hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-

max time kernel
77s
max time network
78s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-05-2024 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590119302984379"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exechrome.exemsedge.exe

pid process

1576 msedge.exe
1576 msedge.exe
4916 msedge.exe
4916 msedge.exe
2960 chrome.exe
2960 chrome.exe
4772 msedge.exe
4772 msedge.exe
Suspicious behavior: LoadsDriver 10 IoCs

Processes:

pid

4
4
4
4
4
668
4
4
4
4

pid	process
1576	msedge.exe
1576	msedge.exe
4916	msedge.exe
4916	msedge.exe
2960	chrome.exe
2960	chrome.exe
4772	msedge.exe
4772	msedge.exe

pid
4
4
4
4
4
668
4
4
4
4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exechrome.exe

pid	process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exechrome.exe

pid	process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exechrome.exe

pid	process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4916 wrote to memory of 1392	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 1392	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 2980	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 1576	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 1576	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe
PID 4916 wrote to memory of 4108	4916	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff858d33cb8,0x7ff858d33cc8,0x7ff858d33cd8
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4268 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,15464138758303751526,9547632715313871125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8583ccc40,0x7ff8583ccc4c,0x7ff8583ccc58
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3716,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4316 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4584,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3816,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5172,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4768,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3440,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3336,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4300,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3768,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3416,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5168,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5124,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5316,i,11205590010054172909,3481758042835516945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:6008

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5a8057e6bbbebb289bd8224657440cc9

SHA1
d14fe87fe529292f7904e515927510f0d56cb0cf

SHA256
262ee189bf0458656b8e6094649a82268ae1f272c6b58e7df4219b2f10512539

SHA512
38820e29b55f5a4fa371daf3a7d9da56b72bb7616c1ddebb3f826de46a0ef192581a06adca80e3a156a99d653def4ecb39ecc0dc4eedd9181c9c8c7cb05ee75a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d1b234e5ec174bf51a3190bfab99237

SHA1
2acf83dcb3698e36e4f7cf9ff98a49e49d6fa35c

SHA256
c2540897b4842c759425973d58f935562058c7c47a9dfe5e529c0da6ccae3803

SHA512
e997478efa9ecae39492de26b1dbc659a599da800cda4c2fb9f4c1cc0d2c80a78f71a4a03906a5c0f3f969af34a22d2b9d6b2813ddd157c731204a2906ff5fc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8baf0ddfd949ab38def24db25d6d7db5

SHA1
03f47206cf3563f465b0fa36f674eccc9f21d84a

SHA256
dbc4c51e718862d2391cf9349f9fa7d77d7987973b20a300515357a1c985f987

SHA512
91550163616a254d5501c80731bf08cdfc18f0f4cdcddf6dadae7b17eaaf7a235953819dab8084abc3b7c2e6cedcb5e432f0c03ed95ec8b700d1880c9f7aa07a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
516e1a78e81385d1e443aaaa8231cd63

SHA1
af16c8242f283f744f16c37a4ff77bb5b74510d2

SHA256
95166424bb314ee41d9247296de73e2125fd093f93c8297ab59c64cf19e5e9d9

SHA512
8a20fc705ac94b3ddf394dc76343787e0a5b1162489614a266857cdbbb1c2b050ed5ffd3c743d7a37b28b206a87e4682f67d908a2ff1d7bf11734ba87530d588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8918f222f011718e32d27782ed22ff4

SHA1
939026798d2a4779a7a0f7d684a57ed6b34c4a61

SHA256
cb96f266d8c3cb2583b37e1ba04deb27974c94586a711a10c00541dec160e18a

SHA512
6a20c1c846a5a76eee5dad636c1d6c9822134e3ac0269d65eb7eb3250cf030f8350e6abf19f70eb50d9223e07558104a577fc3849a4543c7f8296d045d87d72d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
f15070e6d4bccda99d91fa5b29b3efe5

SHA1
4a2c8e4c600eb2a7d84563667ce99d4153ee0b6d

SHA256
08ea566294043f2dee189650e7845a160cfe2412a67492892f35dd1b367a12a6

SHA512
e3489a11e465bc48ee550bf5e7d998b2b9a713ba09697cf693dd941b94448dc7c65655c9adae452ed20f307e04edef1f89d8873a5bba86ffa4f0a52d57c5db5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
8ce5e02d5d72035fb2624f2791344215

