toxiceye | d5b3402bdb244a4d5358830834e066ea4cd64f5e88bca8c5d35c99ac3128d833

Analysis

max time kernel
101s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
16-12-2023 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rgbslowerlogin.bat
Size

64KB
MD5

629c572046fba05f8809c6754ccb1588
SHA1

83753e26a0ab7939bd135917124b3c6718ae392d
SHA256

d5b3402bdb244a4d5358830834e066ea4cd64f5e88bca8c5d35c99ac3128d833
SHA512

934461f98a9f0daa7c390841f2f642e1f3fd633b0a14603bde705481e04d6c476d999f2d287b6c6047a00d1d0984c4edd32a5222db2528d72b94428455ff2af5
SSDEEP

384:clllllllllllllllllllllllllllllllllllll2:v

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Executes dropped EXE 3 IoCs

Processes:

win-xwarm-builder.exexwarm-rat-builder.exeUpdate.exe

pid process

1516 win-xwarm-builder.exe
4900 xwarm-rat-builder.exe
1936 Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3516 schtasks.exe
4636 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1376 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1320 tasklist.exe

pid	process
1516	win-xwarm-builder.exe
4900	xwarm-rat-builder.exe
1936	Update.exe

pid	process
3516	schtasks.exe
4636	schtasks.exe

pid	process
1376	timeout.exe

pid	process
1320	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exeUpdate.exe

pid process

1324 chrome.exe
1324 chrome.exe
3172 chrome.exe
3172 chrome.exe
1936 Update.exe
1936 Update.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exechrome.exe

pid process

1324 chrome.exe
1324 chrome.exe
1324 chrome.exe
3172 chrome.exe
3172 chrome.exe
3172 chrome.exe
3172 chrome.exe
3172 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exechrome.exe

pid	process
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

1936 Update.exe

pid	process
1936	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1324 wrote to memory of 3188	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 3188	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4948	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 2184	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 2184	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe
PID 1324 wrote to memory of 4084	1324	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rgbslowerlogin.bat"
1⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc25ab9758,0x7ffc25ab9768,0x7ffc25ab9778
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:2
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:1
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:1
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:8
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4016 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4672 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:1
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:8
2⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3680 --field-trial-handle=1808,i,12454915400238717138,3052311380251543122,131072 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc25ab9758,0x7ffc25ab9768,0x7ffc25ab9778
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:2
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:1
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4488 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:1
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4572 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:1
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5012 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:1
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3728 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1636 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 --field-trial-handle=1828,i,1264317425864840993,1950183989614294742,131072 /prefetch:8
2⤵
PID:3956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2344

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"
1⤵
PID:380

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"
2⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
"C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
3⤵
- Creates scheduled task(s)
PID:3516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCF80.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCF80.tmp.bat
3⤵
PID:1908

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
4⤵
- Delays execution with timeout.exe
PID:1376

C:\Users\Static\Update.exe
"Update.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
5⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 1516"
1⤵
- Enumerates processes with tasklist
PID:1320

C:\Windows\system32\find.exe
find ":"
1⤵
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
a6e8ddaf25aea83cdaf70aa1f81889e9

SHA1
135d02767163d5abbbe3c43d248cc282f917db5e

SHA256
194bd580031d069353a996878c16b849be4f65a7b8ae1f64d4910c1cea0bb859

SHA512
cab49f905cb90e14739f22539712b17629f7d6b523dd268bf50c955769421845ddbc186f8b0bee54967bf0bf5b9427b95bbe5e32e33726768b9fa63414b17bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
0908ee0957be398ebbbc8a03d8ee5a95

SHA1
3428af31c16be67d7945afcc3fb5a4fc73aa0136

SHA256
989c446ce789872265e62b3bd837ed14dacbc05c7f7d581af6e270ebbb2edad1

SHA512
5f31f1689aba159ce8691f0742968f8e8cca54f8289549b9e0970fb375fb781b33db31af1313af4e9440096ea6f3ffb7e226ed692c1b05d8e1c4af77539ee21b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
e435094e77847ed6f4616dbe035fb5d5

