xworm | 0a8d2126b0c87236de91167ebec0a0fb13bd12dc4032af3cae18053b76512e10

Analysis

max time kernel
101s
max time network
560s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.txt
Size

274KB
MD5

f56de06a0223dccfa4f5091d189e6055
SHA1

41ffd54a745be7df1e26bd1eff1cbc5d1d028b5a
SHA256

0a8d2126b0c87236de91167ebec0a0fb13bd12dc4032af3cae18053b76512e10
SHA512

f98d10642acb8e0698d88413bb7782c18c0b4f9185c50202d5412ebff8fc1a6a9309f4e2db8afc5bcae08a28d6ef19c17d1c95cca91c91b941fe4c41c77c0c14
SSDEEP

6144:NJo3U357Z0NJYSUPVL89vHaJo3U357Z0NJYSUPVL89vHi:ro3U3573o3U357D

Score

10^/10

xworm discovery rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001a49f-321.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2268	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2488	chrome.exe
2488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2924	2488	chrome.exe	31
PID 2488 wrote to memory of 2924	2488	chrome.exe	31
PID 2488 wrote to memory of 2924	2488	chrome.exe	31
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 1452	2488	chrome.exe	33
PID 2488 wrote to memory of 2492	2488	chrome.exe	34
PID 2488 wrote to memory of 2492	2488	chrome.exe	34
PID 2488 wrote to memory of 2492	2488	chrome.exe	34
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35
PID 2488 wrote to memory of 2564	2488	chrome.exe	35

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\download.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb989758,0x7fefb989768,0x7fefb989778
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:2
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1496 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:2
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1280 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4044 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2640 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2352 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4120 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1656 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1112 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2420 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1088 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3448 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=724 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4276 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2360 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4320 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4548 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3780 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4292 --field-trial-handle=1252,i,4681472102498449894,12561060239101017118,131072 /prefetch:8
  2⤵
  PID:2212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2508

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0b3a2adf-8743-42a3-bfa7-ddf9ba6ead64.tmp

Filesize
5KB

MD5
932e6488c69d9b50048b6394f31c0f61

SHA1
b37c5ffa6be8b4419c08f3bc40b3d4a305cf4a61

SHA256
b1016ecbeb699121c3bd3b86b74343c768408adfb7e0c49198412a2be7892ce4

SHA512
6c44caf201dcb653606e9620855ab925bebbb4cea15c86e72d50b896b2997cab8a23285e527121adea0c9e667560b515c2bef19d8877cfac0dcb1f1f38624aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1bb382cc-b1a6-42cf-a02d-ec35d7f119b3.tmp

Filesize
5KB

MD5
f40ee0c851a66544dd79f5b14eaca538

SHA1
3753c59368232e7f17b4bf8ff1eec554ab6bbaeb

SHA256
46f936406437b91be4e9618fd18b253dc7cfb635690204ccbb524f7970c689f7

SHA512
7dac1af437816be18d8cc224c079de67067ab363e64405dadf4402b3e81b29128d56aaa123ec244f9609eb6bf0fbb0d309a4732007663948fddf21257bcf7aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
214KB

MD5
94b1e1418589b493473f77781adb4ddd

SHA1
a2646cdd1d0346e5bac8ca77de50729ccae0aefc

SHA256
b8cc7e5a5d6e29746aa50ac146ecd880481a0e336145d7d5056281d88b91c2d8

SHA512
25840fa762cede5dfed9d4feee5b5f6c8ef4c2305dd20e8faefbd2c1cfe7ed2a31aec046ef7c34817dbd42fcd7ff532149b9ecd931c2f4fbe2ec070fcf9b3c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
695f31a7e0e2773e3027ae57df09c5ac

SHA1
3e88c11b494b1567afdc8268f9aaaecef723efec

SHA256
8b7778b0a762f6256f9e54d759364ac27921fb70bc09d428af554f3737312874

SHA512
36b35e93767e6ea00b62077c98af33edcfeff25c80682924c2e693f8eeeba2816f6585963e1d92f05116f8c42317cbc08661788258e0f186f6032c981492b99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
b30df89fafef2aa986c67819dcb1e809

SHA1
70bedee4067be8bda295aa1b885692f7b8c3e952

SHA256
957d0d900709de942eec0c5bd195e3dc8f0df9f5967839b43bd7c26eef8f296c

SHA512
b0306e2915b9b52e11e70858bbbe493cdd15a405c19073bd090045bb20ac612b534f8fe696e2a92e31e5bf822e04c5b5aadc88fe8b58c17bd443860089a4c92e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
e4cd4ffea53e0ee2c31d52cf56fcbc8a

