xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
175s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/640-1-0x0000000000DB0000-0x0000000000DC6000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3428 powershell.exe
1988 powershell.exe
1600 powershell.exe
2308 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation sv.exe

resource	yara_rule
behavioral1/memory/640-1-0x0000000000DB0000-0x0000000000DC6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

pid	process
3428	powershell.exe
1988	powershell.exe
1600	powershell.exe
2308	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	sv.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 3 IoCs

Processes:

svhost.exesvhost.exesvhost.exe

pid process

2564 svhost.exe
1048 svhost.exe
2312 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2564	svhost.exe
1048	svhost.exe
2312	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643081697646765"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3992 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exechrome.exe

pid process

1988 powershell.exe
1988 powershell.exe
1600 powershell.exe
1600 powershell.exe
2308 powershell.exe
2308 powershell.exe
3428 powershell.exe
3428 powershell.exe
3932 chrome.exe
3932 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid process

3932 chrome.exe
3932 chrome.exe
3932 chrome.exe
3932 chrome.exe
3932 chrome.exe
3932 chrome.exe
3932 chrome.exe
3932 chrome.exe
3932 chrome.exe
3932 chrome.exe

pid	process
3992	schtasks.exe

pid	process
1988	powershell.exe
1988	powershell.exe
1600	powershell.exe
1600	powershell.exe
2308	powershell.exe
2308	powershell.exe
3428	powershell.exe
3428	powershell.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	640	sv.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	640	sv.exe
Token: SeDebugPrivilege	2564	svhost.exe
Token: SeDebugPrivilege	1048	svhost.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exechrome.exe

description	pid	process	target process
PID 640 wrote to memory of 1988	640	sv.exe	powershell.exe
PID 640 wrote to memory of 1988	640	sv.exe	powershell.exe
PID 640 wrote to memory of 1600	640	sv.exe	powershell.exe
PID 640 wrote to memory of 1600	640	sv.exe	powershell.exe
PID 640 wrote to memory of 2308	640	sv.exe	powershell.exe
PID 640 wrote to memory of 2308	640	sv.exe	powershell.exe
PID 640 wrote to memory of 3428	640	sv.exe	powershell.exe
PID 640 wrote to memory of 3428	640	sv.exe	powershell.exe
PID 640 wrote to memory of 3992	640	sv.exe	schtasks.exe
PID 640 wrote to memory of 3992	640	sv.exe	schtasks.exe
PID 3932 wrote to memory of 908	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 908	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 3900	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2260	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2260	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe
PID 3932 wrote to memory of 2804	3932	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0x104,0x128,0x7ffdb341ab58,0x7ffdb341ab68,0x7ffdb341ab78
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:2
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:8
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:8
2⤵
PID:324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:8
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4468 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4480 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3160 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4984 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3332 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4840 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4148 --field-trial-handle=1980,i,14485793629205496387,8684053467852628491,131072 /prefetch:1
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4b5077655832feb181756f0dc43a7e02

SHA1
35248001115e00c58c10f6d3bfc29a963dc7fb28

SHA256
d7903eb14bc320f6a1f84d60a5dd5a0fd223de9d6d836bab1b91e28a7af34e9e

SHA512
353e3c522c08c36e8e47c6c473d1817fe8cdaf0bac6dbb0c9198cdd1f4d9bcba69e1e8cedb1f34752e7b9100ccdf09af232cd4633eb64608599859af4763de8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
27353696f6ab4be9afef03646422b0bd

SHA1
0b99bcafb1b1dee109de188a8ac258272d6c8e2a

SHA256
d7ae9eabae88cf1a825ec180ed6ca54af684cf6bdd2732f98765dadbbcaacf6c

SHA512
be4fd5851d601c9afab160d71b061ba76f07a7adfa237fae0219eb9ea9155b01476690ae345bae2737f477a7ba62dbd2a5caf5bb704c9822b954f8c6bd746e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
3b15a9ce3141f40465f2ae75a6c48163

SHA1
ac616a83d728f0614fc67914994876d102af4895

SHA256
e1e86865839462499e0638cf7181951dbf659b878f7f852a11b024776a7b9d11

SHA512
84684b4e7a96dfe96d577138a21cd3d59c0187afcaae1a191adc299656537e815ce8b53ae2268ef64c52301f50469561f5965cf60b64bf89e94e6b61b3776803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
76692775e4781f0c9f0092f5804cfdb1

SHA1
6740e4e4110028c62282ee1e7eb8be576a2bc23a

SHA256
0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00

SHA512
6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wz2omofx.unl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_3932_ULBQABCBDZTJEUFZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-55-0x00007FFDB7280000-0x00007FFDB7D41000-memory.dmp

Filesize
10.8MB

Download
memory/640-59-0x00007FFDB7283000-0x00007FFDB7285000-memory.dmp

Filesize
8KB

Download
memory/640-60-0x00007FFDB7280000-0x00007FFDB7D41000-memory.dmp

Filesize
10.8MB

Download
memory/640-0-0x00007FFDB7283000-0x00007FFDB7285000-memory.dmp

Filesize
8KB

Download
memory/640-1-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

Filesize
88KB

Download
memory/1988-16-0x00007FFDB7280000-0x00007FFDB7D41000-memory.dmp

Filesize
10.8MB

Download
memory/1988-13-0x00007FFDB7280000-0x00007FFDB7D41000-memory.dmp

Filesize
10.8MB

Download
memory/1988-12-0x00007FFDB7280000-0x00007FFDB7D41000-memory.dmp

Filesize
10.8MB

Download
memory/1988-11-0x0000013A53430000-0x0000013A53452000-memory.dmp

Filesize
136KB

Download