xworm | hxxps://gofile[.]io/d/xFW8C1

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/xFW8C1

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

WlRiR664X9VKgye5

Attributes

Install_directory
%Temp%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b98-88.dat	family_xworm
behavioral1/memory/2564-91-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	DiscordMultiToolV2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	DiscordMultiToolV2.exe

Executes dropped EXE 4 IoCs

pid	Process
2564	DiscordMultiToolV2.exe
3932	DiscordMultiToolV2.exe
832	DiscordMultiToolV2.exe
2700	DiscordMultiToolV2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766723815891092"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe
672	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeDebugPrivilege	2564	DiscordMultiToolV2.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeDebugPrivilege	2564	DiscordMultiToolV2.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 4624	3024	chrome.exe	82
PID 3024 wrote to memory of 4624	3024	chrome.exe	82
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1644	3024	chrome.exe	83
PID 3024 wrote to memory of 1896	3024	chrome.exe	84
PID 3024 wrote to memory of 1896	3024	chrome.exe	84
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85
PID 3024 wrote to memory of 380	3024	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/xFW8C1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd0c6bcc40,0x7ffd0c6bcc4c,0x7ffd0c6bcc58
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3120,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4372,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5140,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5152,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5148,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5124,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5188,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5040,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=724,i,9429644005204107175,10611111821402524531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:672

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2416

C:\Users\Admin\Downloads\DiscordMultiToolV2.exe
"C:\Users\Admin\Downloads\DiscordMultiToolV2.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Users\Admin\Downloads\DiscordMultiToolV2.exe
"C:\Users\Admin\Downloads\DiscordMultiToolV2.exe"
1⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\Downloads\DiscordMultiToolV2.exe
"C:\Users\Admin\Downloads\DiscordMultiToolV2.exe"
1⤵
- Executes dropped EXE
PID:832

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4264

C:\Users\Admin\Downloads\DiscordMultiToolV2.exe
"C:\Users\Admin\Downloads\DiscordMultiToolV2.exe"
1⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4dcd2085e1d592ae5e55a1ab414c2b3d

SHA1
b3591ab10bdf04d2aac46927319a1edc3a772b01

SHA256
28559df413c2302678a55acf8f2e8ee42c485cf5cacdbfa51b7b2d76f6733518

SHA512
13dd734eadf46ed271e00354dd804cf5d89678edf5b9d48a700b03c731f2042a800528e54a7df307d840997bf1f18e15298f79c63d36049b3e218d1b8df34bea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
7df6b8454995c18ea8224d5249cbc306

SHA1
340bc67419632cc833d6d0b27d95183a1d27d7f2

SHA256
e1b67633f1851b118f40fff56673ef6cbbbbe74abd3cec54b7d07f71eeb628fb

SHA512
75c35b6a1b37a3c0ddfe045d7f093cf057aa1e30759e355131d13b52b7b615379125d1ac5ec4f75ceb498eea79824c55247f9efcfdb10afb521899dd86fc9041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b57cae8d7685f0d5a5cfd7f2bde7d72d

SHA1
1da92b114ccc39f87e5e73b72629ce7317c542ba

SHA256
e03ab62772df71611c90e45e4d02b51b442838102f55f188caba516ad43cfafe

SHA512
1768d92afb329d2f93d61a10dac4ba013006b6c94fd4b023f40d3ff442a58c7515ad0b09cfb94a7ae0544a088a8f3fef8da45123923c39113b774143dec2b811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
6039eb9a7583b801a98b97282afea0d1

SHA1
2bc39f75ecdf7b7980f15f8ed7cca5ff3b51617f

SHA256
41560c997b0eb5148b1b170764fa43313c3e9e0c54b752627c74b44e5163bb24

SHA512
38898b0c65ea4f0569f45662efb7dfe394bcc2737dbb46e44cc89d25409aea9bce6396693ad667c9d59466cee0cdb593844d1362c9fcfb1941c212d29e4b4c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47e44bcf53b6b284e0e0fdef183ddbf8

SHA1
aee7ac6e8057705afc5ec61fe87c7857c30449e2

SHA256
8e44800127592443bba7c25181e84303f03b41df83fcd94e2204440809690089

SHA512
b891178aca34251d9cf71cd6123237463416cd0c4ed834ca6e18066a5e7ecad7909f1fd5b858baf1fb953be229d198d771ec091222253a79110b51795c5cb5c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a4208516444cb4094431c9cd0f711564

SHA1
17addc34c1c0bee551eb686a29b6995474ffd448

SHA256
ed25fdd96fbaf57d3c784912df8d57bb4b281e09490fe09f74187bc3749d45df

SHA512
ab7bfb4c524c0c751ca7569b8c9f3af99bf6261bd645aa422efa29bfb9f263ab2c4a854f09f11c2832a7e9cbc6c66737b872c2bc1725c303fd1f06ff5f8fd9d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dfa2209f6a92dd93030a30e00daf8552

SHA1
ac99946a13a12581127d828c7848d35d089c6f48

SHA256
33c6ce5a24e1300faf62eb157341b9b75e67fa3733bfd547b500344fbe9f250d

SHA512
30a96df8a6863ed747a5a103016b2fb853445f4d1030d94542cf60d4792933cecb346a704d86ffb0578e9e8f1cf14e7dba81906f81c13512f206b3cf0b0a59cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b50e347f507611576d9236161a07a4f

