rhadamanthys | 463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a

Analysis

max time kernel
215s
max time network
214s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-11-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm[1].rar
Size

3.8MB
MD5

72ed99d6168329b94021eaf282af0552
SHA1

0be0ad479efa7b5d3021b06ab5f6b71f858ba08f
SHA256

463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a
SHA512

b11c5657389e8e6f5af5bdbef2b22daef62e26484117c9a30de184a63980e6108cd804e43db7494f24057eaeec32ced7ab5ebd6f7aedb6467a207a209a2bd2a7
SSDEEP

98304:AdRaDzmLW/nQDItjvhd8cMOBmYS1svAJFFa6XmeuwSqUjGMtokcqh:AAearjJd8vNYNQFzEvBVtoFqh

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/4936-36-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys
behavioral1/memory/4936-35-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys
behavioral1/memory/4936-37-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys
behavioral1/memory/4936-38-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Executes dropped EXE 1 IoCs

pid	Process
4936	XWorm.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	chrome.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	XWorm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771127446051563"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4936	XWorm.exe
4936	XWorm.exe
3396	7zFM.exe
3396	7zFM.exe
1104	chrome.exe
1104	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3396	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3396	7zFM.exe
Token: 35	3396	7zFM.exe
Token: SeSecurityPrivilege	3396	7zFM.exe
Token: SeSecurityPrivilege	3396	7zFM.exe
Token: SeShutdownPrivilege	4936	XWorm.exe
Token: SeCreatePagefilePrivilege	4936	XWorm.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3396	7zFM.exe
3396	7zFM.exe
3396	7zFM.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4936	3396	7zFM.exe	80
PID 3396 wrote to memory of 4936	3396	7zFM.exe	80
PID 3396 wrote to memory of 4936	3396	7zFM.exe	80
PID 1104 wrote to memory of 2072	1104	chrome.exe	91
PID 1104 wrote to memory of 2072	1104	chrome.exe	91
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 1676	1104	chrome.exe	92
PID 1104 wrote to memory of 4724	1104	chrome.exe	93
PID 1104 wrote to memory of 4724	1104	chrome.exe	93
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94
PID 1104 wrote to memory of 3872	1104	chrome.exe	94

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm[1].rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\7zO44DF7508\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44DF7508\XWorm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffbb826cc40,0x7ffbb826cc4c,0x7ffbb826cc58
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4960,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4740,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4752,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3696,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4560,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3360,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4564,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5104,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5092,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5348,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3736,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3476,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3372,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4640,i,17355064437875782779,11425124577028278407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffbb826cc40,0x7ffbb826cc4c,0x7ffbb826cc58
  2⤵
  PID:3040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4fc
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
aca1b64732bf785232906eba35945517

SHA1
4ee55290dbc37c7acedf6200e499d97f56acecc6

SHA256
49fb4a1d3a51f81155c1a3f5ad002b384abdb4081a7a17dfe8e4b4880d8df932

SHA512
3edfc259ca250e675e1965e4d9973b8e64506b63ddf9d932639d901b4a9fc0adf01b9429efa02bc97745be2b890286e43beb17b3032386d8ba28b34843ded003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d9387fcf2b5e3de162ca9125581a9685

SHA1
100d265a026d1cc83abcfbd8b2a11b82d2bb7678

SHA256
760a3fafeeff0df34f4357185d64c3b8110c628597dbc1ffefa5c69e7b3cee5e

SHA512
9eec69e2f45f62cd5378393d6bb4e5123c0bb551e0c6ecd1644f3d6472aceaa90167c0785c05233ff1b41c159b1e3b64041084b844f142583e1dfcc8b6e91979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44084a3af1b43433610a7f3d20d1678f

SHA1
8f309fad38ed8cf059f4c47a5705e470ad390a38

SHA256
be8caedbc82910d46dce935c906e996ade40e9da3971d6f72e4eed28b75a8a9a

SHA512
a875d4941992ced97728e7a8e2ecfd01cf627b940e7c5e5b89cb6a28f9c07e66b6acc9e9006124a76604790adac4e8ec41a1471102b30b97c332410f3543b00b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f527316d4b2aee3664d6ff326e4c5cd5

