rhadamanthys | 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm.exe
Size

456KB
MD5

515a0c8be21a5ba836e5687fc2d73333
SHA1

c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
SHA256

9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
SHA512

4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522
SSDEEP

6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3248-1-0x0000000002490000-0x0000000002890000-memory.dmp	family_rhadamanthys
behavioral2/memory/3248-2-0x0000000002490000-0x0000000002890000-memory.dmp	family_rhadamanthys
behavioral2/memory/3248-3-0x0000000002490000-0x0000000002890000-memory.dmp	family_rhadamanthys
behavioral2/memory/3248-4-0x0000000002490000-0x0000000002890000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

Processes:

flow	ioc
240	camo.githubusercontent.com
241	camo.githubusercontent.com
237	camo.githubusercontent.com
238	camo.githubusercontent.com
239	camo.githubusercontent.com

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XWorm.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581208422623328"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

XWorm.exetaskmgr.exechrome.exe

pid	process
3248	XWorm.exe
3248	XWorm.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
1696	chrome.exe
1696	chrome.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3780 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

1696 chrome.exe
1696 chrome.exe
1696 chrome.exe
1696 chrome.exe
1696 chrome.exe
1696 chrome.exe
1696 chrome.exe
1696 chrome.exe

pid	process
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exeXWorm.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3780	taskmgr.exe
Token: SeSystemProfilePrivilege	3780	taskmgr.exe
Token: SeCreateGlobalPrivilege	3780	taskmgr.exe
Token: SeShutdownPrivilege	3248	XWorm.exe
Token: SeCreatePagefilePrivilege	3248	XWorm.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1696 wrote to memory of 3128	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3128	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1920	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1844	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1844	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 4800	1696	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb5a8dab58,0x7ffb5a8dab68,0x7ffb5a8dab78
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:2
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:5528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2388 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:3696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1572 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5096 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3084 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4652 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:1
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:2
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1740,i,8252161200908104272,14091267142790151799,131072 /prefetch:8
2⤵
PID:6100

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c1d017e92a67d60d007f54b52b628bfd

SHA1
fdbf14bb2e7aae7a2f982bf219db92fffaab4b7c

SHA256
5025799991d98d921082b474729ad1738a7c18eab853c7a0656bfdf010817dcc

SHA512
c4514337d9df8d02e5164e4a1646522c8de0f0f04426b8ce35370d0d87926def4a88c715566e7fb9fe1f6368c37d4719314c3ac7705dbf71e75b706e292fc829

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
e8e7b3438b53145a0720c8f1810872cf

SHA1
58037c603bd4a5b4ef29ab62ede24c9a6c7892c1

SHA256
18f8d7e1a5447194d89d1d6db9fdf295bee37defec18acc2c23dd3a5fec2bf1a

SHA512
efc372407e45785e45d8114ce320930c0ecb78c7a01502bf11bf45826932c07ff7c98c15e981aaaa8fffbcb741511671e8dc72d496ae71f1a418b159d4278c8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
3e71565ce6ba1e39e5c6c05dd76e4e5f

SHA1
80c7538952e7b80a018cbdecd1c8083d90b84309

SHA256
95753f1a70b8c9d71f76c28899f50433b10385e401a4396b8358a68d0f7efb12

SHA512
ced05ea22d13adc389d863380ad99146ea5ef6064a924ee3d110ab8a3da4c843ad19a999ce8bbbcd3aa415526036f06ef453a9f42d1e1e0b7a156e922565ea2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
29917dacf4313da04a8d5b533439ab67

SHA1
c61a5c2620de5aa239f182b0ddebbf8e61250f21

SHA256
e8333aaaf3105a29dafae6551be0a446b124af92510ee695c54b46ef74c70fae

SHA512
c38dececfe3a2b0f084d1836296c3c040deb616cd84b7331315e771d2f5a4c5ff1cf6c17cec3926cb38e995305b19172309729cfc2d87ab73d11db35a821bf1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
761fc6c30d9c37679436c92f672cbb54

SHA1
48899267247df57668fb648b9502596038224a6f

SHA256
aceb2e0df8f1de30adbd6bc754dfec959aaeca463bbbf509f412fa4492c29e46

SHA512
8bb196b8d5267846c3c2c24b13b4ddd780c9d5b1441987b861b75f5763a9a244690b0f91d30407a13e45f82040491cbaeceaf990f95f2aea8052d2d047566e24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e96bf7cd4037f427a0fcf189d1fa68e0

SHA1
f45ae24e9be1f4a49f40fbc178e60a1980e4c382

SHA256
ae79c6bc9e4ff3a9848887ead73b0b46b9490b47b810495995b52ddf968b8f57

SHA512
5565c602a1100b06ab1783e40a9a2154213078cfee5dd8a074eadf6b4105c3a0087031979e235567fd61ac1cb4dbedb7a5a288c5416d9450f82c43edde497f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
eba1d98b915af2a319d25bdc0cfb6af3

SHA1
18dc71e5a74db97d5ee9ddf87476b3de9305d305

SHA256
0f60b758116c3ef509de28e3ed400c18628161344bd07adca5c7e5ef8b09f0e2

SHA512
d39f5de3d752bb2c4f303af4fa07d3a17d4e4e2bb3505558e90f04881373ac5e54bc82092c2c24c244bebd3b11de030fe85352d7bae97ed5be558c5a668dfef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
04f3211192a97f5d0ef83bb812d648ca

SHA1
b35eea062a60b3036ea3c94396e326e868c97b8d

SHA256
1480b45e62812695185e77daada5eeb4bebd39e0569c142ba3f7272f16826866

SHA512
7bff6b0d9a740433516085782724a1e28a24fde0e6d2840103050434fbcf4baca1906a37a7d7a763bb812c86ce5ed0e5061696a54ceb945e5ddadbdba9623ce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ed536abcc61c3440bc14af8b718e23b5

SHA1
2b8fbc3baa561608b9c1da88b67cfbe7575c7f02

SHA256
18e8c819a1e587d1be19b0014eacde4ed2914523f184a9d3bca105d6fe9d7d81

SHA512
afd37cd9f6ebd7e3006c5d6e074f12136591f91606a4e6792581b5bcc76012ae7f5c3d44471ca4c6ba0552d0421e72482bd7e4638524b0c9ed120f39d2a62f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d3534e82aeca82a7c3380c1bad4dcfc8

SHA1
22d5d95bd6a7a670b31974bd14fa18ad0a70f1fe

SHA256
141cc8fed61629684a2534704a450364fb00a7c223b42addbd8b954e7bb170f5

SHA512
cdef7e58002aadc44ed495fb225b83c9e7f7690c38773dc532fdf3270fa25044f4e169deb0cad22f6e4fe0c15f7a4be29818c161c515acc958412221b735d79e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
abfb27e97e2f9a1814b923a089d25745

SHA1
78e2fb9e7f70d6991ffd6ca9a86aabf114da9ec6

SHA256
f9ab033236e559ff44c6eb7fd67ad6487c81ded64540b2abc13183f7679fb11f

SHA512
4684161c6be3fcc986823145bba48c8a0d4796f04a9a4be84c8c7509b60765d9648bd9fa040e0747d968d8e044a4b134c36e7818a3e3e42f7b043111a6e2ef8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
74652eb26adfde5cb4b3ecd425f54833

SHA1
931191bea64bac921c7b6a711baa8ac20bf29a55

SHA256
0e738eb924b398d3ac1ac22d7b81ab9bef2c4876cbcdb97f6150f749217f085c

SHA512
44a6d212ab8fde5330eb8687338e9f4448fdbd3b30e2b0de328057cd6fcca11869e164a10a86032dabeab7ce31878d79fdfd1e20af1672e44907aacd7ed7e28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
252KB

MD5
412017fbb1db2c0114912f934d7a8cae

SHA1
661802b4da527504dca40bbcc8968815f0869aa4

SHA256
2473327a01fd5adeb801dd271befe6fc9bbf8ddfbfd67b4c380e569534f01fb2

SHA512
4ae825c9e5de49036e06a0e1c2eca94c4be8896340736c30d8064c5d5751b8187d7b0ec41b1f88028b340075964a440accedda67ba7ed8afb41b6f5791285116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
89KB

MD5
6b6403c3449b79c1e654cab1304ca04f

SHA1
85b075cf02e88d3a70593a44f6370393100b99ae

SHA256
83a208fc7d71aedc9780ac82ecab9cc87d320014366b692ddae50a8e6c8c5925

SHA512
17f904dec976c34923a501062837e4f2f43f014f1c3a0097bc0494fea2f09c1e970e139c518c8fe84c3eecfcffa455da7158d939182567eaeb1bbccf88ef1218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
95KB

MD5
74161f16a8691664d5f2d34c927b7992

SHA1
bc73cd83126e7a6fd2179362eb91f8b7920a5e0d

SHA256
472b7016192908746e7ffead84ae7e1092b52bf84f1b653124dce04cb6c342ac

SHA512
735d9aa1b055a07463fb3ab159b4e60512f26d6fd80acba086dba89be061fe7d8a8a26ce880e03dc280956f404d6b31edb635500aef65233894466831b3120d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58dabb.TMP
Filesize
88KB

MD5
69ad0a3b746bbaf6643e22432a8db80f

SHA1
25c81e5d078c1a5da573856a6d63030da6c87be8

SHA256
7bad89a81f2703693757149b2894101144aa232560eb5eaebbecbfbcea178399

SHA512
98b31f443e20f46a34ebffcd090d66fca1ade793ebcd8d0fca19bc9027ef132cb3db2d69902ed45d191dd2fd887649553576022d9472ed9a26e400ed00dbf81b

Download Submit
\??\pipe\crashpad_1696_CYNVXHRPHWQOOOVE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3248-0-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/3248-4-0x0000000002490000-0x0000000002890000-memory.dmp

Filesize
4.0MB

Download
memory/3248-1-0x0000000002490000-0x0000000002890000-memory.dmp

Filesize
4.0MB

Download
memory/3248-3-0x0000000002490000-0x0000000002890000-memory.dmp

Filesize
4.0MB

Download
memory/3248-2-0x0000000002490000-0x0000000002890000-memory.dmp

Filesize
4.0MB

Download
memory/3780-15-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-6-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-16-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-14-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-13-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-12-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-11-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-17-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-5-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download
memory/3780-7-0x000002A209A90000-0x000002A209A91000-memory.dmp

Filesize
4KB

Download