xworm | c1ab262588f30079f7c3c4ebcb9585264505fd555077a3680f5beac77ca48745

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamCRACKED.exe
Size

293.0MB
MD5

224bcccbdd3ef2b84c25dea2dc23a033
SHA1

a439d7112c853ea2138b57a68b703081467295b3
SHA256

c1ab262588f30079f7c3c4ebcb9585264505fd555077a3680f5beac77ca48745
SHA512

0148a011a4b5361f2e3924594a4c38021a8e4790cfc5509e537498e1d38bb244af2fb7881a95001bf677e087736c6d55c46eb7a36e39a8a59012e73e8adfce35
SSDEEP

6144:PtBmb8WHz0L+GIIIIIIIhIIIIIIIIIIIIIIIU:lXmL

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:63603

37.4.250.173:63603

Attributes

Install_directory
%AppData%
install_file
XwormV6.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5092-1-0x00000000002B0000-0x0000000000308000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
860	powershell.exe
2788	powershell.exe
1220	powershell.exe
3684	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SteamCRACKED.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwormV6.lnk	SteamCRACKED.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwormV6.lnk	SteamCRACKED.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758367685208353"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2788	powershell.exe
2788	powershell.exe
1220	powershell.exe
1220	powershell.exe
3684	powershell.exe
3684	powershell.exe
860	powershell.exe
860	powershell.exe
2592	chrome.exe
2592	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	SteamCRACKED.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	5092	SteamCRACKED.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2788	5092	SteamCRACKED.exe	88
PID 5092 wrote to memory of 2788	5092	SteamCRACKED.exe	88
PID 5092 wrote to memory of 1220	5092	SteamCRACKED.exe	90
PID 5092 wrote to memory of 1220	5092	SteamCRACKED.exe	90
PID 5092 wrote to memory of 3684	5092	SteamCRACKED.exe	92
PID 5092 wrote to memory of 3684	5092	SteamCRACKED.exe	92
PID 5092 wrote to memory of 860	5092	SteamCRACKED.exe	94
PID 5092 wrote to memory of 860	5092	SteamCRACKED.exe	94
PID 2592 wrote to memory of 1384	2592	chrome.exe	98
PID 2592 wrote to memory of 1384	2592	chrome.exe	98
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 4912	2592	chrome.exe	99
PID 2592 wrote to memory of 3620	2592	chrome.exe	100
PID 2592 wrote to memory of 3620	2592	chrome.exe	100
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101
PID 2592 wrote to memory of 2132	2592	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\SteamCRACKED.exe
"C:\Users\Admin\AppData\Local\Temp\SteamCRACKED.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SteamCRACKED.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SteamCRACKED.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XwormV6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XwormV6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff489ecc40,0x7fff489ecc4c,0x7fff489ecc58
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:3
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3748,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:1968
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6cd344698,0x7ff6cd3446a4,0x7ff6cd3446b0
    3⤵
    - Drops file in Program Files directory
    PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5384,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5292,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3420,i,12279511574274272325,4292504986842285229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5277b6a995b9aed59e50e4c765cde8f1

SHA1
5df6b37cf1fbad3273b1666521ebfe3edcf272ff

SHA256
440a5d12c9ddfaf6958a7d7f5fdf412811012c91f59d2b8b617d98bf3b96c529

SHA512
6cde6d9e0a64fd9a0e698c46137066ada0dc4c9947f2d067eaab31516624f06a22a3043da7c2cc642ea10500cc5a8e477e5386637a28ef2998d57ad5d86bc372

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1f24cc026f317f0190844b01de362a84

SHA1
8670f3e7b0fb9bc8c1bca970acbf78d306601556

SHA256
a5d087626268bc84b4cd6c6dbdcb11b0c0297fb6cb27e9d3ed0f0f705c58ed6e

SHA512
e7190453d80727fcb0bb7248261cad4b55c3accd9f55de0a2609492fef382fa6afcdf19c4efab430845631d2c51e9a6c74a50d841538008d187305083d06ddf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d6e14dbf1155b9ac601be0d1c53c8626

