xworm | hxxps://gofile[.]io/d/TjjjN2

Analysis

max time kernel
100s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/TjjjN2

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
dllhost.exe

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 533385.crdownload	family_xworm
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE	family_xworm
behavioral1/memory/5052-157-0x00000000009D0000-0x00000000009E6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3932 powershell.exe
3032 powershell.exe
1888 powershell.exe
1416 powershell.exe
Downloads MZ/PE file

pid	process
3932	powershell.exe
3032	powershell.exe
1888	powershell.exe
1416	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

S.EXETESTEE.EXEImage Logger Hybrid V4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	S.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	TESTEE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Image Logger Hybrid V4.exe

Executes dropped EXE 3 IoCs

Processes:

Image Logger Hybrid V4.exeS.EXETESTEE.EXE

pid process

4196 Image Logger Hybrid V4.exe
444 S.EXE
5052 TESTEE.EXE

pid	process
4196	Image Logger Hybrid V4.exe
444	S.EXE
5052	TESTEE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TESTEE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe"	TESTEE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642423585539392"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

388 schtasks.exe

pid	process
388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exepowershell.exeTESTEE.EXE

pid	process
2932	chrome.exe
2932	chrome.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
1888	powershell.exe
1888	powershell.exe
1888	powershell.exe
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE
5052	TESTEE.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2932 chrome.exe
2932 chrome.exe
2932 chrome.exe
2932 chrome.exe
2932 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TESTEE.EXE

pid process

5052 TESTEE.EXE

pid	process
5052	TESTEE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2932 wrote to memory of 2732	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2732	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3652	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3588	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 3588	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe
PID 2932 wrote to memory of 2676	2932	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/TjjjN2
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba879ab58,0x7ffba879ab68,0x7ffba879ab78
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:2
2⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:1
2⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:1
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3700 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:1
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4100 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2668 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:1
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4948 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4028 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5024 --field-trial-handle=1932,i,15764655318576978896,4501654673138760918,131072 /prefetch:8
2⤵
PID:384

C:\Users\Admin\Downloads\Image Logger Hybrid V4.exe
"C:\Users\Admin\Downloads\Image Logger Hybrid V4.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4196

C:\Users\Admin\AppData\Local\Temp\S.EXE
"C:\Users\Admin\AppData\Local\Temp\S.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1HLqf3K.bat" "
4⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo test.png "
5⤵
PID:3024

C:\Windows\system32\findstr.exe
findstr /c:"".png""
5⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE
"C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TESTEE.EXE'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3932

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Roaming\dllhost.exe"
4⤵
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
67d12a917bf6de9a84db452689e86178

SHA1
44358dcfa34dabe40da544ba1036a043e9a7e3a5

SHA256
b1a0f77011a3d3b909ffa53309d9c3f05ee4a99a2eb5ed69ca9c969eb883b4ec

SHA512
ccac3672bb6ac4afb6aa7ef3769e58f0e595342bed8456b93b076d5a803486155d06b6e314befaa5f71f1ec62101f2feb70aba0ea99df05097f02594e656b5e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
179725bf5c34edb2f12626f3df4e488b

SHA1
eb633f187e5741bc33d3b4630b6c65d1e40dee14

SHA256
2c17e410b0bce03b526aca83b8bc25f1e32cff0d477a34b63e5684e814ac3c7b

SHA512
deee6db77784bc5b61fd5f6ef35e0d41a3d3b523823c9066a7ae0b28e5ae65cfd9ceb10a0d071032842f8b2b72d8a99e0d8cf4817eaa20981767552da22b30bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
858B

MD5
0a1cc57ab1f0354c1bb3aa7dd0676a94

SHA1
8c8b4500d8696e7102f277308cf7c28efef7af66

SHA256
1208d7cde1cbed9919b59f6b1f89ea620b88ef372acafb98af957a2649eeb57c

SHA512
71d6c70f7a274dba57bbffe69237dd7285d1c5b44e1f3daeb06ae9cc5859acc4a4d934a2a224741771cb2b2b1e028bbfe9691f7c6c7586a0e49fb09a554ec270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1b972aac18b95362d4ee3e648a997f3d

SHA1
e12ba53e1397af6c2632ee94ac58821c7cd282e4

SHA256
34ca7c6ff422a5a6cfd648f6238b14b5554584af623d9650f5a2fdc29f595d88

SHA512
34babddb5e31950b496c29bed697aa3de12ecb5ee9cded0c16256903a91ffa69c83b7f322d790427cfd6bdc1cd694f7aba5fdbf9cc84d3446905cd2fd6175f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
42d1d51870b65dda5f8bfdad4bf0cc98