SHA1
916466d516ca8a9214385675e8364b218cbc935a

SHA256
afacadbdb9478ce625dd4fedcd29957e6d1d4d5d92b09844f322d70dc436cfba

SHA512
83332ed169bbdf4f2a2addf1058f51716a434aceb11b5bcca4e19351114bc6a9b601bdbd7bc009fdf21f2eb645cde3903643bebec2842791d1b4e32776c6e74f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
Filesize
1.0MB

MD5
83169109276c4ec953f0e254058b0925

SHA1
16b918e29e47ca2f8b418817f0ddb604a243eca8

SHA256
b3174d4e33bf9931c5f2c48d4a389bdd5b6479a02bd58dd82bf96d20707d0052

SHA512
2641b1c6fac6fa2025540e24d12c5d7db7a42553274a59d7fb3852c3f75cae942e435b40b352647b7ecf4e77028319ff2b0af3a1c83606652f57305e463381ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
3f82891005ddaaf3147c67e36d5715ea

SHA1
f2a89d6f21e08c6179590ffde4cba215191fc819

SHA256
0bc088a43e973fa059b5720c83bbd1531cdfd239c1202c46cf7c353f130032a4

SHA512
c0fd0a185b46deafa409ffb49f89d0a90132e591c0372e4a4c947842443850aa48af2b724d8473e55e2bb1caa4a03bba682963fb1997db4f80268b62c6383ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
36KB

MD5
a03779565f6842e45d396bcfcc799d08

SHA1
63236dfcbd95e66300f6375b74503c6b656bbf72

SHA256
8f8d5797862cff951dc4c6b9098adeab2693a8578fd4510ee24c25f433d375a5

SHA512
cee99af0547b46668efefc6ce5951c62e0541e93cbf1a88bfd7702d4616c7873947912cd5e930a9eb96b5456b13de46a08e8d841bd6020a46bb9736254cd1a83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
0706d2d221afbcfd6dcd9dca18a724bd

SHA1
c5a3c1dd67246da29fa393eeb860be9f2fd0a366

SHA256
db2e65a26f1c5440df97e3e4956a9a178e95d7d4146b9b1727beb1be0fb143c5

SHA512
1f0ae2fdfddc35cc21843907f30637c8f93100ae47d85811c84f4acd42912c4caca8393ef298eb55de5b4e74a4a6f6d63907fbcb7478e77a6f2fe4ab192b29ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Filesize
317B

MD5
1b5255874d00f08dd55a296fcea9282d

SHA1
ee745398c32860e3c9c68037dda1874a6950618b

SHA256
75bf9d414654ec513ebb2cc28b92b363775587e228b8a9532fe916cd45293eda

SHA512
f83f0f7756cb6d13d9d74993b1fde1c8acdd4441b6a88fbf9fbc011972fbfe490cee230e3ac0e70014833e622d31020a294d54eca7e6240451ee418c4d489b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
329B

MD5
a04b635e54e319c03e88998f5d4fb00d

SHA1
4bb975d038dc6b4f2edcc623d627dc14c3d8b097

SHA256
bc8acb305bf21c3cd38eeae9e1bc664ded0d7776ea1120fe9c211e756b8f821e

SHA512
b42d4488a793363e4eb3c4b4d3eb5afa90d65959cc443ee309221e44d8d4a0981efedd609aaa70a861f17f2c4dc47800ec706484ec47cbc504f0a90f3951c81b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
3b6e3ddb6814facbed7408c83603aa57

