xworm | hxxps://drive[.]google[.]com/file/d/1mKwzI8VIHZAf6vS1gm2Ou5z1MatXhZJA/view?usp=sharing

Analysis

max time kernel
62s
max time network
63s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
02/04/2025, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1mKwzI8VIHZAf6vS1gm2Ou5z1MatXhZJA/view?usp=sharing

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

kakaschkee-48307.portmap.io:48307

Attributes

Install_directory
%AppData%
install_file
.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000028254-198.dat	family_xworm
behavioral1/memory/4524-209-0x0000000000F50000-0x0000000000F6C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	BootstrapperV1.11.exe

Executes dropped EXE 3 IoCs

pid	Process
4412	BootstrapperV1.11.exe
852	BootstrapperNew.exe
4524	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
8	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
98	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880690653251913"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
5472	7zFM.exe
5472	7zFM.exe
5472	7zFM.exe
5472	7zFM.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
5472	7zFM.exe
5472	7zFM.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
1336	chrome.exe
1336	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5472	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeRestorePrivilege	5472	7zFM.exe
Token: 35	5472	7zFM.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeSecurityPrivilege	5472	7zFM.exe
Token: SeShutdownPrivilege	1336	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
5472	7zFM.exe
5472	7zFM.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe
4504	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1836	1336	chrome.exe	82
PID 1336 wrote to memory of 1836	1336	chrome.exe	82
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 4496	1336	chrome.exe	83
PID 1336 wrote to memory of 3640	1336	chrome.exe	84
PID 1336 wrote to memory of 3640	1336	chrome.exe	84
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85
PID 1336 wrote to memory of 4316	1336	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1mKwzI8VIHZAf6vS1gm2Ou5z1MatXhZJA/view?usp=sharing
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x94,0x228,0x7ffb7378dcf8,0x7ffb7378dd04,0x7ffb7378dd10
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1924,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2224,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=1832,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4280 /prefetch:2
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4732,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5392,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5644,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5488,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6032,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=504,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6212,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6060,i,11021554858370544504,13124408337832345201,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:5456

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5300

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\BootstrapperV1.11.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5472
- C:\Users\Admin\AppData\Local\Temp\7zO0656CFB7\BootstrapperV1.11.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0656CFB7\BootstrapperV1.11.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Executes dropped EXE
    PID:852
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:4524

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
75cf629d6afc5356020d4c377f0cded6

SHA1
3645deb6ed3d02c164082a88002ffd777a125b03

SHA256
a7dd0b6703044642c383ff9e953627c066a56f936f9b7392af372370994c1f4d

SHA512
f0a7463c612a0c32689fdb45e507f58ccb57304e9e9697c18cc315b14b3919c11f685022f49aad4297bd502ad4b0e29fc4fd40e9a3828c4b62ec65f6221f889f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
549db2e9504462cbb824f3b8756b8c82

SHA1
adc6ceb3145838f46d4390362dff9d1980c19d5e

SHA256
1620daba197b20bcf1668db1283840335a0a5b187e7e4335c9330fa3fc73cac2

SHA512
3e147652e344b5cb01b45daf7b2a3b775f4bec0daa15103fef611707652fb6608f5a2d30a57f08b992f2cd5c4631993d21201f6880f89626f08cc947d1699ac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
460e1384ce7a5cc650d04db3949306b6

SHA1
493ea196f58c6a99f43f7a19697783a302f0f3f6

SHA256
2bfba3dd7b1619d3b37134999cf1d4accc45ff07bfcfea83f06bdadfac5192be

SHA512
2d954e88e4c944517be84eb5554fbae6ffd74429a159bc01b6d2a38e7d06d705557ed6a69c927ea21fa7ce6fcf9e9293f0c00563bd63d8e8ea3bf99777fdf41f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
73a1d4989740c0203ce6a4f467cce594

SHA1
c99a3504e94e5ecdf5e6b093578a7a2d919dbcf3

SHA256
45757297aaea23b3a9e7cbe4babdf1d4691590101c73a8e72ddae50da4df2371

SHA512
2bbd1fd58675f830981460e446463af4ebe374a999c8d561f8beeb2bc4751ed77152c213553de68280b5cb8054ed347acc11e3911fccf2855cd6f68bdd9035e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e4c5b41b86afca229eb66dea6685957a