SHA1
d439e606f59ce2b67f5c92365c9f17ef34f520a6

SHA256
791f0858c2229257450138aea1a6f7eb47e71136d0b420da8eb39458cc0f8ea6

SHA512
39718adc5bdba0debeee9ae661076fb39376da980d24643cae9ec616c58b148debb71774fae7cce2faffe22d68344a7051ae82e163914563c964ec6974cf07e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
06f862c177b2f6ecd543bce16b15cec5

SHA1
589df4e6cd4bbfc323036abd32f8302ad0241e38

SHA256
d3ebee81b17bfbd103604b033ef75008c30be79081b7f76856ec01b9ddb919ff

SHA512
2adeefaf50ecdb20ea3b327ab6a37cf98e0edba4f3e38bd2409c13d6477ba44ac212d4310922d0417ca6378a307b3d3d293a426a17152918bd9f860f4b703e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
22fd22a82bf52a6faab1e8cad357a6c5

SHA1
c65a85221b736e59291c238b70e2407e1dd97f8e

SHA256
49e841a93ef15aab79496e357604f366f568c959407a0e802914ba46bcc982e2

SHA512
c066fb7aa621eb0174d94c3ba90392b4fff9fb9468ba1753c4b7387839cbc8cd554fd08461cc4289882398bcc00d328a4844c15ed79964f2794c96cf8b1011f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96ac405c16e1fa73d2dfd192e144d83e

SHA1
83d8fdce64cb21c5c6205d1e45b24aa8c366e199

SHA256
ef474b4bb83b0586ccb8d3a113481687737c847fdfd45ce8ddf81ae23fcae405

SHA512
1b280520814f296b0870df9fe23cc6bbff9c890e983c2ebe0d0836c610f2858379b6ab0eb7565d698b848b75429019c8ae0f6f293b5f860e5b1b18bbf7958828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98f007431814cf2b470bd19ad9d6ad49

SHA1
fa58caa59217fe18af913d95aac1d3e065a58de2

SHA256
18f29f63d63191f4c3175c18f5cc572fddbd1f4853265ef25406b25fc789ab26

SHA512
f5db5b105087ad020e23c3f1ac8834e1918e7ad05b92c0832a3885835e637806f277903ef9182bc483c738bfdc255bfae0b13babcec65dba03cd511ad578ec6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
379f09c0e6eb48d5c22787a838d05563

SHA1
7cb6f0281cc75d4b876268ccd3dfde54a7fc9e17

SHA256
8c9e127ba3bbdc040f429146640523a0f95cdf5c6f227486bf711daadf525355

SHA512
4b03b7f9bb2c3a6a62c0d91971cdcd12fd0fd44993a4f7fdfeb8147a27c9271ea7aee9e7b7b9772aa64b76c9cef363cef4b9fc53ea654195267d0b73874df12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
823a379fbcda3c90bb79b1abe963f77e

SHA1
48db7e223630a786be2c38d565a59f52c74b3e85

SHA256
8e52f08c188a43d27c6e00ba55567e08931c2e0052b34d0abb0434ab81052657

SHA512
da3e6a1cc7ea51625012c4d6657396bba9830144c122938fdf7c74c829949d6ca1f3c8386bfb92a5e8459bbe776caa40c0e1efb4d8e5aa69999c09d4930753f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f2396cf1e140e4d0f3bf42b25c90fac3

SHA1
c52da09a4d17706fe4d8d32eda90ec86b08cc5fe

SHA256
09923a0bbdf0ececd222ceb5c62799dda0e9565219eb1ae89a33bc1e3ed9c112

SHA512
53dc00e0f1234f43c523d9ac863c8189a985082a03ff29c178d02f67fce50a341b01fc5a342d5db007256e2508e01c8a2a8b9fa32e956a42e013b980fce26b93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8170d17589be7a6076087181792313a