SHA1
7f52f17aa3cbc32b24efb34b6acb80071e19ec49

SHA256
6db8f56a8b2cc8f47fddc2d571b162cd2c1c0521004ba8498299b429e17cd547

SHA512
7260f9f20e9bcd1b24a784ff5dbda4b77dd8707a8ac7ffbd5052b0454f720332c60fa3d838b9913e086ab5b58d9a130a142e34e029e6de0bd86d51ee38a3c6f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
b7728ed6509896dfc7b3c680c90b9f9b

SHA1
78ba303757803eedbcc5c3c2322d15390cc1885c

SHA256
bfa75e95e940230feeeb37cde3adbe578162907d7357e222042ca9e4577ec212

SHA512
1df231d5216ee2f341acc1bb54eef75c134a8a91678558d00ca5a67929abce2d7fd642e4ec14449f997b2a4b6b64fccc858628c1ad81467d871d3d47969c33f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
8487492ec6a9067c586b2ae5cc033e67

SHA1
9eb3a16cff1a02571400349093417374c036c152

SHA256
671cefe103c9a764eb0190e982d3a3707cc2230c8d497850d6a80fe27e26918a

SHA512
ae18aa846ee67d139769fd81d52c25e97b8b170818a3c34f19b28b2454276dc922dea65421a074557dadd004ba6608875905ae4f724027692d66cb606eb88910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b60c.TMP
Filesize
87KB

MD5
b30ee9cc0ef0aa3d103693ed2b5a0f04

SHA1
ffb07de4a87eb3b324002f0ede8c2e8b191cbdaa

SHA256
19300fed0096236a76753c68177f0523f750d114b0156e0879426249d683aefd

SHA512
a38aa2e3a30a781383f1c01e6ef9cc3498228323e3d3073df336ec607b86095f9f958a433672a0cac9fa8cf3bc87241a8a667da6869b43f1af2584b42042ee35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
da185fddf7e751e39023edde12930f37

SHA1
657fcb7fda401b69d3bb97e7b6abf126ac36d4b2

SHA256
8928226805a92acd76d21e1a276176d9af3ca1ec31f14e45a2b4b88f4722cad5

SHA512
db7bc02a1bd86d587840a56334dee9cb80aa0a8635cd2eb1c490bc5466659350de4d625f320731e34fac235016515d0dddc05a6081149dc6c2e82c262be6b975

Download Submit
C:\Users\Admin\AppData\Local\Temp\S.EXE
Filesize
7KB

MD5
b8d58060de9ef19140c2801ea6c979bf

SHA1
f98094ff9101b483e7a0d2826884a351c734fa9b

SHA256
38d7a6d3e1fee555dd526ade1d5efaf18d62bb35dbcea1505f47fd6346b432a8

SHA512
3eec6801ce54fc2541374a6f97956186d17e841a35f039fce59d7b0143f31d9fe8efe33e89fd676311b79baf75b5fae04f785d493206b75e424ba8d4e56adc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE
Filesize
66KB

MD5
04b8f12a041a2812f433aaf8f0a897e7

SHA1
b0680cf948c750266c565d21a100e8127d8bae40

SHA256
94fc19b165838e67bb83583d20b11d5acc7af865aa8a1c73691addd86975ac15

SHA512
018e3e534249abaa1d7da77566a3f1742e047a074ee07ae9a6cfcfa32d68f2b1bfb853360928cc9d2b28299d41803f7841aa5b5ef6431310b0b8b3ce0adf608e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aj4wkv2y.ekt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1HLqf3K.bat
Filesize
2KB

MD5
f588fb26f7bb8500fe4235446e808d1d

SHA1
0d0029a41f068d8b2ace763b57a1a7cdca6ea86b

SHA256
70b6546689c6e17ce3da85e5d52f0b053fdc18579559f3477d3362e2cdaff41e

SHA512
fc84adc7447cb36b43aa9c90f395126622044c83321bc2c2c6791f8f4f6099b43137e5668f2eff5c1d9edec0f5af5ae2e7b22d64dc2307404c27291349822a1e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 533385.crdownload
Filesize
126KB

MD5
6d103c685ef0960fab6eca5bf4617583

SHA1
ea11a8ba30f54015d71ed646fbd14b8800fc2e3f

SHA256
77d041474b58f2142077c3da4fc2d64c29a40eb400410c784e2606647028fa3f

SHA512
2429d67cf73056d496ff4cff2b8a72e2bc643201616b969464543580bd027366e13c51fda4161e319af122fa22c088c1ec737e87e8528e09b4e450d84755732d

Download Submit
\??\pipe\crashpad_2932_XYCCSEXNFTBPNQIA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/444-163-0x00007FFB95850000-0x00007FFB96311000-memory.dmp

Filesize
10.8MB

Download
memory/444-158-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/3032-170-0x000001F950410000-0x000001F950432000-memory.dmp

Filesize
136KB

Download
memory/5052-155-0x00007FFB95853000-0x00007FFB95855000-memory.dmp

Filesize
8KB

Download
memory/5052-157-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download