SHA1
cd3a23afd3a38089e74abe50a805475255237773

SHA256
35c70acca16ed12a965240b7d95a8d20d03114f0d7ae7cce8398517512da57ca

SHA512
3ff0f52dad37ceedc5aece10688c5c5c614e6bf8fe670eabe0963a6974edadf394d7dfe6f037d864f85ab13c91219628c881406c000cdbe213a40af22f2ffb0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe0c3a215d7b812ac4ed4f9d609b726a

SHA1
9c37978e2f83bec237eb898e5dced585b9cc8efe

SHA256
5dcc56ef6d937ccfcaa1921da6ead4ee78f903bb0e3292984b60077ced92ebec

SHA512
7d4cc8fe7d59ee9d3ba140b8e0c411744b26f802edc5675aa8ef0944b5330202f68f19f44df199716b4ed83b777ebdbac938f0c6a4af32ceabc3c7b39ab3db71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
817762f5e89ee8a6ac101cc328eb94cb

SHA1
31e3e6015dc0f418aa86af38731414811f5fdc38

SHA256
f9741ad997e3a44ac976991347593fb71188e46fcdf0dbbcf40cf245db997a7e

SHA512
89a25387de0b08b99171fa05f7fc2e4808a31be5e957527e59373e38cd46fdb96a381e44eec93616401c096936f6f4cf4ffe5784bdacfac16264a5974cdb036b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
100cba817ad23a2241dc037ffc57f379

SHA1
5dcdb65e9cbd06d95066bf7253df4eb6265bae7a

SHA256
df6854e3c4b0c1cf237a06e1a41a74826312803dd9a8a0ce0c4dacd19b6cef23

SHA512
5266e1627a722d71bca4a744ee4ecc84c8af90195ed539f5c71931dbcc80a33071d3dd052eb1bf0d8b57a8f5cc288cb4763787acc319349ff2f4d2f713bbb255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b1cd17cc9833d93369d534ad68771c5

SHA1
96c1ec443265b82301a8ff61995bf72e867d0264

SHA256
fbface15902a412970e7a22d1b07b3468cd0e51490091b92f2ea5569028901ae

SHA512
41e4784d8782dcfd1051bca45971be16f14a4b8f892e0f58e3f04ca09940de10812647aa083a075c2ca91b7d09bec6a1b4a3d3fde0aea3c8110e3cb05b0c7856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32fcc68722462cf6ff08e3580c3dea1e

SHA1
28c049664cf2bab5677c146c69e6ead5dfeb7fa5

SHA256
f3247cb0accf7b4ba82fbcfaf32041090d0cd8c4b4659b72f72702bb1bd704d8

SHA512
4cb9887237a3df8611cb5a229e417017c249972d126dec46fd0f0fbc1ce00ee650085250060fd8f9c1233a76fcdebe675efbfdc0a221409b8a32cd3ea2f0ec81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
9e296c11ffaf57bbc8221a1c04614bf0

SHA1
17666f73913cdb94f66ecf07db12dd3703e4262e

SHA256
3258aec915c04e298445c203d94c70c3999f7358d435e7bcb720304de5b5ae05

SHA512
dd580326844152ddc803079f3250d7d279fdaf0a4a2694984f72ffd721d0b8ad254e83fc9f2441a9d0eaf07f42cedf9b04da946803c17f2d1721bb776980d4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
fead8627656f7c0b2029af80a3e3557f

SHA1
00ed220ac4c021ba7d094f9a82ce19dc56de6f39

SHA256
bb46b80cbd217b52910e5e6e93946e46635fe2e1849d20314722925aae574874

SHA512
93884259a5ffa99057aba9e82a2ff54219bdbe84d6f2618171a24eb41eab1634eb2d13db4723409381ac27007a70db529a1ee2c6752f5a5b3330b3440896e9f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DiscordMultiToolV2.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Filesize
1KB

MD5
96157301f3c34661c68c1de58df6b52f

SHA1
5a8d59a9f5ec120b51e29f247a4d5ba13548462e

SHA256
4c1d5ec01476081b4fcb366f71eabeefcd8520da1bf8f268fcce5dca556dba8a

SHA512
023911845b9b32170947b61f631245086c3357175b13de72e1192c3ae82410aa5e1b2535b7f63d2b43ab85f4bcce6dcc7641a49103302131a8ef279df60bf758

Download Submit
C:\Users\Admin\Downloads\DiscordMultiToolV2.exe

Filesize
34KB

MD5
172063ed1cd219f2e2362a819a48f8f4

SHA1
f0ed5f1901a3e25a1c82c269efddaf3d6119677d

SHA256
e0793428aca624e59a99360b2c4694f95f3daf0a922e9afa282a195a25c4da15

SHA512
c88eca7be667dcb826a36ad7efe5cbb8dad42f8b5e9d0ab878160241032fd98986f72468ef5516341e11e36dd083ee184ed4eef164d6305323846e5992cb55ca

Download Submit
memory/2564-91-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2564-112-0x00007FFCF86A0000-0x00007FFCF9161000-memory.dmp

Filesize
10.8MB

Download
memory/2564-90-0x00007FFCF86A3000-0x00007FFCF86A5000-memory.dmp

Filesize
8KB

Download
memory/2564-105-0x00007FFCF86A0000-0x00007FFCF9161000-memory.dmp

Filesize
10.8MB

Download
memory/2564-111-0x00007FFCF86A3000-0x00007FFCF86A5000-memory.dmp

Filesize
8KB

Download
memory/4264-179-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-180-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-171-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-175-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-177-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-178-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-181-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-176-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-170-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download
memory/4264-169-0x000001AFBDDD0000-0x000001AFBDDD1000-memory.dmp

Filesize
4KB

Download