xworm | hxxps://154[.]197[.]69[.]165/

Resubmissions

01/10/2024, 10:30

241001-mj62tsvcjp 10

01/10/2024, 10:26

241001-mgke2svarn 10

Analysis

max time kernel
64s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://154.197.69.165/

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

154.197.69.165:7000

Mutex

jcTVbnlMjCEJAYCp

Attributes

Install_directory
%AppData%
install_file
crss.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023426-57.dat	family_xworm
behavioral1/memory/4340-69-0x00000000009F0000-0x0000000000A00000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 1 IoCs

pid	Process
4340	crss.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722522562450325"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3992	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeDebugPrivilege	4340	crss.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeDebugPrivilege	3992	taskmgr.exe
Token: SeSystemProfilePrivilege	3992	taskmgr.exe
Token: SeCreateGlobalPrivilege	3992	taskmgr.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 968	1832	chrome.exe	83
PID 1832 wrote to memory of 968	1832	chrome.exe	83
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4556	1832	chrome.exe	84
PID 1832 wrote to memory of 4452	1832	chrome.exe	85
PID 1832 wrote to memory of 4452	1832	chrome.exe	85
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86
PID 1832 wrote to memory of 636	1832	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://154.197.69.165/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7902cc40,0x7ffd7902cc4c,0x7ffd7902cc58
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3824,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3112,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5136,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5428,i,14138749050172366088,9682897436497233609,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:5112
- C:\Users\Admin\Downloads\crss.exe
  "C:\Users\Admin\Downloads\crss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
73f7d209147960f529db06d45cc36781

SHA1
c2459ad8b2cd0b4c0c8c1f6324d27c088bb89e70

SHA256
2243b6a94beb47b39f09526ed2a8a907628e361b3142263b839ecc0ab5efbf12

SHA512
f7ea428ed2a1eb02541a0b7bb39b931202bf5a134af32562c7c3fb88c8bdf90c31e26402a5db15d94950d80e6ddd2eeb16b49dbdfedb3fe4937b6885a0fae82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d53b064859aacf38a6eb017ff181d1b6

SHA1
1efa662e14eaedd7e099af2fe075904b6009f8a8

SHA256
0647ad631bf9ab1c6178a572525c1642df4709cec1e16046dece52b473b5e606

SHA512
e77a54a69b0d8ea4b897cb04b960ee037da6b43fabd8417c33d56372005bd1a3564f3a265f2910493cf969ad57d30de661994cf1bd6c74e13b12eb5120d855e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
682cde20d85708149d1a9b467a0cced9

SHA1
beb1fe2ae3f01513a419d5868069fe9f4ae44453

SHA256
d2de702dafd0d649d173263e050d50857784a7d454319ff92de4b3325a8d8df0

SHA512
efcaa75f75dd262edab4e506a10a33ca2086a970da79d370964ef82d918ab52ea04e2d4ae82c9ee39d5a9a200d93394ac49b7f612eb5bd2c3e72f0d153408e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b83a1df6fef615193126e4f5fb210e5

SHA1
177248ae19032112f7c2dff685c485493cfcf923

SHA256
20bdd6d9302ef934ab26dbc47fdb62621cafd2df298e7b8e394e00dd76be8078

SHA512
7798c3cc5da0a82a46e8603e4d5fb77021c8295012a453c143495fc295b7ede920d9ccef40fa1a888a16a7e53e6b4d504351b6369afe9b84b2b5af639e4dd277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6152b2a5db4c273c5755a165f41705a3

SHA1
7261ca7c6ec48820fcf92b0ddd40ec3c053b0694

SHA256
1e50d12a976dd751054373b0d0c97090125bb7116f96dd7bed617d50b7a639f0

SHA512
0c9476a6473b247c6aecb9f5b159523018cb1382440a242c9c70959b871c00e8e5de571c5129af564f09fbfbb62028f4cfc06212a5bb35ee3ac92229cc96c4da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
887e49ba7f4f97748d516fd1e571188c

SHA1
2f9d4684625d42f88c3ead21a097053d9b6afe60

SHA256
1440b30b1caf2d3bad6e67dc043daed60163a11eb6381ec87beffc3a02d79825

SHA512
03fadca6de1cee1135a1c820bb1ff1064539129c2b397144acf36a03562eb2c713555be8f2e5b14c465a953fde01c631deb28e199b4da318b32f07fe3a17ef64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5d1d2a334d7ea3c8e9a809804bdb0ffd

SHA1
12452bb51b822773ffa152855d258fd31042c0af

SHA256
72ee7018a920b99d69de7cc4c622fd3072d6d8183181ad4b196a2f3ee4a66867

SHA512
1f60819de14644e6de21b87b25a98dfc1bb6bbf8e88861cb7c896eea21e5af868d9f8d8b42bf511149c148ffb6ac12440d0560750903cac5c3ed19fd315c6e56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
614b7e9af6cf5fa7c1e1efdef4b349eb

SHA1
41575743457fe84458fbde6be2250a8129a7a84b

SHA256
ebb6dd40160478a731bdf752f8206149dd5ef3bec5e2082f8fec3950dec13fbd

SHA512
6b7456127ed0b60dff22efd120ebc641384a78fcd9165afb44afd58771d869521aadbfd7ab58f70756bf80f4a5159843030c0abcf2789814e077aa27e19132f2

Download Submit
C:\Users\Admin\Downloads\crss.exe

Filesize
40KB

MD5
3ab61ee8a81099edddf87af587420a10

SHA1
d6c0f6f60d13cc786cf7ac0df2c45b5dc47b945c

SHA256
feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f

SHA512
f43326c79ea8bd118fd90efc8c2c8306e02901727ffd7c6666b2a35820eb8799976007f4886a68a7f411509ad61dcf7ddf5a3630fa5342014ad5aa978818ff3f

Download Submit
memory/3992-73-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-82-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-74-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-75-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-85-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-84-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-83-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-79-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-81-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/3992-80-0x0000027AEA060000-0x0000027AEA061000-memory.dmp

Filesize
4KB

Download
memory/4340-72-0x00007FFD65370000-0x00007FFD65E31000-memory.dmp

Filesize
10.8MB

Download
memory/4340-71-0x0000000002BB0000-0x0000000002BE0000-memory.dmp

Filesize
192KB

Download
memory/4340-70-0x00007FFD65370000-0x00007FFD65E31000-memory.dmp

Filesize
10.8MB

Download
memory/4340-69-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4340-68-0x00007FFD65373000-0x00007FFD65375000-memory.dmp

Filesize
8KB

Download