xworm | 382795fea9086b171f12bd039398b822fbae9ca1fe1704d89ec1ea53bfb4d37a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

now.exe
Size

142KB
MD5

a0d7ef878665100044cd1d67df924e2b
SHA1

31fadc994844a9e59bea9e52b193df3a8a39c6c7
SHA256

382795fea9086b171f12bd039398b822fbae9ca1fe1704d89ec1ea53bfb4d37a
SHA512

784543b84f835ea3d30a0b02d4f5ed558359c812d69c2921e0c8822cceabce0a2f935787154ba8d824c30eb34a75080ace598cd8f8df15fdb50c0ce5daac38a7
SSDEEP

1536:z2H+q7TOFShECxGJRiUFu9ocO+XctTEW:DvqUFu9ocO+8EW

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

GzBalPVgdb4kiINV

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2816-1-0x0000000000820000-0x0000000000848000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857414415548089"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1376	chrome.exe
1376	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	now.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4904	1376	chrome.exe	98
PID 1376 wrote to memory of 4904	1376	chrome.exe	98
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4640	1376	chrome.exe	100
PID 1376 wrote to memory of 4924	1376	chrome.exe	101
PID 1376 wrote to memory of 4924	1376	chrome.exe	101
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102
PID 1376 wrote to memory of 1452	1376	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\now.exe
"C:\Users\Admin\AppData\Local\Temp\now.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaa6bdcc40,0x7ffaa6bdcc4c,0x7ffaa6bdcc58
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4088,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5356,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5584,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5620,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5596 /prefetch:2
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5556,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4988,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4520,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5468,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5784,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4956,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4408,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3400,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5704,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5740,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5396,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3192,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5248,i,15881822969197493898,4648401675914787639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:5560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6d385144d42270803ee2c9b9e0b7833c

SHA1
ff40aaa1c1b075e5cb93213dcc023ceee0347318

SHA256
56807e2bd4aaf9d10e3f34354fcee223d3463a0efdb4b09c7153e689d88992ac

SHA512
c7324a60dca5900e81f43209f11937f89ea6d8084a800656b5ab8b91fdf4cc38b7054546a22996a6fdce2e7cd1069d49de39a63d32fd45de651ceb228b04cf74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
68ce97196ec8b9ecfe0b9a50907b49b6

SHA1
1c4d05d9d39cc27d55de52e2b9d1640e182d3602

SHA256
0293c7c230d4a11b17128be449bb4511a021a23d4595d077b5742e589f2e7149

SHA512
54be8c15762438999c86e1536f12ff80c9d94157254594aeb1e9c071711a5b090944aff530b0ab0693cc49184efffc4aa87eb54e72bf59a59384c3f18867ea08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
40e83dadeda377702d86a52f99bcd545

SHA1
dd7f66c489a422231498c737d1b7360b8e192e6d

SHA256
da95ef02a36c299d2c7e3cb5e78fb2d072881e3ed37e1a6c0b27278262040f5b

SHA512
b42014dbc1089d5c2fc6353ddf315c94f3aee0d56d0f475bfbe26e2046a64372ecc9662e17bc1797988fdd8188baa05d1e703035aa12e16dc24184b7832bfe9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b2141ce60d0eac4cc4bd8c136b04df2c

SHA1
f7cf381eb7044e39456a6e814ee35cd9ee7c70ae

SHA256
b4da1e8bd0c175fb23e1bc90966229a6c9b6daecc5ccf5cc3e5040ca71cc5203

SHA512
f9bc02cc0b946ca8812e18c8cc433cdb6ee428fb22fb70a7f799a96140f5a917e2fb8d5898e85b6483d99f51d9430ab907e5883c55f811ed32e5ce806c3fd453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2ef6625d00285da6cf9dc15b7156b6ad

SHA1
0c37660d986217ced78c913a2151c5b03355b21d

SHA256
d475b4936f22756f95301bc3f4fb326bf17b8fe8b3462204a96286a570612d79

SHA512
126979eb2d284f4d867bb38cd29d2323192f9d584772e3c1bb0f21f31a6f5bafdeea9e00d9c2f59336b6fc7fea224b9a97e95139d21ff41f8b168f2d34673d50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
505ca21402e153d1b210fa07739cf37f

SHA1
3b35ce894fda535fbb7a4c6bad70ac3644af12c1

SHA256
83cf2204334c7d2fd74cbcc4c1c48892c9cabad9d7b0dbd7629950d5693413ee

SHA512
c3daccb1d0202b807a41e2b79c94d2744ba4b486187497c9e87ebc35fa3e46131ca7ba02347c30eecec1b7c99ba0b0225f4c74940b6cf3ca2721e10e16cce545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c454bf78bacba1126c9d14cab4a42e6c

SHA1
f5795f61b1066b278ce0076220a1c191e05de827

SHA256
e096845c89d34b22b9a3709987646b935461e20f676505d3d70c62139747e6fa

SHA512
6741e31df0fd32226104ad58f657489f97442c002da23e914a8f0594351f641494439b01f8cef5b1d65896f4d6e14d26af58ffecad477f9ad8e85edc2f2a8d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aea9de10491b79460ccfa5d34a2e3fa4