SHA1
934d924736e4d73938b9800ee0718b23bfe102ee

SHA256
0892ef1a8489cfe3df125dc5df18270724b1275e10490b9731b6978183b810a2

SHA512
00c6bcc673291a4479909f3979f290988ad25404afbdb610db89d182feeb80d96b071513f433782dbd9c1bc6f5ff326145a7b7932a05e50b77db5e9519b936a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b8469d4794c4569204ca8af549b0c0c0

SHA1
d33a31fce1084b1d4a254ec3573d3acfcf4c1d6e

SHA256
3716a9d245ad9185cbc05dc231e96801a023e097313e204809d4474eea5e9774

SHA512
fa1db6846603e3e819ea50992cfebfd42c6d9e76452e759aae5ee12537f23ac6e7a150ca3d0a92765efe00b1017f2bb822037613741ea2d3593dfb87d2c79dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f3087b95bfe6377a32af742b863781c2

SHA1
61888d927cfb5287f0784b04fdc95a6b3983bde6

SHA256
ab0561be4f06193a32fba73b880e39b0db494d5a68cf288c9614bfcb8cbfb09a

SHA512
bc1e50730a4072122696aedf5433c6f95a6afe9988b17c693e29825a434a749947b9635eb1f684c23203a099941663f2252f75f388939ee2f948d5c0565c08e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c208.TMP

Filesize
48B

MD5
9f0dc55ba190ab4f26fc5fa051de9fbd

SHA1
bf725efcadc46dc10aae230b37242ce1f4d2b2da

SHA256
36314386c2fc726c4c2e820465bdef42037c15b93e73b03b55459802419ce5e5

SHA512
051fb9131890fee72667d9c8457c611cc2a88f1a79641b2f187aaac2d3490d3f56b38835258ed17f7856d9ad45ad183379767c5d7fff712f771b4938c3c6ac75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
ff8c534bf9215e0d35ef11df82522aed

SHA1
58a49fa84807eee342719a082808f370caf8a72d

SHA256
0b057b95aecdf07d4c1283161e60e09278d53e9cb923d41f68a45b2c86f0c5cc

SHA512
ca5412c2e936577bebbf111b4e9998d305107a7018f24398a57f9c7109d81918ea2a093e585ac8dfe78a18c8bd2af73c163cff1af9fd8c6aa2a4b6925b417d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
4baac83e4ff0b63f297ff5f6861ac303

SHA1
120af85ab8dd7671b03831d792144e30e89c1b2d

SHA256
71fa51fa3e520bc96d9cdfa1d66f63f005e174d0637fdcd7874270aec0b94c80

SHA512
2d1d2f3401f4bd5c03a5ff19f2fa1c54840d311c5765f88c4031303dfc0b73d782eb7f27503e23384759ed9550cca6efcee0c1a643a95e33901ef4820243b842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
5da4dc2d4a5e58f9ef462aed7922d134

SHA1
31473b8d3ab28eb4f9f62e035710ccf5745ebd84

SHA256
737876ed639b2d5e21b32c9b797f9312b0fc4fc65703b0e12cd44c3509ba0a0f

SHA512
9432d1cb3f5df519e2201a1d0f2acb2e1cc2a5b2b9e508976ec557b63224394a5a9203693ee6acee8b894832c28ae325c9fdbafe728a4c5db648d3b02280dd40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
7bd06f2f949d7460de05ae394d41525f

SHA1
595e0bd5166044defde6fd3c8e15125ecfc57223

SHA256
e8896a8da5e97a2d4cc6ac3222b85c504e8f0eb5eff66ce3d18bacb9d2dbdf5e

SHA512
0f9ee26f3cdb7d84444b2ed7f6b33a15d4551e670a2c77f60c45dc79f7c560558b0754c8951afb7ea543d683317d94ae89bea5ce5e82d5e7b8b802acc9c584d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0656CFB7\BootstrapperV1.11.exe

