xworm | 03015c4f39849613a41ed43ed036ad274f80d005509177fcc902c80a36bb3fea

Analysis

max time kernel
106s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperFixer.exe
Size

74KB
MD5

aa65192e44a3bda4ea039571429abac5
SHA1

e1c8f9861e01d1b042d7267c5d7a6b7562f05c7f
SHA256

03015c4f39849613a41ed43ed036ad274f80d005509177fcc902c80a36bb3fea
SHA512

0e48d517c8730548497aba3fc99a1baa38f640e9f46f8061ac3f8dd9cb47eb5bfb0bb5daa24ef690225112b748b926ed3449623764f400b3aa2705f3987ffa3c
SSDEEP

1536:/AySegvs9JRF1AFF9lr9bWsn7D9U64CURikOh1ATt:/Ukj1AZ/bWODsCURikOLmt

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

uk-theory.gl.at.ply.gg:28001

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2520-1-0x0000000000930000-0x0000000000948000-memory.dmp	family_xworm
behavioral1/files/0x000a000000003cf2-29.dat	family_xworm
behavioral1/memory/2532-35-0x00000000011C0000-0x00000000011D8000-memory.dmp	family_xworm
behavioral1/memory/2004-150-0x0000000000230000-0x0000000000248000-memory.dmp	family_xworm
behavioral1/memory/2060-234-0x0000000000C90000-0x0000000000CA8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2028	powershell.exe
2068	powershell.exe
2940	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BootstrapperFixer.lnk	BootstrapperFixer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BootstrapperFixer.lnk	BootstrapperFixer.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	BootstrapperFixer.exe
2004	BootstrapperFixer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\BootstrapperFixer = "C:\\ProgramData\\BootstrapperFixer.exe"	BootstrapperFixer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	BootstrapperFixer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BootstrapperFixer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	powershell.exe
2940	powershell.exe
2028	powershell.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2708	chrome.exe
2708	chrome.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe
2520	BootstrapperFixer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	BootstrapperFixer.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2520	BootstrapperFixer.exe
Token: SeDebugPrivilege	2532	BootstrapperFixer.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeDebugPrivilege	2004	BootstrapperFixer.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	BootstrapperFixer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2068	2520	BootstrapperFixer.exe	31
PID 2520 wrote to memory of 2068	2520	BootstrapperFixer.exe	31
PID 2520 wrote to memory of 2068	2520	BootstrapperFixer.exe	31
PID 2520 wrote to memory of 2940	2520	BootstrapperFixer.exe	33
PID 2520 wrote to memory of 2940	2520	BootstrapperFixer.exe	33
PID 2520 wrote to memory of 2940	2520	BootstrapperFixer.exe	33
PID 2520 wrote to memory of 2028	2520	BootstrapperFixer.exe	35
PID 2520 wrote to memory of 2028	2520	BootstrapperFixer.exe	35
PID 2520 wrote to memory of 2028	2520	BootstrapperFixer.exe	35
PID 2520 wrote to memory of 2788	2520	BootstrapperFixer.exe	37
PID 2520 wrote to memory of 2788	2520	BootstrapperFixer.exe	37
PID 2520 wrote to memory of 2788	2520	BootstrapperFixer.exe	37
PID 2912 wrote to memory of 2532	2912	taskeng.exe	41
PID 2912 wrote to memory of 2532	2912	taskeng.exe	41
PID 2912 wrote to memory of 2532	2912	taskeng.exe	41
PID 2708 wrote to memory of 2188	2708	chrome.exe	43
PID 2708 wrote to memory of 2188	2708	chrome.exe	43
PID 2708 wrote to memory of 2188	2708	chrome.exe	43
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 448	2708	chrome.exe	44
PID 2708 wrote to memory of 1932	2708	chrome.exe	45
PID 2708 wrote to memory of 1932	2708	chrome.exe	45
PID 2708 wrote to memory of 1932	2708	chrome.exe	45
PID 2708 wrote to memory of 1588	2708	chrome.exe	46
PID 2708 wrote to memory of 1588	2708	chrome.exe	46
PID 2708 wrote to memory of 1588	2708	chrome.exe	46
PID 2708 wrote to memory of 1588	2708	chrome.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperFixer.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperFixer.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperFixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperFixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\BootstrapperFixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "BootstrapperFixer" /tr "C:\ProgramData\BootstrapperFixer.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2788

C:\Windows\system32\taskeng.exe
taskeng.exe {16E31991-6381-49D2-8A5E-ECDB1CADD28E} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2912
- C:\ProgramData\BootstrapperFixer.exe
  C:\ProgramData\BootstrapperFixer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\ProgramData\BootstrapperFixer.exe
  C:\ProgramData\BootstrapperFixer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\ProgramData\BootstrapperFixer.exe
  C:\ProgramData\BootstrapperFixer.exe
  2⤵
  PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef21e9758,0x7fef21e9768,0x7fef21e9778
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:2
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2348 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2372 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1680 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1404 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3772 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3672 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2428 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2992 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 --field-trial-handle=1224,i,1699664035063148281,11699727385480199749,131072 /prefetch:8
  2⤵
  PID:868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BootstrapperFixer.exe