SHA1
80e40cd2f29f1f7036bd15c2ecc7c602a8f499b8

SHA256
f160bcaddf0d4b60182b51103b5cf98fca1d25f9a2442ef8abe55a005faa5d51

SHA512
b9343dab77d482c6d3bdd46c8047fabac5d50de23246d3e8bc0949a16dbd1bb9ce624fca6af9c1bbe69550d94c5152dec10022970bda6145094393615cf38319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
69dd034234f6a29f0b7f8bd8bdabb4f2

SHA1
68ef91aa237d97aac0c2cc1caee164ea6d25936b

SHA256
ff336a9a65991508946581c2b6743efb66619c93ca0a4dac82538f304505738a

SHA512
5b544b2d15a3249b0aa6021c423cdeda6892437fae2d1bb99209a6f84cc38c7c394d0a05d9b1415e30d1e91836d1b7288efeb09eb611dfe84d82a2d4d518c7d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL
Filesize
36KB

MD5
90f1156321430659da3ffc2be6835fe9

SHA1
5e279a55c537fc0da5dbca588a6f955eeae6ae54

SHA256
80af71c32df0e610927131b1692d9552a55b2f5b042e64cf8f2bb20e88664a3a

SHA512
57ac7bae00bf7071b1abeba569839abd15b060db33b91e4561bcdc7f264d493206bbb11fe050e2cefe2bafdc5aaf1d3fc4a57654c7d97624d31500267c02be41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ae9f85ba07c974451581ce8b0bc170d9

SHA1
2abaee1f0de6c59a51369c68fbf30c34a8ab245d

SHA256
d871462ab005f78552dd828edeb6306d1d3fd101055f5bce6443e95a8b9dd4ac

SHA512
5d08668934d8351044d62a916d4ff819b1f0f4362ba727d2738a94d9174331d78564f2188c7263213f2b26892b8fa506bbe57cc2f33eb2019a4ff4248c144568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2954d63550d40601ae8acc5494ae251f

SHA1
0433c4986f8a27073549a297b91ce5bffaed21c1

SHA256
691a9229568a2aea711205e3143253f07d7499e50f8100402ed51eaf311e7cc8

SHA512
edf2cdd1fac90dc9044b2a7fc6c8ddded17b4ec6303cd22c31410919c3e8b912e7f8913139c6924dfc0f4b9a49289bec758112b7ee2a5b65c44fb71c071d2621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
c3569b41efe7b9004620fd7401402d1f

SHA1
874ecce163eaef90ba4b55e76269fdc50e4d594d

SHA256
5c27eb81ed007c32cca1c3b6dcfcd71e8f75965065800700b992dce8abe71959

SHA512
cdf56935f496249e5ff6dfc1f2373592a03bf837aab6ab7614ea23f8bfcd81abfbf696dabfabf6e53716cbfdf630bf308504ae9a572790a2c81be8c6008ddadc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ce4de98c1e8acb75a8c1ac95ad925434

SHA1
343525295b0431faec8b7c308ecabc9879ebfdc8

SHA256
bbf88c61d5aed82127151682a57c9beab9abeaf129f47e2fbcf58d9b197afdec

SHA512
44679eb22849bbf4d7751e50d786288d589e38aeec204f8f3bedd279f701dfa656c987edbf8b2d1964607e45143742d53d0a0386c1a0937944842039665cabd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
82381e3c32a202b20a6db9675b822516

SHA1
b4940d4b9eef84bb307572cf3a0a647e17bb3bd8

SHA256
aaa8b2f6c16894f712126242b2a9923a75471f86c46da862ceee28eaf11dbe60

SHA512
9c7f084f22b3ea92d18a1e0b507ca0f93041ce622680216a93d728a8a86ba16232aff7398a7b658e2d85c9773d6b58ba8c46fedab1ced4bfcd31873e08e12c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
bc450e9e513c496171840db172baf317