SHA1
dc25e511d818dfec82de426ce662f89d8bf53051

SHA256
38fd7f4a39f242386e28b36af12ad5d23a432ccdb6b4e91976598b3fa14d53ac

SHA512
aa07a81deeb3df2a00f71df70af328a94ecbec238c5b450ad847b0114c1b9f9b1c19317ae2cbead5b039ee58bbdb543b3508c198ea3ffebe9b3eac6443be62fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fe07781b81950d9419283f73684ab407

SHA1
7fe6bd735489c4491f67e411c2740e1ef7ad05c1

SHA256
9e8cef30cf932eedae1cb66498f596bd4a63713dbf9f0248fa185854ffc4bdd3

SHA512
cce049e74e143a8dff0c62caebd95810c47d16739b26ec3cceed8ab3cbf43a14754126654bc0e90efb9e48211e193371a67a9f2e5de6479d8876fc63115a75b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
54ed79fb7f2885134750157602342966

SHA1
07caffb0b556e010b2ee761f47cbeae6a45c0167

SHA256
de432e8656b2c392d6925f38fd9bb35c3291d281d52b88f8eae7afcace3fdd91

SHA512
856dce2150fbeca0ee987422f415233cac5b963e20bc4193563182d0bc97926333ec3022019aee22cdc00b37436c64d9bc5f857d53399008cb97e57105608663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
58998f56f9c22ac478ffe44ab958f082

SHA1
68d1300c723f8d1d2ec9bb91f43e3cfec4af5226

SHA256
ff87edd552237888e42bb08cbf9b178f32593c0aca1e11666c353b5dbe789793

SHA512
d47b59aa11815aa3e728bc3f16b8a6e46d30c42661cddc6a4ca893f7bb08f4ab7c0923c320897020a19a3681dbedd9aadf08eebe043ea202389dc350fb73e73d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ceda01228d2d70f9d781a2eba1a30b3f

SHA1
34f021293d9c0419c5ce96da7098c38628d69b91

SHA256
2728809250f9c6ae6bd03bf93b7d19047f20c402cde1f19133b023d9081152e1

SHA512
f80e78493a1d28fccc643ae5565351ceabc809077b1933882b748521deda2d83889a65856dfe9a44febc819043bd0ec7193a2b6a24cebbb5248d47a9be0dd8ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
58760e7792aa56c6a0e9b90e3830ac5d

SHA1
9db2a4a4fd5af00a8a4ece60cad10c6fa6bd7805

SHA256
af30b59789667f32b27191b7b8ca439b26adbc719ad4cc2a018d1f542d4ff4cd

SHA512
1bbdad9210def8b1d5591a96352ffa078643b4f41ebf1117cc472113905cf6b7c0a59cbb214d1a11298071da587db94e29933c99eeeb3eeb71aa2fb9e8725eb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
d1d7f1f1d29056e29f9126cf67ca5d40

SHA1
f979fa74f2e56a6377c0b0727effe22cf00bfbe4

SHA256
a7781900e25662a96b091b81cdd29f75efeebe4c88e766c71b7c79a6a7459f83

SHA512
5ad69299dc7bb8a03dd278dfaf9dc44925300ac57cfbc56ead2b360880e2acb5bdccd90ab16acaa1ef8f863b369262f8b5d7e5305ad219abff6a2649daaee84a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
976661a70cd113fd2142c4c59accd635

SHA1
f8584ce448091fcca394c10e286f015ea855a2f3

SHA256
886d7e163c99d5633e360f7e3da5e34409a7bdce43675686c87c2c7fabc728e7

SHA512
2b606324c8d3ec5b86145d2ac12c671f2287d436eb0934437039acb9bf7d53d39110c00320a11ea07903f797d124d2be8a5e83d914a917e3b3565389da4ab0f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
bac3635f11fa82d9796481f4e30ea65b

SHA1
47a018520dc26378042673f9b02bd16b694c5ff5

SHA256
f7e3db3903ffe5104f85ffd43ce3f0c09699bb21ee939a68cfd4c1efe57299b9

SHA512
a3338c7fe3c68af2fcb8da1972e366dbb160ee50e5659e679eb5ac9e5e964b67b546db4af32e60b4dda5a50805fce22b1a5d816e29f83b81a747977a8c1584b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
74e226c2675078d5c7cbe0fa54edf268

SHA1
c8d21e4a8bfdd4e89ec5348a58250e84931b9f13

SHA256
7b64cf9819cdcb5e388a4a36134a2a435aeaf6492ef47149fe4c42660106bf36

SHA512
645b247776fa97e43bafca783238935083aa678bb357f2f0cc972b2380ba5a9c1c8506336912da3ee27ad6dc7e2fdb4da294085aa5cb06274393020d5977ae6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\cee65e11-87ea-4350-8baa-e0482ddbd3cd.tmp

