xworm | 8d51377fe043255945425c46ce9a964083da47dd78c841da3836558a6c40b831

Resubmissions

08/03/2025, 18:53

250308-xjvc5s1mv8 10

08/03/2025, 18:45

250308-xd9wms1tas 10

08/03/2025, 18:43

250308-xdeeqs1shv 10

Analysis

max time kernel
220s
max time network
223s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08/03/2025, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsApp1.exe
Size

107KB
MD5

1e24ff2359051f6c6a41809c4b9ebbf4
SHA1

a422a0a2b3ec9d9fd588eee0c8abdc11e7da3b30
SHA256

8d51377fe043255945425c46ce9a964083da47dd78c841da3836558a6c40b831
SHA512

9a7f86d428941d43d768b69feeb523b7e9def3b7e6924ec50dfad68556a52f0f4ffa62f59b52b6d1ebef3302f338b099cfd4a924f2d270e4f824aef408c22de8
SSDEEP

1536:TMCOo9HbpuW+LpyOQGTrePk5QgKYXsIpsd0tiA/EdipjNd+FXwD+X4vBr52WBHPa:TaGcoCoonMyBBzvBXvWjOVY

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

any-attraction.gl.at.ply.gg:27770

Mutex

B33wn5oKUxMok1Li

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

council-wars.gl.at.ply.gg:19994

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1568-10-0x000000001BF40000-0x000000001BF4E000-memory.dmp	family_xworm
behavioral1/files/0x0008000000027dd8-162.dat	family_xworm
behavioral1/memory/5796-176-0x0000000000C10000-0x0000000000C2A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
83	1812	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
5796	skibnabatys menu v2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
71	api.gofile.io
73	api.gofile.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
92	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133859336469612144"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3612	chrome.exe
3612	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3860	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1144	3612	chrome.exe	97
PID 3612 wrote to memory of 1144	3612	chrome.exe	97
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 2724	3612	chrome.exe	98
PID 3612 wrote to memory of 1812	3612	chrome.exe	99
PID 3612 wrote to memory of 1812	3612	chrome.exe	99
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100
PID 3612 wrote to memory of 1876	3612	chrome.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"
1⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc0107cc40,0x7ffc0107cc4c,0x7ffc0107cc58
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3688,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5300,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5032,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4652,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4600,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4612,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4576,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5528,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5540,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5836,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5848,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:4412
- C:\Users\Admin\Downloads\skibnabatys menu v2.exe
  "C:\Users\Admin\Downloads\skibnabatys menu v2.exe"
  2⤵
  - Executes dropped EXE
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5920,i,15086213026705431572,13971987270802342062,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4468

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:1324

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5064

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
12b01bfb69785fe4a5a75e0a577c7093

SHA1
345c692e39ca14d7a9aa5b8aca779465e35a3f9d

SHA256
1511f2edaba3210d2ad601c36bf46dc91ad43b8a5391e359f5820616cb8e7fe1

SHA512
9d2ff5020181be75c115faacbd12aede6bf7b83d7177d9753204a9cad58c4cf50ff159d2872ce16156504e3cb60970ddfb6cde2d1883ed7f16680fa4a86ae7ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
192B

MD5
8512c0eca50555a335c622043c6a59e5

SHA1
66b4a04b3e66424743e7f3eab8b69c54c80d8273

SHA256
fa472b65d59d441d2460b8f96f30f6ba14df8f845c6ad31a00484b6a11161d83

SHA512
7887905816754e8ef732c6a0af826de476385eb8bb125e2bcd962f3af5df9507cec5f6f41396d0b138948f220e94df59d775de029aedc89b14fdc23d5ccd52ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
675f1fbb26586e42a363cd5ed201312d

SHA1
c51b8b4cf880bd708580993677d928b69fd20126

SHA256
f14aa390199a6af702269e092d895f79afce5ab56b8c0ffd77149eb7ef0abba2

SHA512
e5d7a636667372ac116d258674d597a453dde0070c4b205d4c06b4e3dedb300af72e64f5992ef7e65600d8ec294d15ef098a362cf833e65bd070a4ea095f8ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4b374351020e78b35b96d22f3f11f9d1

