xworm | d326364bd2e12c39ccb4b775a800b1e52111debaf2cfff0d0c020e06de4bf0c1

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sadasdasdasdasdas.exe
Size

42KB
MD5

3137c79a207244b4ffd8f47a280d6946
SHA1

3694dd6f44949f6bf681b8a69410118033fe0368
SHA256

d326364bd2e12c39ccb4b775a800b1e52111debaf2cfff0d0c020e06de4bf0c1
SHA512

e9362eeca845a3c7491dcb5824fbe282815cb15d343b9b5e7db8be609ec09dac0962d4536d582c3f845b31b33b7872d3be5e433aba75bbf3856136f2fd941e67
SSDEEP

768:ie2H+qvxFTOGo7ZQumhPMCYWGNthRQJMeZIF+0C9o/HhpjO+hJPbCPt8:J2H+q7TOFShECzGJRiUFu9oZNO+nct8

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

sjCLxqdf2jeq4aWq

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4608-1-0x00000000003E0000-0x00000000003F0000-memory.dmp	family_xworm
behavioral1/files/0x001900000002b12f-870.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
50	3756	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
896	sadasdasdasdasdas.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
50	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\sadasdasdasdasdas.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857429634934574"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\sadasdasdasdasdas.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	sadasdasdasdasdas.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4628	4912	chrome.exe	89
PID 4912 wrote to memory of 4628	4912	chrome.exe	89
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 4944	4912	chrome.exe	90
PID 4912 wrote to memory of 3756	4912	chrome.exe	91
PID 4912 wrote to memory of 3756	4912	chrome.exe	91
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92
PID 4912 wrote to memory of 4788	4912	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\sadasdasdasdasdas.exe
"C:\Users\Admin\AppData\Local\Temp\sadasdasdasdasdas.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffaf654cc40,0x7ffaf654cc4c,0x7ffaf654cc58
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4192
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x248,0x24c,0x244,0x250,0x7ff761624698,0x7ff7616246a4,0x7ff7616246b0
    3⤵
    - Drops file in Windows directory
    PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5184,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5192 /prefetch:2
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5032,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1588 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5268,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3376,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4612,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3396,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3224,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4604
- C:\Users\Admin\Downloads\sadasdasdasdasdas.exe
  "C:\Users\Admin\Downloads\sadasdasdasdasdas.exe"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1236,i,9469508590516677695,14951734523742109731,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ed281b0db5046f064c3c9e992620d1da

SHA1
83c8de5c6cd04582ebe19d7a82b0233c5f659f90

SHA256
3f8437104684a616af581a686d9558d45ca0192c7340d1edf6ff967c75abb61f

SHA512
1ca2dd569ad15412eb42a6411b461e2ad040a7e33bf2a8749423f1a6cfc703b1f2fbbcafb0c07808259454920f03194f1c07dd52a3e8068b77260dfb0bdb8f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e2c8ca1b1f34a6e4e5b3f510e2535041

SHA1
3e64222c9d3c80ede1c2afecc47b172008d4b1f9

SHA256
f645031ea0f5a2dd7a08151bd2e97377b81a545a170c8483e7915ffeb81e702e

SHA512
85fb824c0c0392df133c9460a2f4ee075b6fde10fb4a889826772bd383296003daef38fff0b9547b2a97ccd1a807aa2be994458760981d1e60009964095df054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e3068ff3a12a74561ca3ea0b61154cf0

SHA1
23b86b871c4920b9c16506329873b6c48662ce90

SHA256
20dd28847e267aaa53008a4c67d2d3f307710e4da051890f5ec03402e8f0f1c2

SHA512
28947783b1fe65edf679903074ab776912634b49d07b9218befb70d3db33dddcb99a15904fa45818b2a7e205fabfc50c4fd0fe06e8feda1bfd19672c8643addb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
522f83e5bd46dd1e264878e05eefaa12

SHA1
aeae0f54f0a17b9945510e84db2d6d56f58ceda0

SHA256
4ec52cd9ed7bb1cba8113f1979a6c50a7ac4713242bdf8f4df9c068ed9d2abb0

SHA512
35b228614b03dd833f743d0c24bd5836ce7a2ac442defe17f849555af2c39fb2f73ea6fb3cbace22ea0ab0cc6dacc49a1fe448a9813f0ec3f10ccb30355ad646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
840ebefa221edf083ad27c9b46564319