Filesize
4KB

MD5
c3ee7e13cc7b9e9f83db6323ee3dca0f

SHA1
02fbeeed28f456cda7177da88cbd060cc0ba3059

SHA256
f712948ff7ba00eccecb524f8273d994d57d0acda7aa8adf9bd3112d371b9a6b

SHA512
97dc924b8baab1efd01c563bd1806b3eb290babd59fbf9c53c305bff9e53ac92252c43ad3d62f56386894ce75f78098b5becd9b9bb268a28b87cba249501077b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2cb4c5ea2a3581c71c29ce94efab4887

SHA1
7d1808731d8623bf5e4bad90da3a9bf5f899d541

SHA256
fcb7dcdc289c1e75723aeea4dbd1cfa19bb6b6b14c5ce13ddbbc4f6adbdaa250

SHA512
259c2a47d45584c920308e8fa51a6c590d4c798e9b33e9966c08eb85ff7d220a67c920fba77698702035ac88cf2a6c5e42bef31800ee46617299836a7318b731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
618b57277d35b71e77e0d2e4b9d95605

SHA1
17c5447a5d3e3d8cdffa661b62d97d48c7ad8c3f

SHA256
12a05cf699ef869ea1b4ffc7aff6217244a5220f3e4cefca8cd0092000af7c2f

SHA512
061e4c7457f959af719d4247890cfb7188812659f4a0397e7dca46129ca1d1f0a85b6b5e03a2b7418559ca65681c6705174e65c353eec0079aa410e798fdeff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e758c6e0e1862f950d233603124053e3

SHA1
7f6f64b57d679e900f4452ff4d0ed906329505d5

SHA256
489e8fbcf7913935561a6b1841e73c4e101559f474d299006fd9dbcac7f2b7a3

SHA512
28a5a092ca537b4d3f0f5743838d9315d81af7e78e5b33f6b1df69d1b6f7f03b8187c8895607307890547639fd23eaed7755c55344282489827e0292043b2d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d1bdfe82dfd5b09f5abb67beb52f19c0

SHA1
5abb19656eee9da9883d8859d699ca085918a698

SHA256
e07018d56a02fffb4e1837b48b9df38357d23fdc565a93a6295dedd4dd27312a

SHA512
af48aec57ff16bb9fd141b7dcbd4f19c96acc49d6e731d6d4b72d79f120040fd133dbd4ec37d93e0d38513be5e6639b65c4ddd9c826d147e2664aed9e2d603aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf7b539c.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a3c45ccd-643b-48fe-a9b1-96eddac1e12b.tmp

Filesize
6KB

MD5
71717dc33cd2b15515d69a2290e354b5

SHA1
f0c8e42ced5c9b3a275ae8eec74838eebaa73fd3

SHA256
5a86f723ca0ce6e1e731c1abf153975adeaebd6d0acf9b533d03dfc77c65ca51

SHA512
b9503c96da94ed88051c335b15df5770ce6ba2a3da838c57fbf6633d1f46cd1db9fb59922d659f8a060b1a0983291f19e5f67119a82a86fe4bae981fd9fb2249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
358KB

MD5
11d21b873be8289f61782f94d92e2815

SHA1
b50d06d26c10f047ac32be739b847933ea47dec1

SHA256
b6e69d2da66b84392abd95cb2efe8760f59dae752c1cf4ec7e06f3b7355bec11

SHA512
628a5b6cd6e5c54c3a3feeffe4391d3416f2b856dad8466d62cc6fad77200313547b0e516fcb9827836d75ee91887a472e28f0f045730ef85a0c617a0f7609ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
358KB

MD5
890fc6e3cf50cd26715bec1033ecec0f

SHA1
c91fe16fd4a29af746fabd851d577822091ffb2c

SHA256
ae8d37fe5fd95ba0efe941f9328dcf2d189fd48ae5cd9f1ee6771e37f41eb74e

SHA512
1090c5a462be99e09db32bcb9bc05d7b68959a562f165ce09101306e8754bf7c9fa2c361eb031dc437c050865405b59dae4a107f6804d42acdef80512f10c5f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
82KB

MD5
2af3f17fbf0cab3697c7080845b4efc7

SHA1
da51c9091923f15f467de0d3422ddbf8cc024f5f

SHA256
f6c3910b6fe6a22eb23c281553e31d9193f7cc544f67077f685a29ad6c361c4c

SHA512
8530af7d852153c6d1fa2c1f1a78e744db00ad660887239511bbed076f0f242921ece4abdbd54b5b8128c52693a0a623f56749f9327a7eba876cf664a7a958fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DFD.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\Downloads\download.exe

Filesize
137KB

MD5
66ff26b6c7de7f2e338aca78b41efc2e

SHA1
7259116f94af453e2f94cb9f8703c778332d783b

SHA256
4039bb2d9c92a35ce03f426aaf1d2445a58b359f987e76449da79d333c18ab5b

SHA512
a25b637b08b6322d14ad7222c24442603a0da96b4c436e5547e545f55ae4c650eccb29490d5411b6ade87b2acea53a0914eca26d829ffc1cc70a79eb01006c93

Download Submit