xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1800s
max time network
1180s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/1540-1-0x0000000000380000-0x0000000000396000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1008 powershell.exe
1544 powershell.exe
3184 powershell.exe
524 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation sv.exe

resource	yara_rule
behavioral1/memory/1540-1-0x0000000000380000-0x0000000000396000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	sv.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 6 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid process

1712 svhost.exe
2924 svhost.exe
4144 svhost.exe
3884 svhost.exe
900 svhost.exe
424 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1712	svhost.exe
2924	svhost.exe
4144	svhost.exe
3884	svhost.exe
900	svhost.exe
424	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

chrome.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "120"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642987296864988"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2108 schtasks.exe

pid	process
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exechrome.exechrome.exe

pid	process
1008	powershell.exe
1008	powershell.exe
1544	powershell.exe
1544	powershell.exe
3184	powershell.exe
3184	powershell.exe
524	powershell.exe
524	powershell.exe
3264	chrome.exe
3264	chrome.exe
740	chrome.exe
740	chrome.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
1420
3680
4636
4116
1328
3888
1688
4100
4708
3316
3796
2640
3476
4828
2648
4424
4332
3004
1968
3932
4824
1600
4064
2788
4916
1176
4068
2980
4552
4392
4756
4256
2336
872
1360
4888
1940
4772
1052
3860
4576
3672
4176
368
1384
4732
3980
2576
3180
5076
504
2032
4048
3576
4984
4400
4404
1468
3964
3428
436
860
4072
2404

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3264 chrome.exe
3264 chrome.exe
3264 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1540	sv.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1540	sv.exe
Token: SeDebugPrivilege	1712	svhost.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe
3264	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2960 LogonUI.exe

pid	process
2960	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exechrome.exe

description	pid	process	target process
PID 1540 wrote to memory of 1008	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 1008	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 1544	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 1544	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 3184	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 3184	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 524	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 524	1540	sv.exe	powershell.exe
PID 1540 wrote to memory of 2108	1540	sv.exe	schtasks.exe
PID 1540 wrote to memory of 2108	1540	sv.exe	schtasks.exe
PID 3264 wrote to memory of 3020	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 3020	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4504	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 868	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 868	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 2760	3264	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe -L
2⤵
PID:1468

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe32feab58,0x7ffe32feab68,0x7ffe32feab78
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:2
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:8
2⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:8
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:1
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:1
2⤵
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3624 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:1
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:8
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:8
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 --field-trial-handle=1928,i,7291325944993561328,17645169753306116663,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4860

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2924

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4144

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3884

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:900

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:424

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\36ca86c3-e2a2-42a6-9588-967b45de1265.tmp
Filesize
6KB

MD5
b6fb4380ec2b1d2f2fd5bc1b8597bd26

SHA1
827fdbb494d603d0c7bdabc991a0d5e950044bec

SHA256
687190653e7d922fcf67c4cfa17b205f10731af13f78b3d25ca48b2ba15ddaeb

SHA512
cd70d55069401f9826e1897ccd5e2e40c4f2d7c82d7fa89a5899f5333f0f3bd192be548b2ea1966414febe3ee4de638a623b871db78688caa4d846f32777b20c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
0f052182630ffaa2ca6d9dda84708af8

SHA1
b83996ed4de9a16a3b2a330bd5c1258c2c161b9a

SHA256
c70f55dc88ccdd81c1102c09094067f312bdd85d68041b891aed1bae862d8a21

SHA512
16b8468264fed6e06bc29f4d6cf9320e71f28ab1930fe5cc1bad38c6d78213679dec9e542a2ad25d5814ad5d7e47b8d663d480d0e5044996938856a4f5f56187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
e39f6933b37965c9b4c07abe7dd4f059

SHA1
165f45b69a72c7ef35108c8bc835f13df598ad35

SHA256
9a0448e4449bced85c79715cd12debbc5a3ef221c53153bfeba9709ff49a8cef

SHA512
499d20c478160a3a8d0845f68d177223d593ba0d24e62daf6c5948dbbe0c2146846c519dfc8e2479836e86876b1c891cf93e3788218d749a6f6c31c107b4eee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
42f24dc7f878b4e55cd48c7276c0a396

