Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 04/02/2025, 16:25
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1171221884562587691/1171222232928890991/ZFy00Zb.rar?ex=67a34474&is=67a1f2f4&hm=b70b79b4d5ab317c25206d8808c3dd56f75ed54dfb33519a559050aae485229c&
Resource: win11-20241007-en
General
Target: https://cdn.discordapp.com/attachments/1171221884562587691/1171222232928890991/ZFy00Zb.rar?ex=67a34474&is=67a1f2f4&hm=b70b79b4d5ab317c25206d8808c3dd56f75ed54dfb33519a559050aae485229c&
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5602729079:AAHue5HGrezQGgwKeWyn3WQgaqOZM5nlF_c/sendMessage?chat_id=6067717150
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Extracted
xworm
3.0
127.0.0.1:7000
GNOz84rYzSmQkcXF
Install_directory: %AppData%
install_file: USB.exe
Signatures
Asyncrat family
Detect Xworm Payload 3 IoCs
resource yara_rule
behavioral1/files/0x001900000002abcf-482.dat family_xworm
behavioral1/files/0x001a00000002abd7-493.dat family_xworm
behavioral1/memory/4712-495-0x00000000002B0000-0x00000000002BE000-memory.dmp family_xworm
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload 2 IoCs
resource yara_rule
behavioral1/files/0x001c00000002ab4b-271.dat family_stormkitty
behavioral1/memory/2300-273-0x0000000000C40000-0x0000000000C8A000-memory.dmp family_stormkitty
Stormkitty family
Xworm family
Async RAT payload 1 IoCs
resource yara_rule
behavioral1/files/0x001c00000002ab4b-271.dat family_asyncrat
.NET Reactor protector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule
behavioral1/files/0x001900000002ab97-212.dat net_reactor
behavioral1/memory/4856-213-0x000001FAFB2C0000-0x000001FAFB9EA000-memory.dmp net_reactor
Drops startup file 2 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe
Executes dropped EXE 3 IoCs
pid Process
4856 XWorm V3.0.exe
2300 Builder.exe
4712 XClient.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Uses the VBS compiler for execution 1 TTPs
Drops desktop.ini file(s) 9 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Builder.exe
File opened for modification C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Builder.exe
File created C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini Builder.exe
File created C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Builder.exe
File created C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini Builder.exe
File created C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Builder.exe
File opened for modification C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Builder.exe
File created C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Builder.exe
File opened for modification C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Builder.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
30 pastebin.com
13 pastebin.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
4 icanhazip.com
12 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Builder.exe
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process
2924 cmd.exe
2140 netsh.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Builder.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Builder.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Modifies registry class 50 IoCs
NTFS ADS 2 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\ZFy00Zb (1).rar:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\ZFy00Zb.rar:Zone.Identifier msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4408 msedge.exe 4408 msedge.exe 3232 msedge.exe 3232 msedge.exe 1128 identity_helper.exe 1128 identity_helper.exe 3764 msedge.exe 3764 msedge.exe 2972 msedge.exe 2972 msedge.exe 872 msedge.exe 872 msedge.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 4856 XWorm V3.0.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 2300 Builder.exe 3896 msedge.exe 3896 msedge.exe 3896 msedge.exe 3896 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
4856 XWorm V3.0.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process
3232 msedge.exe
3232 msedge.exe
3232 msedge.exe
3232 msedge.exe
3232 msedge.exe
3232 msedge.exe
3232 msedge.exe
3232 msedge.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process
Token: SeRestorePrivilege 4564 7zG.exe
Token: 35 4564 7zG.exe
Token: SeSecurityPrivilege 4564 7zG.exe
Token: SeSecurityPrivilege 4564 7zG.exe
Token: 33 1076 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1076 AUDIODG.EXE
Token: SeDebugPrivilege 2300 Builder.exe
Token: SeDebugPrivilege 4712 XClient.exe
Token: SeDebugPrivilege 4712 XClient.exe
Suspicious use of FindShellTrayWindow 48 IoCs
pid Process 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 4564 7zG.exe 4856 XWorm V3.0.exe -
Suspicious use of SendNotifyMessage 15 IoCs
pid Process 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 4856 XWorm V3.0.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
4856 XWorm V3.0.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3232 wrote to memory of 4300 3232 msedge.exe 79 PID 3232 wrote to memory of 4300 3232 msedge.exe 79 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 
msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 2936 3232 msedge.exe 80 PID 3232 wrote to memory of 4408 3232 msedge.exe 81 PID 3232 wrote to memory of 4408 3232 msedge.exe 81 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82 PID 3232 wrote to memory of 1460 3232 msedge.exe 82
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1171221884562587691/1171222232928890991/ZFy00Zb.rar?ex=67a34474&is=67a1f2f4&hm=b70b79b4d5ab317c25206d8808c3dd56f75ed54dfb33519a559050aae485229c&
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3232

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08613cb8,0x7ffa08613cc8,0x7ffa08613cd8
  PID:4300

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
  PID:2936

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  PID:1460

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  PID:3376

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  PID:4752

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  PID:4728

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1128

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  PID:484

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2972

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3764

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:872

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
  PID:1044

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:1
  PID:3132

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  PID:4884

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  PID:4756

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5524 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:3896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:1680
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ZFy00Zb (1)\" -ad -an -ai#7zMap19573:84:7zEvent23751⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4564
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4856 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fvbucpng\fvbucpng.cmdline"2⤵PID:4704
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAEAEE0A88C94CA1A2B085232349314A.TMP"3⤵PID:3408
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:652
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2924 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:992
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2140
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:4560
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- System Location Discovery: System Language Discovery
PID:652 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:1260
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4376
-
-
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XClient.exe"C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XClient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4712
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Browsers\Firefox\Bookmarks.txt
Filesize 105B
-
C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\System\Process.txt
Filesize 4KB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
Filesize 273KB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\GMap.NET.Core.dll
Filesize 2.9MB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\GMap.NET.WindowsForms.dll
Filesize 147KB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\GeoIP.dat
Filesize 1.2MB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Icons\icon (15).ico
Filesize 361KB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Intro.wav
Filesize 1.7MB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\NAudio.dll
Filesize 502KB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Readme.txt
Filesize 235B
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\SimpleObfuscator.dll
Filesize 1.4MB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XClient.exe
Filesize 33KB
-
C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe
Filesize 7.1MB