xworm | hxxps://pastebin[.]com/kucx1UEf

Analysis

max time kernel
69s
max time network
68s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2025, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pastebin.com/kucx1UEf

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

104.168.32.88:4479

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000002ad32-241.dat	family_xworm
behavioral1/memory/2112-252-0x0000000000800000-0x000000000081A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
123	1552	chrome.exe

Executes dropped EXE 4 IoCs

pid	Process
4316	VC_redist.x64.exe
2112	svchost.exe
2648	VC_redist.x64.exe
1192	VC_redist.x64.exe

Loads dropped DLL 1 IoCs

pid	Process
1192	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VC_redist.x64.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884165226120641"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\kucx1UEf.txt:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\VC_redist.x64.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeDebugPrivilege	2112	svchost.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 4232	428	chrome.exe	81
PID 428 wrote to memory of 4232	428	chrome.exe	81
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1652	428	chrome.exe	82
PID 428 wrote to memory of 1552	428	chrome.exe	83
PID 428 wrote to memory of 1552	428	chrome.exe	83
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84
PID 428 wrote to memory of 1708	428	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pastebin.com/kucx1UEf
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafa70dcf8,0x7ffafa70dd04,0x7ffafa70dd10
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1884,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2180,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2220 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2344,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2488 /prefetch:13
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4148,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4200 /prefetch:9
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4804,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4976,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5152,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5352,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5852,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6224,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6236 /prefetch:14
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6356,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4708,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4132 /prefetch:14
  2⤵
  - NTFS ADS
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6256,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6704,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5060,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6720,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4652,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7132 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3884
- C:\Users\Admin\Downloads\VC_redist.x64.exe
  "C:\Users\Admin\Downloads\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  PID:4316
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe
    "C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2648
  - - C:\Windows\Temp\{17891A1F-9B39-41C0-8087-D483452F760B}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{17891A1F-9B39-41C0-8087-D483452F760B}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe" -burn.filehandle.attached=732 -burn.filehandle.self=736
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7116,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7360 /prefetch:14
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7356,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7240 /prefetch:14
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6140,i,10700150014789090413,8162319571732011390,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7384 /prefetch:14
  2⤵
  PID:1252

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4028

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2ea8cd227321926ac37b76bab7558953

SHA1
194864d954562d5c8d435262057e365ba8690124

SHA256
5a6e63e63dee72845e96162ad3fbf92a8812ccea37a2d7f824b8b584fd65fd0d

SHA512
8664ab6e7d93234d40c8a2f8d5a5b5424ec23e7ad5d790817df0f7e064c585b9b950b669b82632a6748954d57927446ec70a6ea20156b6660bc4b3d3ca098f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
6f74385e62e98d369b5f161c2a3c1edd

SHA1
8239d2ad3090769d398dd7b7a92dbd99dd4def02

SHA256
5925fa8d00b890925796dec06ac4177e6b362dbfa19497aa40b0a3797ba8fee1

SHA512
3ea2ae953fe58d5d37f257a0a169c70a8e2b6770449f2ec027d5236d5b596251baa9995a662bd967b65b08cf07a7b94cbbdd1e1481c730bc584138059eb5a94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
46a9fa71828b191e46f18c17e54188e8

SHA1
c5d472b7a58562e3ffba75881f1983b371cf0891

SHA256
30b3a35b10ed19ad9d814b011c0d207af79ab58ca6ff0a93fffa14839fb042e6

SHA512
58f5cafd7af771e4795cdc0e8d2f5eda756b0454ad823a0d71ea2f2d4dbe01a99b541106c4ec22d9c40f71985f48c2afaada7239f940707466b896f8e1e3d1be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8040b1abae9f3eb7ea9386c62d796501

SHA1
70d6bb28284207a1f3cd45ec9f58a78c9d2d5fab

SHA256
724fb6314682f39db225decec08c5ffa68863f12c36998950a0c012aace9f2a5

SHA512
8b799e48919fd9b3537deee9a4515b5a2da185012f44121c2fc403f3454838776399a37c1ada635788ab5ae9b9a490ca4fd2979799e6d4502194209890dfe01f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1f8e687152b22dbd64d653458c285308