SHA1
49942ed3a4e22b40ae70f9fcb6d65d385259566c

SHA256
892be5a065831536c3be88c1ffb6d1965c0f04f7c6724c7d0022d7c36081d499

SHA512
45932144caa3b88d2f4de56882b1246385272c6f549b5c7ece50d3e2ef1fa4c0315c2a1a297d1c04e996baccd7ed8525968b39240cd20300c91971d711b4ea26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c14250559ab0b9f0cfbc79da9c37ced1

SHA1
b3b8ca3009011f364f4f7a005e7c1fad23556c73

SHA256
283a8f9176aa1d8eef65fd9f667a6de75b6702a319b911ebeb07559cc6c919a5

SHA512
147e2f5168cf9dd32fc9ac8586c355b12a288039881009ce0a664c659df51e4099ce6dfe5652797cb368ea134f93d4ec2175405d0d7318b621a20e7c90f5f326

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
db23b9394d2abf8111772cf09875334a

SHA1
f2b5795d25d7131981410d78ec681fc4bb64107e

SHA256
6f9043135ba242c85f15d6f572fce0c8133ab4baf104a8f1b59d36230a1cb3a7

SHA512
17a138b587d17722321e42acf73f9db7844c92194b839de68b1b9105caba8451253b70ff4af059c670a798998e934d1d11caae232d949e296f759e4684603067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
503fee2051a4af523111fd87acafa535

SHA1
328ccdea3146858530fd73eca02736f3141ca1bd

SHA256
3bd1deb7ce174120bcc222993456d251c6717c7f0011e327e500c6746a7762f0

SHA512
72cc99fe46e4de3008612efaff455c69748a71da70b32917ae61448f6da8a4282f6b891f613cf9dfbae7022d79401716cd243211831d77873b4754abb960864a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
666936d0025b5e1f31411594f8baa348

SHA1
4aa45ed159b472db596b78a9f243f219647eb4ca

SHA256
1f88b716081887fc0d418d937bf5830fce4300c2f60402f46fcd18ceefafba39

SHA512
6c1a3cba983329f7c6b17f0cbbd2dd2904bbd0fbf24df6cb709581a3ea612b93b9fec789d1c44d65c590ed64551e2d681d0342f26e5e562510ca6aeb691f27f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
6555a944f80f7cfbf41791fba2058083

SHA1
d42cef7cde4ac801e4144ce4628486a3558253fb

SHA256
e42d3bad0d35178e3fe62f867976cb9aaee2e8b99ca8dc93eb737a7e6436b1f9

SHA512
0eb6c2e3a46a2111d8ef11a78fbfd0039d78ca457bfc0f76e5dbd4c715875347e64c5f0e09872a939a4888aaafa17a31517bdf09c1f29de4e2a5eaee384e3b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_al5peaqg.ifz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2592_1066213201\029a02e2-eb25-49e9-b1e7-2b0e214e3558.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2592_1066213201\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2788-17-0x00007FFF46EE0000-0x00007FFF479A1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-14-0x00007FFF46EE0000-0x00007FFF479A1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-13-0x00007FFF46EE0000-0x00007FFF479A1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-12-0x00007FFF46EE0000-0x00007FFF479A1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-4-0x000002026BC90000-0x000002026BCB2000-memory.dmp

Filesize
136KB

Download
memory/5092-57-0x00007FFF46EE3000-0x00007FFF46EE5000-memory.dmp

Filesize
8KB

Download
memory/5092-489-0x00007FFF46EE0000-0x00007FFF479A1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-0-0x00007FFF46EE3000-0x00007FFF46EE5000-memory.dmp

Filesize
8KB

Download
memory/5092-56-0x00007FFF46EE0000-0x00007FFF479A1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-1-0x00000000002B0000-0x0000000000308000-memory.dmp

Filesize
352KB

Download