4c68fc7cfea0b998be9ebc730f6fb64453111463cc97a05832f826bd5c95c70a

Resubmissions

11-11-2024 22:32

241111-2f212axldw 10

11-11-2024 22:25

241111-2b6hnaybkd 10

11-11-2024 22:10

241111-13dfhsxhkh 10

Analysis

max time kernel
218s
max time network
215s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6.7z
Size

18.5MB
MD5

6df23ee40cdb76bcbaf9debadabadd54
SHA1

98113a1537411c368d33691af4d7b03b4019b828
SHA256

4c68fc7cfea0b998be9ebc730f6fb64453111463cc97a05832f826bd5c95c70a
SHA512

198472da9d16717d5607541b26951c113e821cca95a204c8973b3b3f92ed42eba35dc42ab2a4efa193c404319a64c34c90b35837ab4c924c1dba3a3fcce55292
SSDEEP

393216:CipL2GD+ki9oXFJan9qqBYpusMUO8hEx2sidgNwVgs5517:CiF2k+f9oXFmq9pusMX8axD6355F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
440	Xworm V5.6.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758381081620297"	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe
440	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	7zFM.exe
Token: 35	2468	7zFM.exe
Token: SeSecurityPrivilege	2468	7zFM.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2468	7zFM.exe
2468	7zFM.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
440	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
440	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 756	4544	chrome.exe	80
PID 4544 wrote to memory of 756	4544	chrome.exe	80
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 2516	4544	chrome.exe	81
PID 4544 wrote to memory of 4892	4544	chrome.exe	82
PID 4544 wrote to memory of 4892	4544	chrome.exe	82
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83
PID 4544 wrote to memory of 4360	4544	chrome.exe	83

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefdefcc40,0x7ffefdefcc4c,0x7ffefdefcc58
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:3624
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6829a4698,0x7ff6829a46a4,0x7ff6829a46b0
    3⤵
    - Drops file in Windows directory
    PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4340,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5348,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5228,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4288,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3216,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5460,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,15397563233891294561,9579154863910141112,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:4036

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4140

C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:440

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B0 0x00000000000004B4
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
46833b855f173ee364762f5a1826c830

SHA1
03540775b07bec276bc15dd21a42e6a63ad316f3

SHA256
80d96fe64731fadb749351495c7d6366c6baf67129bae9bf1196b92da094a2ef

SHA512
ab81c2ddf48f2e551f0054df1dca04dfa0c162590b951e6d550e69de48e6ad7225580b9e7373676466e4cf85111c49dbdded6be6789ca70f522dab40d06b12f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
3647b9f33855c2c98bc6d5db75042c9e

SHA1
f6e47d097a6c46be23899444148e86eeae85d151

SHA256
704ba706c9bc2c4194c27a4c061d180958d15ea972fbe00815dc61fc66e99eba

SHA512
f74dfe1c65e172bf54e7f7315a376bb7d8fbb1aa14436c5909f3ca7db25fad8632a3e018931d9d7bd21898ebd2c6b9eac1ef7de4dda2def7f7762834f5990131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0575afaa7909380a26bbf475fea6c1a9

SHA1
ae4849564734232af298a2de7879e154fed23ff5

SHA256
a6e29c1e12386aeaf8e9e1ea27b9671fc3d13d9ea9ca9b5a7e1904674fd6e521

SHA512
c20fbb7be90dcd997b3b29c5710610156aa0c8d1919447f7bb057e02c5925855b5ffad7d5772fd6456eb6993ed26a282fd31ac68c39643bc90a6a67b3936ebb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9efcd0c9ee4bf0c3b8bd9f8a29ec4d4d

SHA1
0fff2f68b3deed71f71ef00f12348ead53cc1d0b

SHA256
e5a7aa756621e172ff32be08fcd28dfe3265642197072237df3cd17f050709af

SHA512
112b9deea54b0a40ed01f17d8e52de516c79c451a24ca9c6c1065b4ddc98059bd57ee6c08ae992539da9147e89298ceaf987dee42105108a7b76eb6a89f16a19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
51801eca824b9af3bf8119c096e49029

SHA1
6045da7c173d2220a47dff188f3d693d93d5526e

SHA256
9f69f8781a698f459eeb6a81080c5a396eeab20edaa88fbcb1c430006b1c0e5e

SHA512
4a8dd1db2af1407dbaf116ca90b08515f6f039435456976c12adc3aef301457201c0fac409cb1717c300d4c5bbee56e3c0f8f76b77fda636b0baa648ce7b803f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0896e147c41a80c346aadb5c2c714446

SHA1
db9e360a939f7990167e01dd1b87ce80cf730008

SHA256
24853dc768f3fd343baa3ce6e5fec0393e38a8754760a323b10ad7b783e7d564

SHA512
16a4bdb5e7824f1e62ebb57e95074eda10b6dbd46b2b6a468f6c666e1bd9704d7b99f42cbfbf2e362fd98c3ba262a38b6d65443b3d76c8924ffdfd0c9571989f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9bd72271fc25565f5b0520bc372f981a