SHA1
f77a01429cd254e6fecf561dc176e04993af07d7

SHA256
7f66815b06a359729d5bb94e4eebda17c89789f60f2edb6b3a8bfdbfed223ce6

SHA512
1b5e58de05355b46f75403d34ef5d99d3628bebc69d29f914d08369f1da84243ddf5c9f5a8c7ac0106b02f1eaae14164ccb781345352be0e0437a9a03703d203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
353775f89ef1c6fa9cbed9423618dae3

SHA1
0194ee919855f0d6c24e7814f1d45eae37f9dc50

SHA256
13055dbfa8bf5507e1fbfb7157744ded85bc92ecab6c113c6cc70fc655273d1d

SHA512
32f59c35b20a72d66913e859013cf0a21f709fa050c6d0778ec77bc27b602ba05ef7f69042cb3136e4c1339568242e53cd2e331884406aa4a0d823d3e41db0ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aefd781eead28360c43b1dc1d6389ae3

SHA1
eefe5494971c458c7001ff83f5e92799cf9605f7

SHA256
663eead2bce7fa11fa4e25304f4e898b8dd8dd25a82baee3c019941570b6ce02

SHA512
3deef6f8b9fe49c2138cf30570d6e01ee41e2dc48dc67fea264b202f7e727be36e1181a7ec2d07cef0e434c6f3c861ceecf4d5e8658a284b44b40ae07604361d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
176a8166770dc6a6335d755bc5265408

SHA1
789ec6f2df9a0fb8c251652cd8811b8184f28616

SHA256
6e0c126c20ab54d3521cd43e88445e58ec6e03b51c024a822294adf25d48085d

SHA512
06e64b54e642801e879e04644aa2c8f7620e3bfb33d9c6a79b992d507b492268da8429d978832f979ea8ab2a6bb05ca2c13c7a61aa1bf0227037887b9c15fe1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e8f2599489013a56138acfe294f99208

SHA1
b3fd2fc14dc48e9fa2b3d8690ed1c81ee306a746

SHA256
c505f2177765f296973ff8313af3dde4262cd3166a8a55f2a8e9d3a6284f81e3

SHA512
3ef6052e8c0ea8eef104669065391e76935c121cf19b16cf9066f83640c25681bf7d24a45246c7ced944f85cb5e83238aeadc7ff30c7c10fd4ed9f065a000aee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
272e849508a6925677fb7dc7e084e746

SHA1
cf6b86e1b9dac49aa1fabea31aa56fa23b5e1463

SHA256
bc0b8014ef133f2c934fc69e429dfdd4a772dd4cf49cac393cd093c57cd0d023

SHA512
852f2fe5ad4e4fd1f2b4e0dc6e3481cacef09a0428099ed4dab39d0528722edae6b5fa2e74f3da174279627466ccbd77288f81732b3a9d11b407fd9f73f37718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ceff43e15bf3b984d46f101cfaf72b23

SHA1
a5c685d86fb335da943914ea01a72479d0fd3515

SHA256
8ab5905dff5195399b64236a9bc83d15351d19a778490a71dc6fcb06216834f2

SHA512
f715ee86321a7d5292abe45ca771a15d0484e9f7305cdbe29edf9b123ef45b487c5141d2e06232624c7ed061459e422d2551d7cf38d9bba80bb952c942a89121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
319ac3ed966374936869c777d0c84315

SHA1
2231246e0e01cc4930cabf3b8f1fb4b752d2a7da

SHA256
a34c5925c8210782bbeaef74e1e587c33abdde46094dcb301c7a4e3d9f6103ec

SHA512
c759bc6144b71f6f2e54a6dbf7df4c7ec12f81adec4246d2d176e3227d4de95926fbee71c75807c5e01069d655b51b2a82ad1a836f8b8b05417714c5c33b1a74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e3624c8109e49a32bdd7cc5b65a8ffc3

SHA1
41c3eed8831dd9beeaa70601d4b26fef0a69e2a3

SHA256
9cb1253b44369e1842747d4d92a24c4416b4e03e6a7423033c7f135ebddb8efa

SHA512
ba3708d8fb744d5e75513ce5b779019b40faeceaa0f8a4ed4dd93552a0de4d1db0f5560e630b9bdb35bd3a7dd850d3ab36b3426738c28cdf313ab355811a3e09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6637184dd92be3c716e7ab262df52db