Filesize
2.8MB

MD5
31268948460e616e84f5b7866cf294db

SHA1
20cf4198bada3966a197bc9ecf18f4cbd942f5ef

SHA256
1896ec6f6ab2be494f77be6bf0b70e3cec9cebde64b318df66086684797f1d2b

SHA512
5e1214806ba19fd7f537f2fe1a274bff37fd0f977c42147901f9a7771aa04764ebfefe43e90acf7ddc614ba781709f08c8c298b6e227f7131fada9f7bb162c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
3.4MB

MD5
07b2ed9af56f55a999156738b17848df

SHA1
960e507c0ef860080b573c4e11a76328c8831d08

SHA256
73427b83bd00a8745e5182d2cdb3727e654ae9af5e42befc45903027f6606597

SHA512
3a982d1130b41e6c01943eee7fa546c3da95360afdad03bff434b9211201c80f22bd8bf79d065180010bc0659ee1e71febbfd750320d95811ee26a54ee1b34c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
86KB

MD5
174eb7c7dd9219f546f80b791da9566f

SHA1
fb6915c1539999e6ff456ab7b68b511f22eaaf84

SHA256
a4c484bee42028fdc1117d4458d75ff86ac0063370835ccf4cae90cd6b3d082f

SHA512
9fbc25db668acddbad25ea6f541c08072e5ad0630107a10f7e14b8318a630ca95ab2b8a004f278d8d3d67b4689353afea6b82ce3a7005b01530bd7207fe8ce30

Download Submit
C:\Users\Admin\Downloads\BootstrapperV1.11.rar.crdownload

Filesize
2.8MB

MD5
838d50ad4b2861523cfa1c8664a33caf

SHA1
3815401e5a0411be36844315ce2380bbafd7f348

SHA256
e1325fbecca6d1da2ddeeaa30ce0e6913e5575a948b7a00bee14f6bf3ac6ae03

SHA512
4e760dcc24f0829333c3a8a625e9b8077fb44f57b39f9b4142de9de336488931f9657160d3b0b73584da23f44ec2e0982ebb0254b5f009d80c6ae3d85b10756f

Download Submit
memory/852-211-0x000002145B910000-0x000002145B920000-memory.dmp

Filesize
64KB

Download
memory/852-222-0x000002147A8A0000-0x000002147A8A8000-memory.dmp

Filesize
32KB

Download
memory/852-210-0x000002145B130000-0x000002145B4A0000-memory.dmp

Filesize
3.4MB

Download
memory/852-212-0x0000021475A00000-0x0000021475A08000-memory.dmp

Filesize
32KB

Download
memory/852-213-0x000002147A0E0000-0x000002147A118000-memory.dmp

Filesize
224KB

Download
memory/852-214-0x000002147A0B0000-0x000002147A0BE000-memory.dmp

Filesize
56KB

Download
memory/852-215-0x000002147A7A0000-0x000002147A8A0000-memory.dmp

Filesize
1024KB

Download
memory/852-216-0x000002147A0C0000-0x000002147A0CA000-memory.dmp

Filesize
40KB

Download
memory/852-217-0x000002147A120000-0x000002147A146000-memory.dmp

Filesize
152KB

Download
memory/852-218-0x000002147A160000-0x000002147A168000-memory.dmp

Filesize
32KB

Download
memory/852-219-0x000002147A170000-0x000002147A186000-memory.dmp

Filesize
88KB

Download
memory/852-220-0x000002147A150000-0x000002147A15A000-memory.dmp

Filesize
40KB

Download
memory/852-221-0x000002147A0D0000-0x000002147A0DA000-memory.dmp

Filesize
40KB

Download
memory/4412-179-0x00000000004A0000-0x000000000076A000-memory.dmp

Filesize
2.8MB

Download
memory/4504-235-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-234-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-233-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-245-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-244-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-243-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-242-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-241-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-240-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4504-239-0x000002526FD60000-0x000002526FD61000-memory.dmp

Filesize
4KB

Download
memory/4524-209-0x0000000000F50000-0x0000000000F6C000-memory.dmp

Filesize
112KB

Download