xworm | hxxps://cdn[.]discordapp[.]com/attachments/1346963151010271362/1347597718553497692/Vortex_Gen_PATCHED[.]rar?ex=67cc67ad&is=67cb162d&hm=c4df6fb150802af3e4f40d080a5adf7d9ae3f0fe2421c171ffbd3f3d0b765b3b&

Analysis

max time kernel
574s
max time network
534s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07/03/2025, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1346963151010271362/1347597718553497692/Vortex_Gen_PATCHED.rar?ex=67cc67ad&is=67cb162d&hm=c4df6fb150802af3e4f40d080a5adf7d9ae3f0fe2421c171ffbd3f3d0b765b3b&

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:45776

unit-wellness.gl.at.ply.gg:45776

Attributes

Install_directory
%ProgramData%
install_file
discord.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000027e8f-61.dat	family_xworm
behavioral1/memory/232-63-0x0000000000650000-0x0000000000666000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	discord.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	discord.exe

Executes dropped EXE 7 IoCs

pid	Process
232	XClient.exe
2376	XClient.exe
1156	discord.exe
1740	discord.exe
4712	discord.exe
4264	discord.exe
224	discord.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\ProgramData\\discord.exe"	discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\ProgramData\\discord.exe"	XClient.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4556	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133858364202872333"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
3608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
232	XClient.exe
232	XClient.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
224	discord.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeRestorePrivilege	2732	7zG.exe
Token: 35	2732	7zG.exe
Token: SeSecurityPrivilege	2732	7zG.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeSecurityPrivilege	2732	7zG.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeDebugPrivilege	232	XClient.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
2732	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
232	XClient.exe
224	discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3144	1960	chrome.exe	84
PID 1960 wrote to memory of 3144	1960	chrome.exe	84
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 4644	1960	chrome.exe	85
PID 1960 wrote to memory of 3688	1960	chrome.exe	86
PID 1960 wrote to memory of 3688	1960	chrome.exe	86
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87
PID 1960 wrote to memory of 1140	1960	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1346963151010271362/1347597718553497692/Vortex_Gen_PATCHED.rar?ex=67cc67ad&is=67cb162d&hm=c4df6fb150802af3e4f40d080a5adf7d9ae3f0fe2421c171ffbd3f3d0b765b3b&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb5ee0cc40,0x7ffb5ee0cc4c,0x7ffb5ee0cc58
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4940,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5100,i,13466395732364835096,6623149448952841507,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3068

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Vortex Gen PATCHED\" -ad -an -ai#7zMap18132:98:7zEvent23709
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2732

C:\Users\Admin\Downloads\Vortex Gen PATCHED\Vortex Gen PATCHED\Vortex Gen\XClient.exe
"C:\Users\Admin\Downloads\Vortex Gen PATCHED\Vortex Gen PATCHED\Vortex Gen\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:232
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\ProgramData\discord.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3608

C:\Users\Admin\Downloads\Vortex Gen PATCHED\Vortex Gen PATCHED\Vortex Gen\XClient.exe
"C:\Users\Admin\Downloads\Vortex Gen PATCHED\Vortex Gen PATCHED\Vortex Gen\XClient.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\ProgramData\discord.exe
"C:\ProgramData\discord.exe"
1⤵
- Executes dropped EXE
PID:1156

C:\ProgramData\discord.exe
"C:\ProgramData\discord.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\ProgramData\discord.exe
"C:\ProgramData\discord.exe"
1⤵
- Executes dropped EXE
PID:4712

C:\ProgramData\discord.exe
"C:\ProgramData\discord.exe"
1⤵
- Executes dropped EXE
PID:4264

C:\ProgramData\discord.exe
"C:\ProgramData\discord.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:224
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\ProgramData\discord.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2452
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "discord"
  2⤵
  PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF4F6.tmp.bat""
  2⤵
  PID:464
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a999a4f14965f80ea65ce518095bbd55

SHA1
63dc7da10b131a37818ae98cee1e178f009a752d

SHA256
e7c9c83ea569d8dff4172dcae8df90677ba4107182c436d04f763a7f0d17b129

SHA512
3952325fe3c25fe6d8487dbc6519574fa17a2af66f6611acb51b71fccac69e4a0cd684869042c7884e1dc3acb08749854ced9c6f65936cb6e0e3dd62e4078f5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
57982abc06846a6c0883c9c592600fb9

SHA1
33d23f137a8ca0082a68127b47792a59d2a0d1f0

SHA256
174a9f1f84edf4643280fabc8fa94b7c59e772f3d18b2b9751562f0757ae8647

SHA512
9109678fc6b87ef58137fb7124c6ccde841c20e95392b71eec180c0230b731b2495182a8c1b5544c8f8a34102257dac0754ae54ff5f6410cc8d88e68f3187b6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8d04096ed23ff786e1da6fef9ae2570b