SHA1
5132d177844da2deea67dc52491d0484fbfa354b

SHA256
9d91af8bdc6f272d4d0c6af2ee0d576a4649baaca5fa5655a6062ee6d1f06e58

SHA512
2c24d29f185befe5f47cddf0080713888eb8906de5ab73a33a918c28772f529831ff231c94a8e13ce43eaef7d09c6b7f7159e1aa1f6a588ac3a7410f28ec1f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb45756e5adca3ea6d994abb0d1b7966

SHA1
4e34e6339930ab316aac4bbb8bfc4539a19a0c55

SHA256
e7b90330281a8ff1a396af4793dec9e4422224d2c0c87389a31d8e88df60f646

SHA512
afd7a82fe320fb88d05e4b0147384564009ecf60276267c29070a07a1fc6ff2814245224e6404454befa227fde002ff2c077ee0b3ae9be9c7452053a5b9bd1b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5a07b6ce38cb8da4820f77a95bb2d305

SHA1
2bfce16f83d63a889cd0015a02dc0e04e751ee3a

SHA256
8b48d0ca0924bde585dd4886d69ba511bf7dc739de32da6b8ff0717b4bfbac26

SHA512
b22c93088eaf62a31de9fa2f60e7d6488d048d767bf9fe2e13fa5210e0653ff256adfec2bd71a284404b6f944f5fd968f15c78bf4cdc1e266dc89be1f34a3c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
3cba845000fc8042eccf621b26c47dab

SHA1
621ac9547e5a486856dc51d6514a89d34b7e0aeb

SHA256
5601b1a008a7fbc5d7d2f26b057cf92f028d8c4cb4d362dcf639fe1494ad4d53

SHA512
13aa18eecfdf33d23c8588ad47e42d44ea42e112d479e0a625d35960efff069cbe1a59ac669908a1a712ed8729d8ac80ec7556064e60b3cd9830b9eb2f835664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
73c162d89405d3a51b0061573c584a47

SHA1
16008e2d088e5ff272621d2d5ceeae0b19e96fc9

SHA256
cfda82ee4dfd64aaef1ed950d93e7aaf2660ae11812dae4b0b3522e2fc0cd491

SHA512
206d3b38a6b50d30b207dfd2b2e3f7f7bdb9d6d3998577af682d8b4545e5a6d54c9d4168ee30171c5201819b5ff7e3310e71b6e7b5c6407cd8725aca0dd967f5

Download Submit
C:\Users\Admin\Downloads\skibnabatys menu v2.exe

Filesize
78KB

MD5
2ba318ceed593c5efa745c547a2d8003

SHA1
3ba519e011b7a6ed6804d38d2fa2cd06542a0db1

SHA256
219c72cfa13ac4bfb1f3d8005cad5eaf41745973e395842aa596af293f5be5b7

SHA512
e5ceb6c791b96a9ba2e111c0170e49dc956331849c263988750f57cab16621224630851df8a320beccf50c3b9fc24a079938c098c809427ce2ec6a1ac40fee04

Download Submit
memory/1568-14-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/1568-11-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/1568-5-0x000000001BD00000-0x000000001BD9C000-memory.dmp

Filesize
624KB

Download
memory/1568-3-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/1568-6-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/1568-15-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/1568-2-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/1568-0-0x00007FFC045A5000-0x00007FFC045A6000-memory.dmp

Filesize
4KB

Download
memory/1568-7-0x000000001BF60000-0x000000001BFAC000-memory.dmp

Filesize
304KB

Download
memory/1568-8-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/1568-13-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/1568-1-0x000000001B1B0000-0x000000001B256000-memory.dmp

Filesize
664KB

Download
memory/1568-12-0x00007FFC045A5000-0x00007FFC045A6000-memory.dmp

Filesize
4KB

Download
memory/1568-4-0x000000001B730000-0x000000001BBFE000-memory.dmp

Filesize
4.8MB

Download
memory/1568-10-0x000000001BF40000-0x000000001BF4E000-memory.dmp

Filesize
56KB

Download
memory/1568-9-0x00007FFC042F0000-0x00007FFC04C91000-memory.dmp

Filesize
9.6MB

Download
memory/5796-176-0x0000000000C10000-0x0000000000C2A000-memory.dmp

Filesize
104KB

Download