SHA1
1fed4cc4f5b9497c11bfceceecdd191674dc3469

SHA256
844e813a23c19f93a6070898d750f44e3808647a8477ada802b3684babe600bc

SHA512
6b40f02a7ad23045caa4cc83e110baa0811a3b24b09c519edfbaf431b7bfedb2cbf65eaa4cd35b6a44ff7a6ee7f6766b9f563988fde5373ca4ec9a03272c193c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
aa10e72ffe9f5e3bce2d9ece0f2abeab

SHA1
258178497768a62d378d633ab7cb33e678b00f9f

SHA256
f448d08da6ca2180afa616313896a138fb6a81d22a5ce84c2cd7ca47c3c1cecc

SHA512
d9fa2a2ef8acfea58be34caa667ebb79ab6b1731ce1cc6c55ee6920e06eb116a59875988d905df8adad66a527ed93bda0cd11d9d638239f22c75a72cb8a07d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d6ff79061c3cbd05f70be55514e46cab

SHA1
38e6f2c8bd8079d473665db2477f5e80b11e4e98

SHA256
67f39ae4f5c851f32e2217211835041b2e09ac2dfb9a9727b5f7ace546e7a2ea

SHA512
b3e0c8909138cb685280869ce94d11191c426503bcdb3c34f551a0843dc573c0d1a574bf765c2cd0adc129d279cd7ae34a2a5144d578965ceff26870ef58dae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
843917db829af1e6e0b08f76c05e6956

SHA1
1f4832640697d99e8a00abf7c77bad6703c6f984

SHA256
0ad0f4bb38e4824a89215f9f7b4179ed3be62f82c9ff0bcf176f01afdf6d4dd1

SHA512
04954c3163eb7fd4702048f0c9d3a15d6cffde7e9fac15c12ddc79552bf625dfc04900514ad0610a745a855b636795056edf5f8a0f37de8a51413ccdae91d195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a1b077c3505f0a83f617a579120f6f02

SHA1
6854b8232a478de62b489020369566d61ff441b7

SHA256
9670e69b1eda0e94b63db6cd20380d67263abdd2aac52f30bc9616b715b267e5

SHA512
b66f5e2f16950f6258297ac5f5746f04f7406bd0349717315b90bec1b3310b7a675a779931ce15d806b67bb2b04803887ee763191eb5a1bfd4f953652fa8595c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
11f087e6546c00ee9f7bccf5b9501f2c

SHA1
d6cf3e5eb87ad1b84bb2bc2e0eee7b828db0979f

SHA256
fc1bc7e48e6e29314ba17472c41c23d9319f2b78b9e5f02bb352c297366d2e57

SHA512
22e9e494efe1813e4bcdaaf9f6504824d871ed13c4efd632f3bfbe81eee7d8bedfc6fc7880acf88c1cb25f5ee78d3c9d5b52f9f23a61caac541c973efdd7720a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\metadata
Filesize
1KB

MD5
0bb88b46bd0b69da906f81bf22f807e2

SHA1
823f3144cdbad1fb5308d3a3f6015bebb7649e21

SHA256
a6af878729c81051ec6ebaf8a971ff08ddca688f954f831df7974e29b96ca6c1

SHA512
eac4ed58a46833c397983eebfb9e2ce0ad888335d540b2497fe3b7edc201df56f96b2654ee9bf3f48bc045cd8b4592fa059ad8961bcfcffc515e4c7a8b9fe6c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
Filesize
232B

MD5
8a30a1fdd0459d9ea8b1e78a8e636856

SHA1
9d7225e97f9cfcfb225cfbfd0b0bba21d4efdd20

SHA256
88fe1d31608930f2738d102d45c75dc77acdf01a1b69bfb7e7c0281575b75e33

SHA512
b529bce870cd8165bf82f3ebf94f07552467bd0993b9d35145182e54e26fb2ae8e7bb167d88267b632757e2146f27dfddf8867db0c66e5dcc306db12ec6b7bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
Filesize
317B