SHA1
b09b43e8a1785dca9c8bc2607550916b8c26b326

SHA256
908df85d8d892055cb2c717769d611593ad806ae3c83f183206138ab9d51185d

SHA512
ff5067ea87ab3bcd0d6d3edb5d0f74c10b2c2aab50636acf58c7d845ff2d2cd0820362ac31b0f52e4c4779d02a0b33810ae5a561ccc0819b828a67767267218a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bb69befcb514b9412fa349ce96e10c7d

SHA1
e80fedfb6685249641ad37559174acbfc291980d

SHA256
7b14aca5456dca84dc62f1292f7155f24b97c129b794e4e0589d823ba247c6a4

SHA512
f3c6ef3b27ccdae12fbe5746265e645686e464ddf5586d3dc06c27eb5723dd043f77a4392600953754992904ebcd753ea49a804ce14fa82d251da14c0b608074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bbaa54b69549090f87da0131b10ed345

SHA1
22168bf9f7302fd7366b5249c50877914fa337e7

SHA256
1f2b3d23f31c1e15fe99af147487eea3c2146a560076edff61c593a12ac487dd

SHA512
ccba4830eb391c693ddbc7337becff9272a9f8540313ed22035c166c7f7d9576c0854a8a4dcfaeb068244b89885302613aac82e74c39c772fc70c0dbb6e5b071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f6a370ae980390b4815338b1b54826ba

SHA1
2b155784ad2607c768aaf26c2497e4b6bb48fc15

SHA256
f5581091a048cf829f021d39441f6e8f56ebf05617a0799129025e867efc1107

SHA512
063b4bd125f1fb7ff210332632c23c3cdc1fec266a61e2ecfa51114403015b5562ea08db7c28eaef9eb724814b74abe0b046b94097154f4789d9fa3e52bdcb06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
903d048f867c5cc0706350fba9afce29

SHA1
41d0ed06b261d190e5c151941ccdda179c99862c

SHA256
03e70708ebc4813f7965bb9186f438c15f63c59efc6da587431e922fc185e95a

SHA512
f49a7b19bb454cc90811318cd455f763fa67dd924019ce4c31d83e1eb316d0e7e94d655b7edc4aaa4ae928f465a9c3e5524254beefe008de0e6e5488d89da2f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3436f7691a37f5393c1065f857a5b686

SHA1
1f9f97f05e85cf07aa1358f0eb8b16561bc620a0

SHA256
1fbf4281d0fabd8a5af8cfe839eeb2d28a534c0282a5dd5973c8631bbfe03a25

SHA512
03b117d33fd2e7de0976580561749335dfdd238a4458b8f317b5a1ab42b569f915210bd02c0dfade338b983760556daba894e713ddb08aa99fa670aebba4ccc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bf7dd5067aff2a916399eb221059dfc3

SHA1
659237a97fc7c50a88c89175984c9dcb91072c16

SHA256
c4cd6cb92322d1198acd6d1c793892befbfd79a2849ab3e22c94d0be127fb22a

SHA512
1f332d428e560df237bf2a58e8f3233c04b9fec5e05456c0f8dfc05f07b083a168bf6b1a1a284f31fa86cb513195524ad048f9b9cd401b628183e1f6b30df929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8cde71e7424b4670f4bfa68bcf074bb0

SHA1
d2d716fd9fe63a11f7dd1b740d091718325bee4b

SHA256
31af0dc2ce2c064e9706e00d77b8777bd9a23eec4523f815ba1478b7f3cca478

SHA512
cf22b112b8a8a705af6c804227574683d58fcb3a47fe4d022690bcdd056bde58b28a4bd7af449cc7d01818c1a101239895da5fe0bc7d095850d75841aed1478e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eb5f8bdc28654f71f9b550e780101436

SHA1
40f0dc34af1a60332de796568b1bb5eef656479a

SHA256
0687d4a53836a13fade944c12ac841f0112f8b097a6bb2ced965d1bf3626316d

SHA512
a8ef1ec644772d6579761979a52696bbd7b1168a8a0bfc5fbebdfe056ee5bc20596c3e503c309bcabcabc56656f8dfd0ecc0ac66d7d9c51f7dfb15b1cba08c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c83a531510e9a4bc1268966b9987ce29