SHA1
64098bcf33877f7be1d10a240b6c950c85816220

SHA256
1498f0cf5888979d6c2f1227fadbfda65661a91ccf202d1ee57b3f312bbcb7bd

SHA512
57162f89374089d6bcaee352a3c5537ac664c5e0923b8ffcfc0cb8dd5bb0f7e9cda49db1a0cccbc737c9efaffbd89b5e8d7aaa576501c89de91d12cb857a372f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
13d49ba3dca34564238b695e111763d9

SHA1
b9c00dd5b4cc6716212b98348c5aca84c098bb5a

SHA256
e23b3add15e385ab536f6428f24dbbb1f7544a5997cbc95dd49a92d7ad5af99b

SHA512
7fea83f54f7bf361f4e3e3dfbaa7608a13100703d2851c38228fc0a0f00cabcdf2ffe4c6e03d75c57ca433ce184d56a9c3e629bf795e22f6cf5e5140c05ac7b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
352B

MD5
58d8469d652cd4e524485e8e854f5234

SHA1
1e6918e1364597e6ed0aacad0c355bf9755a22e1

SHA256
c90e6808d17280ea47596f3210fdf0443d249f25cad7a584bb282ee3d72a0c10

SHA512
3bf01ebf7c7e1512ede172c3d2ed22f201ed381854a54fdf77f565edd070e4a6d2532c59100dd6ee75e00460ed978b867231bae96a7e3bdbcc04249a09e069c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
56fb4f7e3766e8e203523410d0e2e74d

SHA1
77bd095a02bad23965779732191a0a454c1d0bc2

SHA256
708e9c9406d9891a5d087ce56a6a9e6c5c92ac4acb74cc6620bc7055a503d116

SHA512
f6460bf7e7a0c26291db378cb6210ecda249d22cbcf89b0ac6d3da4bd44f2a0e7e15456799fcdc982cc7043f0d5380159e7603349cc5ce035fcc64e88231200b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
26d249994eec9bf0ee589d3eb4185288

SHA1
0c74779a5001b624058c07ea9a09f6f544e8ed6b

SHA256
fb8ac05dc3400d67f6bd330ab8ecdabd3ddcb5efe48d5986b2388016c1f1f0e8

SHA512
dc151ee035745c0e505f17154b7fb404ec4ff4d6d16407f0d51e35b775eaae0cd7f33d46e554a1a765018a08fd9666794185b1b6489971cf5419fdf7e3e5a059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
2339f21ae8722250fa2791096ef9c896

SHA1
fe1a007accfe5f21aa13968bcc55af0a282532d4

SHA256
7855ca288ee3200e4cf81af73508df5c4de915d9e0e7151b63f012fa3544fb23

SHA512
64f972bb20f219e5423e21eda2837f6aeed9b67d84e06d6f59561790efaa17c2adbae962334c716c35d0e220c4c68f32a4061de73f9a8cd01baad5713984b9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pt20dboe.mix.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_3264_BMXHAYLYEYJATOMF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1008-17-0x0000024632130000-0x000002463234C000-memory.dmp

Filesize
2.1MB

Download
memory/1008-18-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

Filesize
10.8MB

Download
memory/1008-14-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

Filesize
10.8MB

Download
memory/1008-13-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

Filesize
10.8MB

Download
memory/1008-12-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

Filesize
10.8MB

Download
memory/1008-11-0x0000024619AA0000-0x0000024619AC2000-memory.dmp

Filesize
136KB

Download
memory/1540-59-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

Filesize
10.8MB

Download
memory/1540-58-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

Filesize
10.8MB

Download
memory/1540-0-0x00007FFE378C3000-0x00007FFE378C5000-memory.dmp

Filesize
8KB

Download
memory/1540-1-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/1540-208-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

Filesize
10.8MB

Download
memory/1544-31-0x000001C64FE30000-0x000001C65004C000-memory.dmp

Filesize
2.1MB

Download