MD5
ac67bce12d4caa66d0a1d87f508f5fd9

SHA1
92f6a0b57e5cf045dd07b57e4aa2f599fd34f4d9

SHA256
41c0362f64a964418d3ff5a1c397d9bbae220315dafb9a514fb119efd66981a0

SHA512
3bfc25a677aa8165a52a3e40f37f09c537e0fc1e4fec84e37c23e560c9d6c26e824a4351b58223593234b364ca5b3e02db8acbd55c768f932a83a5d3d0860715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13347176638220263
Filesize
3KB

MD5
c4f33abd6d9344235f8a7486595041f1

SHA1
13db048d99467eb7f0488921865ae5c17aa0c383

SHA256
e6974f704612c6880915941f9426ab48da187cf97960b27b620ee4b105317a97

SHA512
af50ec38556488ba44730617cdb0db1bcaa19350563957476ffff4b28dc8d96256953a054a202aa27ad19fe25b6db3573a0f8e4dbf047f06201c1f797c6ed182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
345B

MD5
f62cf76f963216fe3c75d04eae9331da

SHA1
3ee774183c576ba831a2b1d6a8b0a1cd3649c2ae

SHA256
0247a967ae2c3c0746c930057410f165c930a9f12b5e028a6b022c3f347cfb8d

SHA512
6b76cccd5b517666b6a721a90d0cc703bb690e98dc98f993f92f587a1cfe8374fa1b219a098ee7541cb326b1c1aedf080500a93a849857bd8f29931ee452c8f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
324B

MD5
3f0764bcdb01770334617fd947429d16

SHA1
0eecdd1a172c6a6125634a95959500b5a99e3781

SHA256
6f0c7f5a601b00538a2d3b8f15e47eaff86bf3129542d24296285dad1b4b4bf2

SHA512
fa131b81159bcac519d9167dfbd5b0811b05a2013fbf8f15f57df37f40c09a747a9f164052ce7b6d121554e2305dec3dc353f0fd9ef056545b37b7978b56275f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
Filesize
836B

MD5
2d28591dfdaaca14baa34b1f66ed6601

SHA1
0d9438f017a8c8550cd5f3e427694e9a0937841e

SHA256
056a9f0e26e74d4dd1e3a14beefcd5e6402766aa2457fcaf0f853c2b11dfc33b

SHA512
61cbcac2cce81dfa3d3dc2c3420a1214b1d12d5574a08c864a1833792bee80fab8f1857e333732838f460ddb8f47e852bfe594a3524fd6a445f8b5d08b43f697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
Filesize
317B

MD5
ba5d4754b9b58c3ab6a7043959aa2719

SHA1
5b94e2689f56aa03588800548f7ba14409a7bf73

SHA256
12003e30d593fc8c35050059cfcf6921977946b7495744f6c430b50f1fdf2f3d

SHA512
8f2ba32ad949a01529da51dbbb52176bdab8a7a91459e8f8276c936ccbdf82c490671a460a995820f54751065ac5dac9f24436c54c067cb206c08536a4b4c62e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
889B

MD5
fb6b6be754bb614a556bf410f62cd37b

SHA1
0358665458998e873f66c492f9aebb2ceb8d69df

SHA256
d41ea7997cef55636c98f8e5b5c3c5f2ebe5427d1f64e0a546fed3912d9ba341

SHA512
2686487a1ad628dacde8855b4d130bbeaee889374105129b461fcddd10ef5f5d263b6b48bc37d946d41d1c2b5327e7845dfdeb89c8b8c36425886bf15e7171fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
Filesize
335B

MD5
a07067a6f0f12554595df86caae28a52

SHA1
e125c075ff46f0f688c91e3bb79b7c14e0367d6d

SHA256
159894c6eca0e69293db009f2c0349a055c38e642791711232f5b4abdc7c1ce4

SHA512
ecb6bc6c4d6a38648727797e93fe933139c93cd2cf5cec70dd0bdd117365be82f02a03ee9c60ef74442407a1a088453e78b264c1df1abd8b43f55bd8acf8c603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
Filesize
44KB

