xworm | 8d51377fe043255945425c46ce9a964083da47dd78c841da3836558a6c40b831

Resubmissions

08/03/2025, 18:53

250308-xjvc5s1mv8 10

08/03/2025, 18:45

250308-xd9wms1tas 10

08/03/2025, 18:43

250308-xdeeqs1shv 10

Analysis

max time kernel
306s
max time network
379s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsApp1.exe
Size

107KB
MD5

1e24ff2359051f6c6a41809c4b9ebbf4
SHA1

a422a0a2b3ec9d9fd588eee0c8abdc11e7da3b30
SHA256

8d51377fe043255945425c46ce9a964083da47dd78c841da3836558a6c40b831
SHA512

9a7f86d428941d43d768b69feeb523b7e9def3b7e6924ec50dfad68556a52f0f4ffa62f59b52b6d1ebef3302f338b099cfd4a924f2d270e4f824aef408c22de8
SSDEEP

1536:TMCOo9HbpuW+LpyOQGTrePk5QgKYXsIpsd0tiA/EdipjNd+FXwD+X4vBr52WBHPa:TaGcoCoonMyBBzvBXvWjOVY

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

any-attraction.gl.at.ply.gg:27770

Mutex

B33wn5oKUxMok1Li

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

council-wars.gl.at.ply.gg:19994

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2128-4-0x0000000000310000-0x000000000031E000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019b0f-220.dat	family_xworm
behavioral1/memory/2196-248-0x0000000001380000-0x000000000139A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
55	2948	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	skibnabatys menu v2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
41	api.gofile.io
53	api.gofile.io
39	api.gofile.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WF.msc	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1364	mmc.exe
1364	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 968	1148	chrome.exe	32
PID 1148 wrote to memory of 968	1148	chrome.exe	32
PID 1148 wrote to memory of 968	1148	chrome.exe	32
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2212	1148	chrome.exe	34
PID 1148 wrote to memory of 2948	1148	chrome.exe	35
PID 1148 wrote to memory of 2948	1148	chrome.exe	35
PID 1148 wrote to memory of 2948	1148	chrome.exe	35
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36
PID 1148 wrote to memory of 2580	1148	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"
1⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2339758,0x7fef2339768,0x7fef2339778
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:2
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2160 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3008 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:2
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2488 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3248 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3536 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3400 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3532 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3444 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2748 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=656 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1800 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1044 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2176 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3988 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3876 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2200 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3200 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Users\Admin\Downloads\skibnabatys menu v2.exe
  "C:\Users\Admin\Downloads\skibnabatys menu v2.exe"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1288,i,1741298560870295193,2252040487304383074,131072 /prefetch:8
  2⤵
  PID:2404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2012

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2204

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2068

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x538
1⤵
PID:2936

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
3ef5409b5454f826a74911acec1b2fad

SHA1
a27549682c8806ed73cb0cb5d5adbd3ebc679c7d

SHA256
45d70aff34e027717d1146cb74e20a6f65c1e2dce0bdd0e4d78db7ead146c646

SHA512
9904a0d2b37f59d0d6fb5ce23ae217133a16f7469ed0f0c71127a2500773f1bb800535075826a57f6027bf0aee14276db85f8d2516a794e2d436535e51aeaf1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
9e2744e2386af1b3c353617f4b23f4de

SHA1
d5c68d9126265e25179ef1f097c2bd16d3777037

SHA256
cc3f888464a891993fd3f6e86dc02d85b82c4190156dbbc3fd80fdb75e4983b2

SHA512
bcba0f5d5bac43fedb737e6fc45d548dea6e5847e78c04eb45f7c1dcf96fa327cfe4bab1f9c2de340b0087ac103d802d5ee5db323708ebdffc84f8e61c7d560d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4f274a2d14f526213d9159ad4fcef1e4

SHA1
31361eeaa65f8779611b72c54fb70cf7efc52a02

SHA256
914f8674b2c8cd15df0834f5188f72a543854ca90681bc0a2d62f152cae358ce

SHA512
bb1fc91cf632f3d0a18b5d15c2b51e03c53a3e3b08c609924b827b8110ac865c92cf58cac6cdb1337d04838431e013085c3535f1b463e4088fe1bac81fd25f75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f33b79bf94373ce6a066d0e37c1765bc

SHA1
7c2a682cb53286b5831ddc4d52eb804ea93b4352

SHA256
8ead4e2ca3039ae8e815527c65c2193bae8f5f98840a9df85fd6820ecfd22b28

SHA512
79d92c76acbdc75be6e9724b28daa5680a09e1d8046d442f7237263b59600a7426e5ce4742211b2ae566b7aead27d11d6b4613fd1ac6a1983ee012f53fbfe590