SHA1
caedc7d0745f50e3404a2e554d471469ea3f4ad6

SHA256
7409e48078e6bf6427cca2ad51c5d6d77ceaf8b4c09733658d89e3c347608eda

SHA512
794d055d8a1ceb134e6eab07c39cbb3f2a1ba6f9200aab721378d728cd7749bfe64440128bb5f483bdcf75c2b46af40291852dd64b0a75ffb487b6c14b492bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fa62b6a2250d4c5f38c71ec229b3c951

SHA1
bd959ec940a5e234fbe0943e755705c62881a92d

SHA256
9ebbd5dfb65da9f7a86c98f68d3feb9ecb7529a592941c3512f7a72f47203673

SHA512
bd25b854017cbe14f52b024075b6d35acbf2e5df6b6d35c26f0a251fb2fdfb79d0663a3510470570b727dc18f459df1cfc8847e9b8d6d69fe3991da082f85996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd07645d694f1202a361be13a6ac3de0

SHA1
34a6fc8a072e4686385cb918bc9b64ea82f1f063

SHA256
4279ae007d2051e3adf60a0dfed630e62960f1ef5fe420dcc411e2e17e4bb161

SHA512
5a29f7eafc39dc5609ec37512a54bd3dc5862ab652e2c50d06e3c013c40814a740b9338ca0d80c924a353f14e10891078cb91e641bc636ed31a5f541c203e281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d942f35d98e799ca11148cb76297a99

SHA1
6274f5d6bccbc5c53db51aaab0f2cc90222c0732

SHA256
ce502a72058daffd362ba0f0e5d3578d6a83e2036050552d8485f3b1b4cfeda1

SHA512
136164dd89ff1d903eb0b91bae3a9dd4bc69fe2a9f018a23945b1867c5efd735efe5571200a006093783ced0487b67fa476d9eb59d956aa83453f56a032c14d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
dadd04b91e6a3b97827dac309c852638

SHA1
da7962f631e5cd620bd73da36ecb7f6342f2b32e

SHA256
3be59679611c89108bf406c844cb1cdb57b6ac9c57c9a2d00884968e2fe3bb5c

SHA512
9cf8c27c16d0aa9c59134c5b648f0ac9b4c3280201ba1c399e3cf7ddda85146eded90df7734188bd46f13a458690e868f49fa54bf64493ffcbf8e78d5de4096e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd84b7678b7b83a0e28843a5ed3fd07b

SHA1
6984754142eafbcb1e07c6f23a9d837ca453e9b1

SHA256
068dd1aab0f38292da8754e2c72269cd3158d635fdab6b1b7193a3bd1ecd6e44

SHA512
455933ce02ffea81f54ff5ded8ad5454c393688c92fe6e617de070548dbc90f26f1c60ab8ed9b3eb91ad75241487d4db8a645298fc15063083ae40b1388ceade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e827055e322a6ae7ae6075d829f3ea3

SHA1
0eb4489eb724db2671e89060458e8cf8cfb1795c

SHA256
e6e34acc5df01ab8a4f5bdbce859a2b5a1890e9c28a597be6a758a6c7020dd60

SHA512
b062eb1b964019715f5d25a2af7d73fada8964bb452e7c977a92d38ce6da67035dc046085364969f584ef01e49cd8259ef8577d32e36552c9df27bfc288fa3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
927b62d68f4531b189255eef943df4fa

SHA1
5713518b2080b9dd16ede743318f3cec87887209

SHA256
a8567a9232c13e718198f4dd3183c831b1eafe3e0e73f23c633306b582a7083b

SHA512
feed9772ea08418c0a4f4b0cc174d900b259edc398e205de2de46efc862d40ca28076a4b85dce97f15dc703050500d76d84962cb793ee969e1f3b2ae69dcb454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b5ad603b0a8005911a6a734736d50467

SHA1
7cf66aace61ed90e655ee8f51404c502dbc33a6e

SHA256
e5a28254b74b14aefcd39aa7db8964b9fdeac1c249ae0b82a70fe23991fe71fc

SHA512
9ea9837a2483780c2b74f21c6fcc0c358f917f3dea9a290557c13c508acf1358be6cdd556c8f8df8c6803ee771e505ee591405c136858b75633beefd443b19e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5064367a0aa47f78ac2c28f850d160a9

SHA1
b76863ff876732348165505308e2b35e0c5d7bc4

SHA256
9c75adb4d2cf22bbd4a355f2754aae1f84d1c7d281847e822107e729550e2967

SHA512
ef9a072c9d4acf7912032372ae459f352f90cf100de45637a68b2fb1a531880aa7625b47ecc5f686c3f4112b18315af0c071fa56c5d273e925fb56cb94505067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54f4c398c194c5168d882bfa16afdb27