MD5
680179528cb48ae9efd68e5c7b803ead

SHA1
4fcc71aff5cb2dd4538a9d3df3f9f901ed25307e

SHA256
a744707907b6a5930df632e4efc823ccf50c6c7438b78cb473fe85f524da3c71

SHA512
6f655d69f97de06691f7dd01c6e95c410465183b5aa6fb7f8de77350da71394a42206f95683fb77cb0a805727076d5f8083d54c26f6f6db14223ffe6f19c0229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
6d30d61239514da39c47fbc4218b7042

SHA1
a25067aab9dabdcdfd02db196f9053905290b97b

SHA256
0304c78398b0113383d5d357aa0a2e35ad6d7ca75126fda66ce0c8bf4d523544

SHA512
33f55daddef8c7957abf6723578269a4600c384faf3ea4e820af5d8d0776f910c3b67faba2402bb9b4b9e4b281d15e047cc43168b5890d5be4aedfb29d4ee453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3
Filesize
4.0MB

MD5
a21e6a6f0ee60c512df1ff90776d23e2

SHA1
7fdcd43347d95f94c3802d6bedb3e75384c5ec1c

SHA256
acc08033d76f5d30af159cc08ca21d82b604a45a4aa4b3e7c92207dbf30dc50e

SHA512
599549a9ee603eb47332e52f49c50bfb8a9a334f2bcda63ef3f421329e0c96ee3994f1bc9ebb400650cdc2e56bf600bbad1ee7e41f18d118d658d0ec2dad3d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
224KB

MD5
ecf44c677e917f381e1e067a7354ee93

SHA1
fdea6f0e4edc5f6d3df1a7f34145722ed1273e28

SHA256
e9e6a1e83ab16fee2f5d1b77887b99493088fb52e3c6ec682b0ac2ef6af69c85

SHA512
48be8f310664b0f4b0f26dfd1d8c87d63e95c97fb50e82f82409e70776e487c8694f8bae7674452ef0558a3dadce63ec468eb73fe94895bf835890cb20f2b9a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
5279cbca05c3a91c5501abf1c0dd6709

SHA1
e8b74cbd6774c52245d55b45ab8087a4aebe2ddc

SHA256
7140199ef86dd1929c441bd9b7ead8b607114ba99326d83c7ff4bce0ec9f1f95

SHA512
08f48b03ff14b11021fa8ad42f4db78af2d3a22f434708dca0149482f616ecea3f73dc2ae6dd2fc2b2e6bd9acb9b918d7893f9afd2b18fb4dbca693bbc8deaac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
aa7411860e74c48195c02dc70f09a0be

SHA1
bfafddbe97d9c4a036353d455473bc9de41d74f2

SHA256
496ada22f363122b0be657345772b753bfa5298df3c43020342a9a550a68e594

SHA512
b6f8c61c7b6e22e2676e547e072e368b6b672bb2859dc6215b77e1ffd10158dda2ac0e21974c55939d7eb0d14ded9ee9f48a036428c5a3748f8679620ce78559

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588ad6.TMP
Filesize
89KB

MD5
356835f298c811a633cb38c2391f6c92

SHA1
8e9e1fad90f0c17044bd9e0849328140f8dc2cc0

SHA256
d2ebe29c080cc7bfdd2dd968112d33397410cf442f768317d1fb98166b49a564

SHA512
650a310ac4e4147de17d3bf8ebad23dca9a171d481cc8589afed19dd7eb5deaa4fde1e79e77a11fcb94e61868ba40d8a17703a6a539b5649dc356de1b80ae9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
Filesize
3B

MD5
db720b90a30ed146e74f080ffeac6e53

SHA1
73fb69e391ad8cff0849ba14bd67790915a92ce7

SHA256
0a9548a6a77b407392da69492275d84951dd451e29c71f509e0003d2f5598be6

SHA512
5d4a3767d728c9f7e5fd67900cf084e26dd6194de58ae61a17d6c97c12d01dba6d4c2bc421e1aee0857b0f2e8963d4a2d54bf1d10ae9ee42a1c442a93366c194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
Filesize
127KB