SHA1
95e26580ffad90e69c865545c6d36ecdab407b13

SHA256
a673d3576a22c405b252d66fc7f20a2bb350d843b89f6c971f2621b5b9366dc1

SHA512
1667492d345ec8fd484f2814ef1173155e27490bf3f962be3948fe47e79ebfed188f1d4c0125eb35e1af8a0a0031b5e0eecbea23960508c37f96f2a40545848b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a8bb56ecfe871b00ae826bbd7b4a6fd0

SHA1
6a276534042dbb3960221f93b25f02c749a66145

SHA256
2b0bfc928ea1bb191367c5d9d0ee0f850c78fbd248395df56ad9feb64ee92090

SHA512
5078e3ee603f7e08f7d3537c2cd4bc7891f3550fdb3be0498c0cbfeb6baea202b756d1b7dae2053f3fd64e05e1249ca6150fd16b6fea350a8ccdb1fe21ca5f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
129f96c23dc4b7ffb0cce1413a2b59ad

SHA1
e72130b7187d1d8e57c1bca0266a2490febc87f3

SHA256
525a1578b1956ccf05dc8d11fbb500b03e4d6c08d9193a7a9a9e62ca70825ff0

SHA512
a34a02564e5d40a1383b28b6029466e660704552e9e9a77cb363977ee65fae17428de6ff583850b658ddeae7eb80c23a0a4a46c55f919522a9fe030754244a7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579e24.TMP

Filesize
48B

MD5
fea10afb6dcc609a70a45a3bee93452d

SHA1
32e253b988ad1e18f7c4204aed83e26fd87852ca

SHA256
637f90734f80356eaaf614279b38c29e0fd621a4bf6c372f04adcc07195628ea

SHA512
ac4a51ff1dab4378558b9ee8be7a0b3224346183719cbfd96ca8963567208c903930d4f0a3af8f2bad8ffa44d3cc3694d2317e5ca1809903edc8f8efd5808d14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir\the-real-index

Filesize
72B

MD5
ec1bb325e5588a291565bfc709737f81

SHA1
ca4c05d081da096e4d6415dbf266777e871b2cbd

SHA256
0f1a02abf6cca8e5e411679085cf4d04cc369ba330fe6fb4fa992b9a315f29dc

SHA512
f578b33da07dfbeff272e08b73da05f8a2c8a583fc6d16e13ee7c339935f7ff17011a0a6fe6c5684b9c7a2aee47dc9c6c499409df63e7156f25acd185bd4738f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
075bf536dbe3eff752523bffac1b344c

SHA1
26a26fc508a97ba0d727dd338f29dc063f31667b

SHA256
b6169b3142a164b97c7a991f2d2cf5bab0832f02847b2938b5b21ec4f04e7205

SHA512
900805139473311b801febcce008acf8115bb3cbbf5ece614b9d3a8d6aa538a40c789169072930fe4ed104a4f31a009a49b1abb3675cd93d3ce515b8ecde0fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
05afa75cc22e7922d24f9e287b6478ff

SHA1
e35b648c29d2a6d2688e2b1ad8390b3997e30f81

SHA256
451d45e4721a2f4f8360c4835210e90d42c865d6b07225940326d07a4dd66776

SHA512
0a4c34ac78c61220ac37fe3a93aa631bff7bbd66694d16154c5ad53a01e525ba0bdd51a6a2c9849dd48168bafb84a21970930f321bef50b2beb3a8ffdd055263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
49d621e1600b571259f79b3ccaa1744e

SHA1
79dfaf6745b7aed2dea20d5e931bfe1f0fe2dc63

SHA256
2ce37d2a4b2d775be01292338a75fcd82d48790aa3e04ddc8b3dfd90f4ea432e

SHA512
1b992471a98a94cac7734c1d6e334928bd20475e1d237b3632dc3acaaf0a89a53ea53e74cdb42106e405fccb35cc022124a59df1fc6497708bafd0f578dc84a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
5c14e74a12d6a351dbcc8d67081a7d17