SHA1
374ba9743025f0d960aa38d19ae7576f24eb6c10

SHA256
4aedd2d0bede50b38c13b5f1b427bb4dc4cf5a4f4fb667df929664260cc999b9

SHA512
f072e6aa1e3a80cac98f7c9d56bee8ee7e43a4866e90a277fb3fc629230fefbd0cc78f0ceb604ca82275890a398c2a1ed95d9d18c78c4e966d4e4eebc0d72cdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
27e07ef3ced2557d75f54ecf4f11c5fd

SHA1
aba8eb6a253fbf95793aa2600ca74886c2112ee2

SHA256
4dfddbb19b89ae6bce5d311a76b45cf8b7eac08a68d658f7e847c293dba9af7a

SHA512
9e8f0326edaa0128b715ce2499d47441b94ca90cafbcbad71e68a90116d7354370d15be04766b817ba8efffbb88a49dd35259b3f1faec61f9823f477c34ddf53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6289ea59cb3886572b85869558b8a04a

SHA1
940fe529ff8282415cd679ae1505bcf7c46657e7

SHA256
4ee6d9e05c26ec281dcd5385722c649ad7665abcc2bff5f02cdcc57f54199727

SHA512
83351489ee242153ce152950eacdd55ce2fa61eed837257fe3bc3c54e4b7ac641deefa890650be516ac2f4de17f8ba92c226fe1764c64fdaaa3b1c86a643c02c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c1bcbeeb2055079601a274e4e093e323

SHA1
e7d15caed2f8ff66eebdd37cced622b090707712

SHA256
04733fa2ffddae8279dcb833c2d60ac21f0403a29575b0ed8c5e986516758a83

SHA512
bf276eb95098e42482ec79a9d8cf30342beeba60a97bf6cfb1b0c0ca1d52de39b541f31cb965b3c1e4005857b100fc17cca501b3eb1d44ffa30ef64947b47b51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
7c56b73a04148998b021e69d82593c2c

SHA1
06971edb79923e59973c4eb2d6c21c3b96bd0d04

SHA256
bc71190ec16dfe9eace32646bfe62bf60c43bfedba4088b151b094b512da4b13

SHA512
8be39fbd2c07942463072af4d0a025e0975d81886e408761959927f61302565fb38119047c078f00fa90820af9ff3543e7c53769e3e6323c374fcfbfe757fc91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
81bfdbbe2e81a1437cd4bfa0b6c6718b

SHA1
a8405f5c2420e0b5b9d5b1d3b51541fc9b3d1eca

SHA256
f7dfafe9932f09edba7fe65738b0cd662c10975242f62ce3783f2f40142c5024

SHA512
757176107238cd98e4f583b6d34bb3b4b0831c5bcb3c21f02fcb78ff5e38ca86b8df72275e36e0f29de9ad3f7d0ccfbcccf5783cfa0cfac55c5d305fe8157c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4912_369649595\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4912_369649595\f722083f-02b8-4475-a04a-c5acc873cadf.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\Downloads\sadasdasdasdasdas.exe

Filesize
42KB

MD5
3137c79a207244b4ffd8f47a280d6946

SHA1
3694dd6f44949f6bf681b8a69410118033fe0368

SHA256
d326364bd2e12c39ccb4b775a800b1e52111debaf2cfff0d0c020e06de4bf0c1

SHA512
e9362eeca845a3c7491dcb5824fbe282815cb15d343b9b5e7db8be609ec09dac0962d4536d582c3f845b31b33b7872d3be5e433aba75bbf3856136f2fd941e67

Download Submit
C:\Users\Admin\Downloads\sadasdasdasdasdas.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/4608-3-0x00007FFAE4E50000-0x00007FFAE5912000-memory.dmp

Filesize
10.8MB

Download
memory/4608-2-0x00007FFAE4E50000-0x00007FFAE5912000-memory.dmp

Filesize
10.8MB

Download
memory/4608-1-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/4608-0-0x00007FFAE4E53000-0x00007FFAE4E55000-memory.dmp

Filesize
8KB

Download