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
849B

MD5
78a55723963a0b8582bb0225dd8f8018

SHA1
37ffd351504064a01fe809e2a9b0c89c330c0c8b

SHA256
7a038af87992f94dba1248d1ff61b1aacbc182bcd0544e7f605acf81ff070b82

SHA512
2fa21959b07f01d772d2737e6f1f049caa9c06d126982d2950e955549dfdd3281693855a52ba9bf92d1b61f1ea7a578ac3b6af811f1d579e67862ee0c9bd1b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
c655c9b6bb2141e5153619f89f0808b3

SHA1
e6b3c0ffbfe3a402e9be021fadcf48f3f7675135

SHA256
2f84e2019ba3b512b450920ce725c5cf2e673249e51e5e346e3e015fbc713b20

SHA512
0fa272aa9a367b810cd93d2745758f09c86349691e712f0f34236c954bf0ebb6dd20ae531eb771b8bf668cc557cf677160fa34bd182f250f9da9399e3d724e98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7ef8842df158616bded7e8597465a92a

SHA1
872d79f0b6b220826c033cf7c19f3c9ad5026d62

SHA256
b75fc1a8a717391debed2d0242f92493c8377f8f0ef4e950bf637bc34d6768dd

SHA512
65313b6488ccd1b194fa041f5fabd9a67abbe3366533162ef696f396386d1018aefd5627cafd28663ae318aff38d0e65d8ac98733221f0cd7a46f7bb9f68d071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0a7aba0eaa36560a490626474c0ced9c

SHA1
942d0fd0da7755dd7b13aa8b9e415bc6677e8a47

SHA256
2600ab230d58c38a4df293da27baea15edf9fcc246dd21f858277b7f4098e2cd

SHA512
1f16fbe9e68aa7e75c153180f7d7f42c739d38cb4a4f46aad36cd12721e4230455b45f9547707147aa02032e037101ac25137b61ff0b78f65436b5934f144eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7b2a37c93f4207ae101334c7eaf59665

SHA1
05f909c964fd03d39cb6fcd1917a5d4236b0ee46

SHA256
7c198fbf69473af13db85e0c2145a1610d1ecc88e44a4e1c589f54c2aa612027

SHA512
24d53e3f19dd1d15f18783a426e18b6516dd37d8818d6f9c0359044724c1c2c85c0625d9861a6c83667d984f0333947762e0d28878e42234b0c93f7ba207e8dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ac0be73f-cd78-407a-bc6d-568dcc9631ad.tmp

Filesize
6KB

MD5
92ce5aff697672a83fe3ffb4455e5c38

SHA1
934d6aa237892362ebfd25c6e952354d9086b99e

SHA256
a3ab3e53c5cb2ee5ee095a19f18ad97f4b14f6417807776b9325beb797c8a9f0

SHA512
782d63cb734c8dc6d809e229e0526519b71ecd65096173067f9b4ddaf3497189120c9e84aac2d85eab2eab73c09daf4e1a5c6e55d7092c230256c25792b7f010

Download Submit
C:\Users\Admin\Downloads\skibnabatys menu v2.exe

Filesize
78KB

MD5
2ba318ceed593c5efa745c547a2d8003

SHA1
3ba519e011b7a6ed6804d38d2fa2cd06542a0db1

SHA256
219c72cfa13ac4bfb1f3d8005cad5eaf41745973e395842aa596af293f5be5b7

SHA512
e5ceb6c791b96a9ba2e111c0170e49dc956331849c263988750f57cab16621224630851df8a320beccf50c3b9fc24a079938c098c809427ce2ec6a1ac40fee04

Download Submit
memory/1364-290-0x0000000002410000-0x000000000242E000-memory.dmp

Filesize
120KB

Download
memory/1364-291-0x000000001D580000-0x000000001DA58000-memory.dmp

Filesize
4.8MB

Download
memory/2128-7-0x000007FEF551E000-0x000007FEF551F000-memory.dmp

Filesize
4KB

Download
memory/2128-4-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2128-8-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2128-0-0x000007FEF551E000-0x000007FEF551F000-memory.dmp

Filesize
4KB

Download
memory/2128-6-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2128-1-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2128-2-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2128-9-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2128-5-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2128-3-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-249-0x000007FEED1A0000-0x000007FEEDB8C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-267-0x000007FEED1A0000-0x000007FEEDB8C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-259-0x000007FEED1A3000-0x000007FEED1A4000-memory.dmp

Filesize
4KB

Download
memory/2196-248-0x0000000001380000-0x000000000139A000-memory.dmp

Filesize
104KB

Download
memory/2196-247-0x000007FEED1A3000-0x000007FEED1A4000-memory.dmp

Filesize
4KB

Download