SHA1
bdb08fa733bf9304cf83a7b90d47bd52e5b5fc4f

SHA256
d4e3f97d3f67ce534d9301dce84ae43fbcaacb6ad644677dcc78a46fe67e95c1

SHA512
ece7006c28ee053f033b331c4d0887566ffe3c8f9b594e89e593e29deb40c048b498ba04d6fdd7a7619cee62996480c38225d7c2fecdfb0bd469f2ebeb6c5dae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
d90febacb6f9d522aea60860ddb082ac

SHA1
0dda28a7fa14dd34795af30c2f6a3d4dea64f580

SHA256
4e254bdb087434f876d18d3e09eaa5cedd2d9da7392e16b8277dcad1357366b6

SHA512
f239b399bd2e79ecd41c6435bb26e9617d3cd33892efb982b17212115c902b38ec693f0f166fb751b45b20649468426740fbc6cf7511461e1f92d86753ba4f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a85ad170d758e61ae5648c9402be224

SHA1
e6dfce354b5e9719bc4b28a24bb8241fc433e16f

SHA256
af0da8b5ad8127ae0ef7773bc9c4b145ed3fe7fbef4c48278649e1e3aa5ce617

SHA512
641414d91c993f74b6b71654522359d606c7f94ac0fcca6478d1bc33c30f4a9fdb9ce6f8e281c79a2f9b9670fda8a4ccdd80e7d64347c1f66d8c9ef024bcb09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
22cececc69be16a1c696b62b4e66f90e

SHA1
b20b7f87f8bc64c1008b06a6528fc9c9da449c2f

SHA256
d940b85bc83f69e8370a801951eb6b8bb97efbb3aa427664105db76e44707258

SHA512
2b2e548f2c8f84d321ef2afdf31128065c3593b884ca8111b05800960b5378b99c7efa6165d02fba4c11e6e4b49b14e419d89f76d55ef574f4ac2b7d6ecb3d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1389f09da4418a4106d3be9c5fc6a472

SHA1
55a0dee7f4a2d54901147b7b008caec66d9565e6

SHA256
d87791aa04f319d4da89d5e5ea173ae33908969755c06fbd0c644f96fe421a4f

SHA512
f5afe68abb32a989aa9228df1bce8f476f53a361be9d80bb0526b0efae1b37ed5e3360cec61ad6519c145f822c105b1bee379023e3a514459099328deb8cea86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6fccf6886f25d34d04f5b1c286d01877

SHA1
448a89a43a4d5fc28ab2b03057ab8acdfdc56f78

SHA256
62d41f9d2aa93876970852f97d3d0d40c4cd78af2a2101d861abef35cbab8628

SHA512
f239a71382ec184f27a6993fd54a455dd19b2eded007f697ab6ad8ac7c4ee2e25ab4504aff0287b866729107fb4869c446fd290c13aeb5f61685cdbd3afd97a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
58fbb0efe637fae45f83f14d3495abe1

SHA1
cbb51d20c118d8218dff7aa62783d4e250af1ce0

SHA256
81cf56b7380b7f5888d67f22de53eff429108777559cfa5731e7a803ebf27a9c

SHA512
e573a0d95083ab17d1ccf5a54acc5f4b41e1d30d4c7e01468b0062903c24522e1cf2ba6f3da7fcfa08ee8b9d72afde525a9304169ca33e5c5254138d71ca7b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2b942aab12081a1abc55c52d2d53891c

SHA1
e70aa6ffcdcd31444b88e0f578775d05aa121cd9

SHA256
633b51ad28f7ef80bd8b42df489841247ffde0359422e508e6afd56ae2c2483a

SHA512
354ebce2830a8465a45a351417c1cc5436271e0d010b2b1431fd94519ec1319d2f4fae71d3c9620111a20bc192f0da04c2bd9bd5341432c7f1f206f2cb958255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\LOCAL\crashpad_4916_NWDXXNLBRVMLAKLC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit