xworm | 99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082

Resubmissions

01-07-2024 12:23

240701-pkp6tavcrm 10

01-07-2024 12:17

240701-pf8scs1dnf 10

01-07-2024 12:12

240701-pdbd3sthnj 10

01-07-2024 12:03

240701-n8evbatfll 10

Analysis

max time kernel
96s
max time network
276s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fix.exe
Size

35KB
MD5

83bbe29b99a54bad48074efb72ce1fcc
SHA1

421deeba13130a8eebacc8c7f48f28e6fe8485f2
SHA256

99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
SHA512

67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
SSDEEP

768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

20.ip.gl.ply.gg:53765

Mutex

JCfj6Aifpywc6Ul9

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2116-1-0x0000000000DC0000-0x0000000000DD0000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2780 powershell.exe
2812 powershell.exe
2528 powershell.exe
3044 powershell.exe

resource	yara_rule
behavioral2/memory/2116-1-0x0000000000DC0000-0x0000000000DD0000-memory.dmp	family_xworm

pid	process
2780	powershell.exe
2812	powershell.exe
2528	powershell.exe
3044	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fix.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

56 discord.com
57 discord.com
58 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
56	discord.com
57	discord.com
58	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exechrome.exe

pid process

3044 powershell.exe
2780 powershell.exe
2812 powershell.exe
2528 powershell.exe
1928 chrome.exe
1928 chrome.exe
1928 chrome.exe

pid	process
3044	powershell.exe
2780	powershell.exe
2812	powershell.exe
2528	powershell.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

fix.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2116	fix.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2116	fix.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fix.exechrome.exe

description	pid	process	target process
PID 2116 wrote to memory of 3044	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 3044	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 3044	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2780	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2780	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2780	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2812	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2812	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2812	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2528	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2528	2116	fix.exe	powershell.exe
PID 2116 wrote to memory of 2528	2116	fix.exe	powershell.exe
PID 1928 wrote to memory of 1792	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 1792	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 1792	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2768	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 1960	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 1960	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 1960	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2060	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2060	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2060	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2060	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2060	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2060	1928	chrome.exe	chrome.exe
PID 1928 wrote to memory of 2060	1928	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\shutdown.exe
shutdown.exe /f /r /t 0
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef889758,0x7feef889768,0x7feef889778
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:2
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2200 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:1
2⤵
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2208 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:1
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1416 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:2
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:1
2⤵
PID:276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3780 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2804 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3708 --field-trial-handle=1320,i,4160478891940419807,11667170182567054522,131072 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
PID:2840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
8073ebd47b5b8af19d1066cd4c669ba0

SHA1
f6cb429ec2051d7aa21cd9f8eee2442923654358

SHA256
00dadb56e83b8cb1c2e4c7cbd9f165309a6311924f7a6942a9bb4f93109c58fb

SHA512
811d57c7d6a092a34b7ac8a3428696c5d4fd1c25e876f43b784644f9c1551ed2226e2ab4331fbdef0d79ea7e01b8ae79d997cefd0b255235fae864e2281e858e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5928cc2536bbdfe2211251b17e9148e7

SHA1
396b2864b16f34cb9de83bc8c5582be74ddb1904

SHA256
5bfc326367abe9acf8101da2ca9a295dd16b8b862a62776cafb6e046484fbdd4

SHA512
4a96955394860fab85f14c0133b4163ce54a5796c9c63206a7d7842c90a0616916100f6e526622be96d0c41c2fd9208b2972682e1825209999e5a20d4bccdcaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cd1af82d2833c5d57da8846580d0fa83

SHA1
741525fd58ed0bd0460a18973b6cfa4e9a428565

SHA256
31590f1087058fec75a2e3d19117583401cc9cb447714b027d679144806befba

SHA512
9730ff0e870855c2911f26bedfc2597797408412521806d2ee7a03a7f658add964b6b016d6f118928a8a3be5b7da418e78d22d6fc74392691b4575e11b7325c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a62c1bfa0db37564275fba510eec7505

SHA1
86af30ecb7c6fd787948495d8ab4b36b3153416e

SHA256
81e8182141c9b4666f34ece55963f21ab2d9658e30ba280d17e68ebf5b559a98

SHA512
f57b48b173be6f52d64313e83d12308224f26ecac100754ca50c6f4fbf055e5f90b775015076ca07cad77fbd3065f1b04895a96e4cb248a278b45892b331c44b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d7af47ed39c7a7db7e2175c9307f74fa

SHA1
e9d9fe8593c408f21f700f58158a7f9dd916c68a

SHA256
35473ad174647b1b50da35b7238f03938e7b27b64bd8bc53d68fc2713c308cca

SHA512
f0da6de046de15be6b8420899d26790b8e5372431537f4d8b52dc6501a13e8887927944d74b81b78b32f91bcc0f73324df72012a52cde812894f09b8c487bd30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5701f334366184cbb7ab9f094778450f

SHA1
0a96dc674405b011698d44297918ef525b224ff8

SHA256
32ae387e4a4603ce8289af8f1b8f3d7b9c20538bfd8198982fa64d887b23f167

SHA512
1dd2bfe6e42a2a386f130436f47aa5a1acc605e9704a681d94d5114ec979e38d431f1f69ed6e6e54fee0d8e97f0a6351cd8e7b22f245d11462bb79b61efbb5f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
78f0006c4822855abe1c2400563803a7

SHA1
3af39131bf8d0954c77fae0397ebbbe13785f20e

SHA256
7ff0d4c231ffdeb9cf9ef80bb1abd42a264abb8a7af57c956d95d4fe742af1b7

SHA512
85364286eec562cf853b67a753ff3ffed4bc32b847f15609b050ccdc7e45c7b2a5c513924e8d92fcc1db2dff0db4812ce12f6e69fa522125107c3f28106fd80e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9751d13c-3f3b-4fd4-9a6b-8bf0fd02a2bc.tmp
Filesize
292KB

MD5
c2499dc869d248bda93eb3f2984bad26

SHA1
4bd9990519dd864cacb0bd6879bf90f47e0ff33f

SHA256
5dd0785155e7383e262e7bd6c3bed0b9cd3ca0e102e105af4088b9657fdc2957

SHA512
6da7fd067029db00b3c5f94c528010278b8cc328f0deddd9fb3bf0b74a58674ddaffc7ead4a93981d297e2fb8bf64b4b7f837cfbee0e15d686a60ab20a140725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
fb4e6f8cff9b94ba5c91be10b95e2c93

SHA1
ae07eed15a714a67025cc7c56860acf5f62f27a4

SHA256
5078808da1c18957f853762f5461c546bd9cb315d7b590371b11ba9630c68c6a

SHA512
16474eff7c79ecb82e41a666d574fdc9a6f3938d8905c67a062f38de02bd0daaf7e0a2b6a9459b6e49dfd6fb45a23678ae1e7e0c7b2f0590fa26433feb903eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
6e89aaf9bb41588fe753a0ffb9a33167

SHA1
fe8274f149ce4b76bfa371d0ef9eeb22c1f081d2

SHA256
6a7848eb7031034ebf19fb853f7578fcadbb751fe97d2302e908ea5fce54b8e3

SHA512
47fb78fe7295c6d59ab43a91249bc8339d49268ccea12690ca655b6ef4db9a8083d9b54f4211156eca6f96e0e071d190a46997aa2cb21250a3c93a1cad16e34c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d9d910d8d9a3f3f7d059870df23e7c0a

SHA1
90fc131e66aeb44a834c04e38e9eb87dbe43120f

SHA256
a8f095f0dd2cc9130451a24878f2c0491ed00c0f07248760ef57dd01fa1b1268

SHA512
06824b76e7159b0be9aa1b5ec540fcd55d3fea807d9ec63dc8538a0905eb602ecb12b276f0692ab6e1a127c16a82f02637b6acfe1b4c2d4329b1fbc316d2d6d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9186d82b4253e5c8d9f99b039028f8cc

SHA1
10fe1170d49fc4c8db44620325838be741b837ba

SHA256
fcb93a65b0fb985429d7087d4ca0bfb008b62316e77dd562ae62f045260e378e

SHA512
4aab2b8e7f66c61718b4b615e21d87f27f307ac7fa8314e40364efdabaa47ae6630767cac18c2a5c189f0b8ee1cc66b18536b8f28c39e06d1df766e7eaf254c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5e8d16d508447584a3663e04e7ced841

SHA1
81cfeb2688b1d1b0837a44789d362480653ac79d

SHA256
7d5cfb199485bdb11f8c31bac854cc796cbb3d537e8efb3e9a465324d260f3a9

SHA512
16cfe13c0c0a5e539dc11197454a301a0e8574dfdee69acd4edd7b5594c450abdf7b4d31465212680c8d9f6560863679714663e89c49a17daeb8ac25ac6804fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
bf3e6c3b23865ac7e836ab8a5f107a96

SHA1
377f8eddf69052e9b4050482af697c2b82f6a1c5

SHA256
00c8ef2de28bec5f174b02cade1d8de145f5c63f33596bdd0c8ad6d123076b9f

SHA512
7db5210e0b8ab7e4d2d379a15e3cbe1b4986f75c0035f3f7ee924667dfa91db4def9c979a25fc6ad2233821061b03656543ff06f3ee8e80ae919d0e3b5378e62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
d9eb28cbf90de1fb02f8a15d693d6409

SHA1
60ab52d6d15008eb6c0ddb547f8be5f94e94077f

SHA256
bc175c290515fd8eaf9a4d66d62fc589675cfb9aff930d8e38606b2cc13e51c9

SHA512
589cd8bd2cfc8435c02114d688443e71f26a546460da748437bf4e7618d116ea02217f45c4b2fbbd9c42f79dc7d9bd3d71a1815ea38636dd9b2081543b3c46c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
291KB

MD5
4a25e733f8c87b2b589d9d93f4ed1f2a

SHA1
2f14b345d506c08c2bb1cd8b1f5b1a00e3a51de2

SHA256
dddeef04cf9af0c25cda3943b8c362548b95953c3222b43e424fb1f9a536d24e

SHA512
592223b3e943f412d3d2d64e17a0ca28dac76e5eb7c5ab913e6a8089adb98bd834bd270de52a7ea441d20d26f73f1363d5e50b869cff91f1fb7e67533dae7706

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar36D0.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9c62e190d52a2e4c77756ef9883693a5

SHA1
d6da509761339bf0a75687b6dbeef8babd463e77

SHA256
14b11fd543b1c2bb075a25179041158e3806c9ffb6e0625b050a06f7d0dcaa00

SHA512
fe613db94cdb2578eccbbd2ea1e3067d3e38c59f254dcba341a48300963fcfc2e07cc6fbebc268f1ae960ee61f12a82b167671707c639dccbb41609f898e6a0f

Download Submit
\??\pipe\crashpad_1928_PQNZKIVLQZUAWFMK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2116-100-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/2116-72-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

Filesize
4KB

Download
memory/2116-27-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/2116-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

Filesize
4KB

Download
memory/2116-1-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/2780-15-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/2780-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/3044-7-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/3044-6-0x00000000021D0000-0x0000000002250000-memory.dmp

Filesize
512KB

Download
memory/3044-8-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads