xworm | f23d6c7169a3df4e47c6773884b98507e145ac38ca007aed55e45b72565b9dba

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PornoK1d.exe
Size

150KB
MD5

bfe2ce9a03e202907315519a601ec49c
SHA1

6c5b3c5d0628a5f59cad599ff5a5284a3ce9ef27
SHA256

f23d6c7169a3df4e47c6773884b98507e145ac38ca007aed55e45b72565b9dba
SHA512

aec9ab17e52479cbe594a4318f3ed5b6480610a1a827ffb8e29d8a43cb5538ea36997bc5b5dde51a25483bbbd74bed075fad58c6602226279ee647ba08efecee
SSDEEP

3072:ek2csT/8rJFf9HxOMo4NpVq8BxFRzaqF+o2GQJ7/JzqVfGv1:eDT/uf9QgVqwlL

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

york-latinas.gl.at.ply.gg:51154

Mutex

bhDm93QvQg6Pocut

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4988-1-0x0000000000350000-0x000000000037C000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

resource	yara_rule
behavioral2/memory/4988-1-0x0000000000350000-0x000000000037C000-memory.dmp	family_xworm

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PornoK1d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XXXLoly = "C:\\Users\\Admin\\AppData\\Roaming\\XXXLoly"	PornoK1d.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641773766054268"	chrome.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

PornoK1d.exechrome.exe

pid	process
4988	PornoK1d.exe
3488	chrome.exe
3488	chrome.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe
4988	PornoK1d.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

3488 chrome.exe
3488 chrome.exe
3488 chrome.exe
3488 chrome.exe
3488 chrome.exe
3488 chrome.exe
3488 chrome.exe
3488 chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

PornoK1d.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4988	PornoK1d.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PornoK1d.exe

pid process

4988 PornoK1d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3488 wrote to memory of 5000	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 5000	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3952	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 2980	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 2980	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe
PID 3488 wrote to memory of 3244	3488	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\PornoK1d.exe
"C:\Users\Admin\AppData\Local\Temp\PornoK1d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff95d42ab58,0x7ff95d42ab68,0x7ff95d42ab78
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:2
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:8
2⤵
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:3628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:8
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:8
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:8
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4864 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4032 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3324 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3124 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4616 --field-trial-handle=1672,i,15426295017248519831,6784879189541845070,131072 /prefetch:1
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
4ab3ca035d5b2c3a92d855c30d1fb07e

SHA1
4cc5d2d36dede5eecfd1559ce3227e0cdfb8b9c7

SHA256
69de2d2894abeb7c4b3e22ab8fef0a90fe8218e80b06c01a3678026d0d136dac

SHA512
8cf9fa0efa254441b99c2e36d3a136ae694af9a0368c3207cea5aa7f2dbfd8c3cdbfeeb925793d5b3a0ec7fec7e96ce19439d239baf2525cbb3697e1e0b441af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2f36cdad77aa42c8d88d8f03f0e72e73

SHA1
0add9dcac95c693473dad8017bea9bde2d15b204

SHA256
da16ce59b0c45bd15a264540dbd22b565471f0fb13d122327db741d511d9fe3c

SHA512
8c471693c80236681c16cb92ea2012dc07e4e26a32c3c5b92f371cce8c6c115efa9ed69c50aca6ab76918f043a2a7de9db71a9d7a5180e78ee4546bf0e87f28b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d66e66ab97e216315cd3bf0bc1ddb6e0

SHA1
90546f1af5ae3d271a13ece4120a6788a0cf261b

SHA256
59f756419dfd3f054cb89ebe91fa2ecfd15453743c8c080905c60478a3cc8cac

SHA512
7bd5c889944c5f0114c258afb8e05af17a4b022591644815a9d9ad7b6e953746c09b1fe72e9a9df3f0c697d93360401947dce54799a8ed8b561b5c841e2c8f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9b93d27fd6274787974f48f1af80a8ee

SHA1
c54454ead65483818e9d2c2e8834f81c03c66095

SHA256
bd66545894010663653aa457e516c2f38a72ebd99f61691be2ba413df3abe0ab

SHA512
95e89e26f14d0b50b964935225f9f0902eb45b106674ceb12ee29ac94bafb444724853c58e49b69400e43a345efe77536ba9da08d864eceb925323d081049332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
0aec9825d123481fee5fd784ae7c4251

SHA1
4e08ce77e2993a743c1998e9ca0c29e763e587a2

SHA256
a7f5a875318722fe2e3a473af6bcdc6ade1fcd4d1e2b09461cc4121e0abd7253

SHA512
34f57bcaeaed73ecb8904e94513a3f8ef3343cdac25e9f2e068ed5b781edd97a1a2a38b1ee1e7cef66907d499832ec538b3717ed649c38070b93e49c62f400ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
5e809f8df01ca1ac6da2067bf1a7dd0a

SHA1
7cbdce04938f69c42c3204d35d13862938fe5a6e

SHA256
32608b649424fcd56722557d57cca87ca1cd4d0296d7c1e3d81c637bac340cae

SHA512
c1fee0c8ab134c3c98decb4fe0f1548ed082be7206156d7ff9118d6d5ec68cd5e575a3c2656f34ee1a8a4f65864c0181d2650ba48ba757962ab11597eeb63541

Download Submit
\??\pipe\crashpad_3488_XXGYQOVKIVXXZKQI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4988-5-0x00007FF964730000-0x00007FF9651F1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-4-0x00007FF964733000-0x00007FF964735000-memory.dmp

Filesize
8KB

Download
memory/4988-57-0x00007FF964730000-0x00007FF9651F1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-0-0x00007FF964733000-0x00007FF964735000-memory.dmp

Filesize
8KB

Download
memory/4988-3-0x00007FF964730000-0x00007FF9651F1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-1-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download