SHA1
5e1d23c54a6999a9484437992e90ecaa4aa02ab5

SHA256
c3e1471bbc24f51f41d7c4c03069cae0bb975f25460143709a4e035d4b1f2db5

SHA512
0f213c8b10887d8f1dcc4619db181ffad7f464eccd262a991f3a22d849a705c0a63bff117ba90bc1eba855d51ba02eb558bef068dc5106193afc3a8dee2a9cc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6eb7b15eefe7303aced64b2e2f9e75a1

SHA1
4bf70ed1924e28d3a14fb16ec07b4f0e0a788487

SHA256
84802a203a279fc04c9be190bba652780ddfbe369aca1c74a1cadb47a8ed2f4a

SHA512
1b5603c5e155735c60eff708c4b3d2cbd80a813702b016b2a606ccc136e2756b8967f64f8167d01e6009bc60f56fa3ca9d2034d78905c20a86b7dcf29eb88c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7049850c083fd8e5d88291e0ebbf20cb

SHA1
6d668dddba5dc58e8a2b5d0eaadcd7f026245d36

SHA256
b775ae6c7eb00bc0f9bb8b4e22016141d71c6dcb4179b9df848f8515f638f1b2

SHA512
50f21ea6f81440962045cdbf6bef0113a8117869a29931e3e34874289672134e0a7458c4e0bf2998a3c531baf6174bcd202d9f3a609227e82b47493127d6439d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c93ab6a4a6c5e30c29b2dc38054bbada

SHA1
8e0d56ea97c3229b2c255d8e0f279101826ec977

SHA256
c859b748993d77538738768996f1786d87a70df38a386cda0fa417ee8f3cdc30

SHA512
e8f1ee95ab36bca6acfdb5bcb1248bd2951e1053cec812bce7b0dc9e9a9275e4f486adbc6106df97c9ec1795a0a3f93b602fcc3ca28e9a9d1158f373fb7f34bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ae378e73b47a02c32c5bd8042b87c11

SHA1
2ea05756a846d8e3475cc6ca1f26c44233dfdf32

SHA256
78976a35c06914c7948d02c33cc0cc1355a85c9dea9fce49f54f1c419c9e66b7

SHA512
2251d3f18970ec5a361b1c3c2c609608e729707794125d19385b4aad2faf7ed8e31234a9fb904dd391dd60f23476b004d90553e68749e65717e7949c3a0bc204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d44e124c11d251c22e791f6bcec0907

SHA1
39cbff6b290cf686376398eb31dbbcc31b6d0a38

SHA256
6bfa4ec78be2baf5d23af610800035212d6c4d55c9ec1e6ba86dac690267b6fd

SHA512
a0231fca81c5178941c691d8608d1993bdbe2112a0535d6f0793d46ec3220af370dc54f1a322f6242ab2917cc37f86812614407612babba653ade724ff9ac6e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b91906c3b8fc622bad33e86ea4775488

SHA1
52a51a1ffb181842ffc553fb852c7e6e26044a43

SHA256
cc1a05d5d7f09669a9918a2fda714295eca996b6b7d36aa9809432939705d5ed

SHA512
22d906c642cdc526d7def37339034254ae00833b6935648948a8a721ae22d6ad42576d7b975813038286b72ccbb8ab2126e137c5252210481b6a0be27934b967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
754d884a7400994aeddd414c79254379

SHA1
a260d8bb63a8746291d44c1602340106c9850ce2

SHA256
e2b91495e8a99aa1b4add89d62cc9d4f018547c0b421d4c9f40883e4f4e30a24

SHA512
37eacaded438a8f6fdbdaebea66dc6bd0886b11fb29f1ad7581de9725c5624f6a097e7ddadc789c8095065f2f4d7b36734a6c80490354a11347787ea49e4b62b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2988f5e4baa73ae737758c41cfa451f

SHA1
dc8f1250091449e4a2449fc0d739b3701c32f0eb

SHA256
03d25cd4e59894704fade21bf1470492a63b7cbe1327960c4c47f628f7916bd4

SHA512
826e5e767c6f81798d18554035cf2f87332bf2ca9f03d5f53dd7dd3010702565f88130b8323acbc651ffd010c9c563842b4dd6da6bf9f78db02c2d3a7404b604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cecefb9351b0d50ca5fed8dbf843ba8

SHA1
4c7185e4f6a2103a5c53ab01889f29c9b044f65e

SHA256
bbc88d3e32c4cdb0f250ad2095c13fc8a476cfb1f6d5b5499e3266028c8c98f3

SHA512
b9a3772bbcdb249357d14c50247f3a54ece88751fa0ba149dde425fa025c6a073b64b372d97cbba3d428b131fa83cca26e7cc81f49f8a06ca3da85f78098b3c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
015ae07e6def5b01a880bc743405514a