SHA1
92db230261b0921bed0d6ad00b569047775bcdac

SHA256
f4ebeccce741c84da3eeaaf4f42cb83683f7e41ec7917c66aee30bc1ad128646

SHA512
0bb6b57400c10ced6f6039297a11e89d356436a42b8c80fcdf0f662a5cf2b86ef6b5af4c443bcedcc0650bb1fd184aa9853976ba4507f88b39723c4f1248dcbf

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\aeb9ef5f-b8f5-4155-8b67-326cd143c2f8.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe

Filesize
24.5MB

MD5
c0077fe61901918d4e99c9d631245c60

SHA1
89c70cc31f94bc1fba8b7b5394e2eb235bcbe34a

SHA256
8f9fb1b3cfe6e5092cf1225ecd6659dab7ce50b8bf935cb79bfede1f3c895240

SHA512
c021453f6dbc8e79c5b97ca1f5d717868e9124e503391cc133a76f10643e2b41043e47d98836f524938d581c610d5f887c710cd5e6c036dc8f868074e3759c8f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
81KB

MD5
acdd71e49f0624f8de316906632f37bc

SHA1
27901382113394036c44069994611a36193503c1

SHA256
0ceb4d0f8ad552aa499a71899b0607b402d550991e2f52fc0ce254902db7acc0

SHA512
6104534a92b4130f45dcbb7a83f99cc4fd9705c51b239c91ce297df374579314afc8fd4336ceb0119ee6918ea7d4acc6e98e73b13dbafa819f443112df182fa3

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe

Filesize
24.5MB

MD5
1e609672a0bdfbd37712c9a24fd4a245

SHA1
74f2f862572ab57aa4efd6d2c8556741f2cc6681

SHA256
5e63aa2150aeee2d7f634eeb8e4a6448b597e3ed6dac460085c13d489fdddf48

SHA512
590e6c2d6d4c57a82887cfb6b37bbf69df0c168d9ee0ea026310e6f38a719a1343423112e0f5d03d65a27333ce90c3623d008f45345f2e48c2c0794c68ef3845

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\kucx1UEf.txt:Zone.Identifier

Filesize
111B

MD5
84d37e4469c175f439e6aa33f3b09290

SHA1
2eb11a249fe934fafcdf27885f0504582ab9da16

SHA256
6d9aa33bd47a79a5f521d71edd010a8676c6af680ea9168530be08c985d86c30

SHA512
806270c88ca030079eef4eda619f03392e721e918e831e83d107a5011dee7c92df1cb576bb946f48c4e0506308c27a9ee8130edfe2a98b40f1cb5a0b10eb1ed0

Download Submit
C:\Windows\Temp\{17891A1F-9B39-41C0-8087-D483452F760B}\.cr\VC_redist.x64.exe

Filesize
670KB

MD5
beacb8e6c5675cfb54090616f4b3a319

SHA1
9651105490b5eebe4545aae2816abafbc2265b43

SHA256
bd25d6a5c9ef835802ba25100ce66c9402dbca74d309db5fbaefa1532af31d5a

SHA512
c36c145ebf2743770ce17b671fbf41708b232aaa5a7d159b91899b2e264024d50b91d450c2d6426a25cbb44aaacdba29ffa09481ccfcb579460a8d97363b863a

Download Submit
C:\Windows\Temp\{29320594-4FBE-4A8F-BC7A-B2F15CC29382}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{29320594-4FBE-4A8F-BC7A-B2F15CC29382}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
memory/2112-252-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/4316-235-0x0000000000A70000-0x0000000002302000-memory.dmp

Filesize
24.6MB

Download
memory/4316-234-0x00007FFAE46C3000-0x00007FFAE46C5000-memory.dmp

Filesize
8KB

Download