MD5
f6f686df785d0abdc66d1f90fa508c4b

SHA1
75f348132001df30cbad9c7cae2e2072fcaca38e

SHA256
61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

SHA512
7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
Filesize
4.2MB

MD5
ad2eae7e4e6a94e4133b258b8daef74f

SHA1
a7d7ebc70c5571fe9ff653e95449a5e7d6103fc0

SHA256
1414d239c1bc7d0d555763ec716f13d0d64f2ccc3cb07221f2e1a5fca1e0c2b5

SHA512
6b2e0a8bfd1020192098926b9dd6f48e6a016fd8fd80e32ad4a80e883faafdc0f3015cf8fb2488fa570789078a8a36c78c9bf36fb938993e652fa5c7e97dd922

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
Filesize
4.6MB

MD5
204f9eb186296868d8abffecbf988595

SHA1
4c7ee5d6af87328a83c0c25319b4df3414f86e62

SHA256
414fb6f113a0985262d50831e091616af813a13c307a8f98c83e529e9d761953

SHA512
c5cbcd0b8bc086f275f7d889315c7197a0ced8cde2b7ffdcc868af14bfc49ae90bb68b0e49407a50c989bb8f16a9f784825ff0f4b0fab175e2d493f54dfeb78c

Download Submit
\??\pipe\crashpad_1324_RTQDENVUFEOEJEVT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/380-575-0x00007FFC11130000-0x00007FFC11BF2000-memory.dmp

Filesize
10.8MB

Download
memory/380-597-0x000001BF4AF10000-0x000001BF4AF1A000-memory.dmp

Filesize
40KB

Download
memory/380-562-0x000001BF306E0000-0x000001BF307CE000-memory.dmp

Filesize
952KB

Download
memory/380-590-0x000001BF30BF0000-0x000001BF30C00000-memory.dmp

Filesize
64KB

Download
memory/380-600-0x00007FFC11130000-0x00007FFC11BF2000-memory.dmp

Filesize
10.8MB

Download
memory/380-584-0x000001BF32670000-0x000001BF32690000-memory.dmp

Filesize
128KB

Download
memory/1516-586-0x0000020267A40000-0x0000020267A66000-memory.dmp

Filesize
152KB

Download
memory/1516-587-0x00007FFC11130000-0x00007FFC11BF2000-memory.dmp

Filesize
10.8MB

Download
memory/1516-604-0x00007FFC11130000-0x00007FFC11BF2000-memory.dmp

Filesize
10.8MB

Download
memory/1516-591-0x0000020269960000-0x0000020269970000-memory.dmp

Filesize
64KB

Download
memory/1936-606-0x00007FFC11130000-0x00007FFC11BF2000-memory.dmp

Filesize
10.8MB

Download
memory/1936-607-0x000002E1EFCB0000-0x000002E1EFCC0000-memory.dmp

Filesize
64KB

Download
memory/4900-594-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/4900-596-0x0000000005940000-0x0000000005996000-memory.dmp

Filesize
344KB

Download
memory/4900-595-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/4900-599-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4900-598-0x0000000008AC0000-0x0000000008B26000-memory.dmp

Filesize
408KB

Download
memory/4900-593-0x0000000005D60000-0x0000000006306000-memory.dmp

Filesize
5.6MB

Download
memory/4900-592-0x0000000005660000-0x00000000056FC000-memory.dmp

Filesize
624KB

Download
memory/4900-588-0x0000000074CB0000-0x0000000075461000-memory.dmp

Filesize
7.7MB

Download
memory/4900-589-0x0000000000660000-0x0000000000CF2000-memory.dmp

Filesize
6.6MB

Download