SHA1
f59e08417a6be694b2e92d8b72b235df66dd82a0

SHA256
f166d30ea26cb0f636f9922e96bffc65c606ec0287d1f4b6b4fb5753dccb852f

SHA512
f91c96b66c1012df753f2173ddd1542083ece2a5fa194e9fd519383985fd97877258d6f644afdc636c9e50f5c53e5b2b8786b226bc0eca8c8ed55ca2547ded61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
38bf62f56a03bdfe9d6f7ed41cead0e0

SHA1
6a53a1a37b81b596f194541988d87a9f4c64cdb7

SHA256
4676b454eee56b5ae4f9935f291d7b5e04dfe2d55e485c578f27e1a0de3c3f70

SHA512
2f29e442a823d7be56104187e62d02ecacfa3fbd4b395daaa5b4926361d01857fa56918285809a463ee54cf9411dd09dc4237538136daded99708193362a283d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99a2bf6c0cadf515d9d9f2ca5ebbb58d

SHA1
18f908db25ab24d37d2c7665fc438ec9385596b5

SHA256
f7fbd82e49bd1278fa806ed332cf580511448dc579a47c935102a2f31e43fcd2

SHA512
0760e4ac1df8527467e7bfc28e13be569ce04518716ec4aa850e96a24cd46b8a09670d1eec9ac4a9ed85b80520dab701cb498173633d2c3d73dd10486ccaedac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
7a0869738dd33a47baa6db359f88e854

SHA1
17316e8a0bc88015d48949bd00c2c0716878dd78

SHA256
81290b073e307f91512ee7e244f9029a3b625649b2d225a73b0c6f6abb190a89

SHA512
88097d244c89b7e33b8c1b55d1cffd9d896f314f45ce9a075a396bee023513a7e142c7daab9b8f062c137a484b8139bec6584953fec77b6342e7be5c82d9a1cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
9384e9598cad46f8d4f5a8cf40017598

SHA1
09e1f0d6cd7f16bf82a38564925e5234d44341a9

SHA256
8c0cbac9cd59841698403f72fdf2128ae569a9fb2e795bfa003d00367fdbcf38

SHA512
4b23aee2ac556072c045988c9d5f6f9eeae06b6c091e84cedee7465f917b794fe740acc5846604fbb440ab674928443d7b77d99cbafe38cfe42d23dcab0f5a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4F6.tmp.bat

Filesize
140B

MD5
26c9effe06149e83a818f7b4131094e6

SHA1
9a77cb6dad7db0d57ef8eafb871bcb4b118df17c

SHA256
165eb94cd361957be8f876527e47f93f8d2d26ce2eb3aaf524286e7adba1ff40

SHA512
77802ec443bfb510b6fee96ea6d7a9dbd2a13bc8d6552a5ab627e2e11477f1c2adee5ae093f51b7d9b61f18638479930730b66c9935c698dcbe038deb2940ca0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk

Filesize
670B

MD5
211945a7d264e0eaad56b774594461db

SHA1
525549b9e0a07d39bd09e70f89ab4198e823eb1e

SHA256
6840dcc522c8561a255d92346d4ed2e7c2c0e3455e205502adf05e90590bdae1

SHA512
4fcb17d1ac84b3c5efdbe4d8cef058e4b3945f72fb4e8cff8b5e1d10c096a18721b1c285a0ce8b7d2aa0490d2dbff6a903bd27df8a9bb6a822f2bc33a3333d88

Download Submit
C:\Users\Admin\Downloads\Vortex Gen PATCHED.rar

Filesize
35KB

MD5
0c07f5734cea1c7bac60415afc339ac0

SHA1
d4da3cfee0ae0df63a08fb80b4e1e7316db7e98c

SHA256
f56f841675ccff84cd702060121b94dc9b86a7d3fcd5864bc24849e42e0d3d8d

SHA512
5a1a8b3c15efc8492626844cf925a2e9902a9fb0a09611d7930e901f4cedd5a75648b9c7eeccc71898babf6d5ac36db1343c887e0518a205acb45075c2bbf00f

Download Submit
C:\Users\Admin\Downloads\Vortex Gen PATCHED\Vortex Gen PATCHED\Vortex Gen\XClient.exe

Filesize
59KB

MD5
b31d0f6da57aeaddc1666df77a54c6c3

SHA1
2f2ff3b4bff5b6b98f98e88188f5af1bda4669b9

SHA256
5916be1d46719f87e37e55b78d11ad393ca407bd33dfb6e20976652c3e1289cf

SHA512
5ebd2d609f4a625f1fa98b76afe894e966a0e087d440983b0d2550440701ec5ff99b8cc6e76d93d0de2ef832ab1a69cbbd10427713f56f4d67d03f98bbed12ec

Download Submit
memory/232-63-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download