Filesize
74KB

MD5
aa65192e44a3bda4ea039571429abac5

SHA1
e1c8f9861e01d1b042d7267c5d7a6b7562f05c7f

SHA256
03015c4f39849613a41ed43ed036ad274f80d005509177fcc902c80a36bb3fea

SHA512
0e48d517c8730548497aba3fc99a1baa38f640e9f46f8061ac3f8dd9cb47eb5bfb0bb5daa24ef690225112b748b926ed3449623764f400b3aa2705f3987ffa3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\742639a6-7431-4f65-ba8a-722d9fa6049e.tmp

Filesize
355KB

MD5
c2e9147ce53ee36acf8d19b621be7b3a

SHA1
fc584d57460ce5bc8d73a3c7834a73d6213e41a1

SHA256
08f75ca9dc06f2bc0e9505ec6e4717a193fce7a74979f944f0cd00b4952f0ae8

SHA512
79be63ffeb47b4d7113ea97c9de067804bf411bd5527a57e300df66fadb4bc04267671645cb121908038e0f8a071977020b6dadcf8f1ac0dcadd2aaf1d3a659b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
7b49e7ed72d5c3ab75ea4aa12182314a

SHA1
1338fc8f099438e5465615ace45c245450f98c84

SHA256
747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6

SHA512
6edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
0b3963d7e9df710308f5fa5498083b0b

SHA1
b8f071c939b2244f361fe19e1f8cc33934023629

SHA256
1d33140af8e5d5f89d2a74aaa2994c91a264c80a4a0776909ec4513cc190ce45

SHA512
3fc64bc3a61560d9aaabe3e570858269bd068f43fb4bd8c94bcb76abb305f74ca423c88e2331fb65494d162351f2b1ce08c89c6bee68c9eaf763ac3bcb59df79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
96ee608496defb739101f90119c80523

SHA1
33eaed843c62c163a44cc43ca6b33213c2e46b71

SHA256
dba3f4f630e988583c6b5e511750e59850ce13bcefb5507721dad92f3cf30f1e

SHA512
0abe055ef11a3103b16a810dcfe54e1b2daa858d5acfc995037144d7b3d1e609f5013c27fe3f7416b4b1fb81f65478ab708dd72aff1a8a8390c43bac500c214e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ae126ff05f72460d954867398f824d91

SHA1
9bf54e68752444f1e9ce60c94c1816fa338dcf10

SHA256
5fbf7dfdf2a9ef76eee834eae4ebd7ba27b3ed67208a6c6f267d84d718ff0a2c

SHA512
6182a9588dc91e99284d4f56293f6b1aa5e64a3f19d490dd59ea594b545c23a75db91a0f130deeb8c8ced0cf748aa4cbf16680f7a22430ab7c50697e1be4a5bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
10ae4861ab3cc7530075194cc83a59e6

SHA1
eaefe6906a43ccb51050bf09ceed99cce791759b

SHA256
16bf832c55f606691454f80366f4b941d40d2980b738ed18a98792db31a7aac0

SHA512
5a3881bf606485ce8342c35055c926e96adcdb1610fd4641c3625940c40e7bd223386c5e92b239d6726012fdc94da4e4d1a9dd79460e7e245e4672a858581e58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
354KB

MD5
1576821e7ac0318b7b9bf5e76c8e1787

SHA1
73c3ab7cc27dc84a0b2ce76e5732c5b9adfa3211

SHA256
8ee98a329608167787343044d58d05c507ed39d66ad56d476acc1a49e80f6e6f

SHA512
c501d2448fa5b69d709e19e578c1ad3efa59b7ec9ea0f0317864f0c42cc65177c21ca9b451afaf00bd3ba6b4a0bc6ae93a49c80e3078a5de09f36aa85d2ee6c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
0e9db5baac813811b1a1ca6ff397384a

SHA1
15f84ab5720bbce2bda752d502c90d63813725dd

SHA256
9f8d5fe03d46252e6f6af9c4860336a7f5d1f8fbafba8ac869daf29f1f282e39

SHA512
756b204b1ff82837ec598fb0e36fbd3ad69fb5bf01f54b69cf024491ab6d7b9b7188e91d4cb148653e457cdbaadbd0bbf85161fc01af992056591c4b39acdbb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2286c127b6af6f5123055c953967f950

SHA1
bee3101ebe8235c15b42575732d48bcd5616a29b

SHA256
428f1166107844eb693d192ee86650c3235260cc3e1f7ffb52a81349243591c5

SHA512
84443e9698d02dc7230dc900feaafe89a953f017a26878fe1cf34bafa79346c985c9ebcc49c85e8ff39a56c978447509b22ff6ae9f5346aca1fc78dd1215be7a

Download Submit
memory/2004-150-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/2060-234-0x0000000000C90000-0x0000000000CA8000-memory.dmp

Filesize
96KB

Download
memory/2068-9-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2068-7-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2068-8-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2520-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2520-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-1-0x0000000000930000-0x0000000000948000-memory.dmp

Filesize
96KB

Download
memory/2520-31-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-35-0x00000000011C0000-0x00000000011D8000-memory.dmp

Filesize
96KB

Download
memory/2940-15-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2940-16-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download