SHA1
52f03bfd09c4ef7f22bb282a28726148caf9f93d

SHA256
d4f14904fb0d8d4e27a45fd89ed3e1eedf420f402d0c68a11a94f0d3ab5a78e1

SHA512
4ba8bb7b99ce770633ebbdc0815f352f242a62692602e890a77e6c7502bc6c9d0f4e8d42a1bec9538ac4f40639794c8fef30b70892c51c935f7225b9cd96e31f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd6ae874e73c5e022b9eeedfc1bd6950

SHA1
f0a023609bbb37b5096afd734f66d47d8de7bcdd

SHA256
040ecb3d974454dd8255473eaae953979ef6ed63d8fa5f78002ad56a3307873b

SHA512
39f5bc6f1d3f50ba7c9b82df43a59e58648f7e6a5bc1662ac6db6b5af7d2b7c973503ea171c5ea9ea7b096ee1f663399d0648b0813cf60edfba09bb1bb426339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
247c5101147afc6ba9a32cc89f8636c7

SHA1
d9c142e51e355204b5561292c03ca6c64ce4e283

SHA256
ba4c6f51d76eb873c5de99be9f6ba5bfa102b2694dbff64b455cb3a4f39de384

SHA512
be69d5c58ebaf4f3d3d5dc624e0568e40a6ddb39fd9b9f1f9574590e2835f27427718c8a0dfb510b69382b1fd29ab47feb55b38a6dc712b98d0207a9f1948892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
631a673eaa91997b19f2b674c2b1a314

SHA1
4615ce2cf2076d6a2725ed0a163fa251aff710ec

SHA256
e613639963f8d3debf5224b46ec756ac66101afedffa9cd84d02b53d590e3909

SHA512
c11b47421462ab4128831c7729466459e0fa43f7df6c5b5f25ed27e48839c0a2c994121dccba060f78ca4bf5746aac6d1af151d0bd294b44293ce6d10168d580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e15a1635985a78c0a663475b3c9f9738

SHA1
951fa297e10f44fd4b4889aae35d09de0af05355

SHA256
1a123789abb9277b9993d6a61fe48c32dbe206913cd37f82319313cfc37fb4e2

SHA512
ac5beb7b08a8376b5980559c122f89815e06f048b3964e29f8a495b4164da4d6e56561f3ce76e84b4de13f035d7cb15185dba99e96bde34ff00f184f3073c732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46a614048fcda672c01e015acc4be753

SHA1
e4a789f7674bb10212357d6e70743cc4cb7ac13a

SHA256
bca20622bb0414a7862e07eb73d95e3198b94bf172fff523718875c155f9c07b

SHA512
aae63265a572eadc1f0ff2a68cfee5584463d69c3186b683f24830d50bdaa28f49872af16375cea5c323240b3c45dcf0d02a7d80d8af21d17887f55dcc2f60aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9d925c61e2afd543aec64db709e9a36a

SHA1
84fa0509848e7b1938f7890f1d40bfa0c037a8eb

SHA256
5bb89dfbb211977ea3e1a37df99e83ae4784eac3290d29ce9c17efd5cee7efd3

SHA512
3158d101e871c76637d09fd479a0f1cb64af406a0d3d448ddad3a8d89ee79b622a6fe31b282a47ac7f83df46faa5dca83a029024d7fbee26586f1e88d7465080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
a68a4b0586830bb965353dea346ddbf2

SHA1
dd73d94c0af972714f6c46ff309b1505560efd21

SHA256
43a2b53d9552d31bc47caa87bcfa04b5f12dc0db76465e640b82d2ec9e4530f4

SHA512
f0cc2f3566e92a7a0ee0ec6e57ca6c8ba1167584aa61bae91e6f4cd0e9c4b6823f5e7a42e33d026651b7dda223157d366280394c126c52f53aba724d3a9bf4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
4f32ecefe49cb63b31d79a0631db5418

SHA1
ef5bd40120256413317717162c5e3caf3d6781dc

SHA256
4ef277b7d35856ae6b3117e23d588dd08f9871fe7cb3e14ded15934625ee107c

SHA512
2b4921dbd53c52e339689b21de45688d73ef51d410106918c5e49f6a022c4239690e2f6ab2f573c851731b6a2b7d6c5ef5ed1773a0e8809200df56b790770406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
988befbc97229173c30fac16f417df3c

SHA1
02ce377117c3e84eb63da3fd7c22e337e6693a75

SHA256
e455030bd3db5d632aa35cfe9db72f7663ba09365e0452b0bb9f43020716bd10

SHA512
45dfd6eb4ef0418fecedbd0a09c8bf93c1b4b4fc1307bf080d08ccedee5def316deb6ec3035d29ac6862cef142f3c97ec1dbcf239b9ef6685d0d3cdc0e4b1127

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1376_539423236\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1376_539423236\b7151e70-6451-4a63-a93c-dcee824d5459.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
memory/2816-4-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/2816-3-0x000000001BA60000-0x000000001BB62000-memory.dmp

Filesize
1.0MB

Download
memory/2816-0-0x00007FFA97883000-0x00007FFA97885000-memory.dmp

Filesize
8KB

Download
memory/2816-2-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/2816-1-0x0000000000820000-0x0000000000848000-memory.dmp

Filesize
160KB

Download