25b7d2b32bcfafb25e7e21fb0cc346bf844cbae2e27b78bede4939eb39647e6eed97da3699bd2d5f07e7cc0c1005c6ca6840136a729974c10ffdd6438f247
Score1/10 -
-
-
Target
topware.inject.dll
-
Size
17KB
-
MD5
690738776ba844a6d7d98d8c2ca97737
-
SHA1
c852b8a53e895248b1a182bd4f737bc2a3f1ea3b
-
SHA256
e5b4c0d091db6e95151fa55843b57639e78e2af97d55177fe9e628955f1fc900
-
SHA512
ca05b797535703c8f369d3b7fb5d82813a20d4ea8cd03e7fa26ce2c7059a30fdfc5ffb7317eab9330e161f0fc5196730424720c8c816c3ab90b3703e43ee98d4
-
SSDEEP
192:YWUl1a80XXXPll3iYskmr3COA4TJr6cdcvGxTq6bdxTOZU+OVkWLPisOI7pTh:YWUl1aJHPll3iLdJrrdcvGpQ9kn
Score3/10 -
-
-
Target
topware.py
-
Size
1KB
-
MD5
a8c73f5f04db064ac16b41efaa8b591c
-
SHA1
4da291c845b26e199131c746829e9f04eb5198d3
-
SHA256
264cae1900046b4f1fb0294f852e67e94d226b84ef75b6388cfd5c762197f843
-
SHA512
d2ec2c603fd9cf58becd6698faaf182434b4c23d22bfc1cc456a841e92f32e15dd038442e54d854edd2c2c1e2ba8465d200d971b7a381cd319c5ac797a651b7a
Score3/10 -
-
-
Target
xxhash.dll
-
Size
45KB
-
MD5
161bd3d60228dd16c54a927250af3e49
-
SHA1
463243c3cc2e0bca16f3ced2c3b70c13a0e97fa6
-
SHA256
ecb5aa2bf0ff355a7b36bb3a991264655e13e0f2c9e88b9dfa39d7fe4c5142a7
-
SHA512
3716ce34c1e9931007f374685a6588bc355e942872e7a42eaa4c5be9a0fdc93f081a1dc5c3d8fec4a4563dbd556f4d046f7bf3d50840c02d8aa822eaca7a577b
-
SSDEEP
768:I9otvM7DZ1LMDJdj+LVvgFlJus4zBOQdlyR0/A:I9UEDLMDJxKM0scUS
Score1/10 -
-
-
Target
zinl1.dll
-
Size
1.2MB
-
MD5
a396ee8375252d04da31676fe1b3ff75
-
SHA1
57aee1e5b69a85d0e0b7d5a103ddb683f0204cce
-
SHA256
7dc3aeda7518abb376a6932583669e7e1595a656edeae65af1397807322e8a25
-
SHA512
ff755bed789869a8cc2adc05b7a3b234ef93997b1774cc719d506ce4dd03fcd0ed6d320a13d815e27a21ebdf99f3308ea47a8de6b9a25ca4eaa8fb4045fbb0db
-
SSDEEP
24576:yoCqsxtqSepCBr5fFrHodqht+tmiw9P9TsdJRV5Wodh8NHmoz:3CzASep0r5fFrHoUht+tU9TsrRV5WodE
Score1/10 -
-
-
Target
zlib1.dll
-
Size
87KB
-
MD5
f6fc96cfccdd9958a157546faa4c13a9
-
SHA1
ae8e4171a0583a761ae4428e5757daeedaf2a157
-
SHA256
231e29c228652e9d6504e608a1cc53311e762cd4c78deb7c9ef11bc27f13d3da
-
SHA512
fb983083b5c620616d2547a7903f8ebfd2ad52ed9bdde8264b6e555fb47644c488779d3ade52f5e601dbc31e67f40ea973f41f45af242790dc5d8a91c163c8dc
-
SSDEEP
1536:Q7wjHHWwn1rhEzjEp70E2thqlz4bqIOcIOZFkGnd02H:QcjH2w1EjEpIq6b4SZFfndjH
Score1/10 -