SHA1
3d8cdce1cdaea2e1eae5e645d8219d2b590adffc

SHA256
fa0c80a63ff9d6a2fe5ec7e6079d9cf06c654aa4062b99bb98f82825beda0011

SHA512
5c2b14149af28cf769d0f32fe4b02ccddd56133d1e5870b4743f0a9c4df6b1ef10469ada0e3a4305f0064787d4c4722da03c05de6d1efe22e113ee7dd46db873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
78eec7a44a202b1b399875ab2ea91478

SHA1
944438c2c28d5c9b5d9ed6864c8e2e6c54b71fcb

SHA256
cd64c5b21bc5bd99bc9e229f093b126d282a1beb7a8d589a7a28c976f3a1e82e

SHA512
d3b2b1706f9af429a0d5aaa20ae2c348eaed2b60e5464a4cee58cdbef54f374d2f07e9ced2affefeeb28d576c218a7c8256826865524b67ec9860a2d56fc8da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90208988d7e3c703ce0d2e98bbabacd6

SHA1
7df3c48dade0c9e5abf1d6a74ac7bc0d81de5b65

SHA256
39268f71c8d806d16a0439359682cf496b38cb79609fcbe4a62b0924d3286da3

SHA512
7adf5838a7b0f78f2654f860697854704159360cbffaa89b3c5a6ddaacc46b6487d866f80b71c756f4f3f2ca937f3f6aadde556c1b3fc3bcfd8436d1592bb678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a38b53401b676a223e04b7c09e9ab2db

SHA1
039f190408a1c0bbe49f096a7393aec0b85a56fc

SHA256
515729c55aaec6967725ba97a4bf329bdd3db214cf445b4579bd049d947322f7

SHA512
aea38c73a7770f0fb4961e57b74bb4f565d1a5f3093641fc8c41a69882a4496075e4a67f05bf5bb3015de4cfcd92633512fa41860c75d7c3237e5a676ac3e59d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
be13bd76843bde3ae7f2a27fba8fd20b

SHA1
292b65f255d7c2f1057dd6ea8f282eca7068fb81

SHA256
2912b51a8ad972f1d13076a3086336bc6c31392c23cd785d629e17f4698548a6

SHA512
3c94d67c81234e24d88e0fe275e9a79e814d6c6d2c4f50661cb1b460e8ecc6528a18d4fbbf5b26a107c6c01aa7cd5250df1c761678ff23b2bc4b0c764caea1dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
72b0757ace8f1d9bae1b3390de0c1837

SHA1
d52d9b007546c769daa59e077b5caba827e45017

SHA256
83da4771a77cb2aee3819d0342ecfcd683cc8eb1055942fc9ffedf4a7a878434

SHA512
308164832440e35a27d3cc9a3def11ca555d23902826762eedbf34d2d09fe1b591b1ac83546e406df15a5811dbfcd02b60a48677f5fe45facd0b7d0e46a55908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
409d9934aa3690faa8b9f23ff03d258b

SHA1
f54bf22b6c16bed984bf1c25335807b40fe085ab

SHA256
0139587bbbd3cdc51420704405b05629df5dc0332765630c19f2cb273663f7ca

SHA512
b8a4319d015816e26156a8024c3e39b8bfdf947eaa32e2972cfc02e877ba50d432b45629bc28488d6f0d1ddc9469cb0ebc73c5e0e20d5a3b23a34a6dd838b9bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
1f275aeb084e2d2607632490eddaa25b

SHA1
5ce12824e5957c20390b772c9f9c0712e595ac1a

SHA256
82b3b72fb3bf5c514574e3be17489c67f5ecc35ff6fa6ada53a0f5cdd6b5127c

SHA512
7d030099f25dc78b294b5fa3d3b06b3c1d5d10e744e7e082e8fe07db0dad8565e26f4aee0dcd1032219b7cd247c9434b95903071c08b10600c656271956cbf87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4A90D889\XWorm V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4544_1555220332\8db61aea-6062-4473-9941-faec9b86e33f.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4544_1555220332\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/440-806-0x00000216F5930000-0x00000216F5B24000-memory.dmp

Filesize
2.0MB

Download
memory/440-807-0x00000216F3B30000-0x00000216F3CE3000-memory.dmp

Filesize
1.7MB

Download
memory/440-810-0x00000216F3B30000-0x00000216F3CE3000-memory.dmp

Filesize
1.7MB

Download
memory/440-788-0x00000216D84D0000-0x00000216D93B8000-memory.dmp

Filesize
14.9MB

Download
memory/440-821-0x00000216F3B30000-0x00000216F3CE3000-memory.dmp

Filesize
1.7MB

Download
memory/440-836-0x00000216F3B30000-0x00000216F3CE3000-memory.dmp

Filesize
1.7MB

Download