SHA1
26b21cfeb78e4d626a67aa95875361c2c6353663

SHA256
3baa0b48b4a76b3ca1f949a3f37c7e8dbfafbd77e9498ce85777ca7320eef712

SHA512
918977bd2d56d2b6cb7e0d6e259fc7b4bb7f3571aff1b536227c787a118ae23036970b7a527e8876cb9852172ff24f1b67eff8537d2a7823a21e0d88c84e8c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b2edde73cc7d3ea233103f9132adc02

SHA1
109b989542ee66eaa589d73e4b6321f301c1bff9

SHA256
523942923697e790039e584c1fdebd0daa2485028307ec3faa0b47012b36d65f

SHA512
e813938f3ae85f7d00f5c3bc385f599b0f5dec0f01e785546eb687aa733a7c767a6f89157963e85872415aebbc9377e22e10e57104e8e5125f7cb25786940ae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
291388465b036069aafb9ad492e35c92

SHA1
959eec6f17b98c38426e7ab6caa86483dfe43721

SHA256
d5eb0006032a64c2445c26b851e95239c9b305e64da9a83403c15c09e373dd43

SHA512
b58117041b0af43dd07920801a6e16da852b89b92c654461a958165642adeec96101032d8d782dc7ce8b6a60e3e54ebb9440ad9c06d454de33b6035bd398c004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b62e5f2293a91bb67b970c82c283890

SHA1
494505d7578476608bbce3930e4c82f55d59a893

SHA256
bc5f81b3828f3c4c8bc603600820944a5afdf5ce61d30572eafa290031f6ca1c

SHA512
d74d99960442bcb64dac3505685db334a3ba9826f7000fd1a7376919720e8ccfee9d865e881b9950ce119bb08f6a555f9fd0cde5fdc1c1e37a8f622b2e525b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddcd5d9931eda6b89a627199b7be769e

SHA1
2fb171467c2ed965fb361621955aa009e75deee6

SHA256
a462036cbcc39cf9e3e032cb75bbb888ed3bf2257deff02b97a10bea97b4e3e4

SHA512
399d64815f8f5b3389377ed470d137d8fce6aeedfebfdf15bbaf67838da2321f1d647bb15da9bef323122870d14aed3c06722688c144891ecc59a4b8bc0fba58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ea4ba9a79c3af10184eb6d114676ea9

SHA1
8fbdb175367ad1f132ab99ea35914a1ed3f47da7

SHA256
b8b5da0a78760457fa20cc8c1977e3569362ac9141094acb03977a4eb80d1834

SHA512
b0b3fe4dc5eeeddb1d255fc5949cf50d455354ccd5b6e4498234f2a067af53296134df2ac9aa947db61586c45b033b7dd5e2caa75c29642d40efed6db4809b51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d7558556292b18b0aef4c8ef5de9d482

SHA1
b51c7932994295647fc95ac995e2053e9bb4cbaa

SHA256
a231b0489b0fa728e495eafbc39ffc33059ea787bd65e732b12717fff1430f96

SHA512
01b2e99e86be3f14d9e463f0bd336594a026894bff4fa71cfcf9cf0e781348dcf68656c3682ee9735d08c54b97a1e90f732cac544da94602da8220d665853030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54a313e9abdcec64c2fdf273fd110903

SHA1
b0e1d2c1d2422ff1387d671bcc94e16a1ab68cc9

SHA256
d903462335f1b58bd16b233200ceb65a7c99dea4eec1915fc349dd26472e8b74

SHA512
b34cab84961050e4bb51819176ad56654f9aee686cb1dd7b90ba053d72083022ff922ee0915303590e7e8039cff8747476f2b9668334611d22752c3f92147d11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
382ff7531ea6b639cd33ef606df198fb

SHA1
fa9669791d147392b881e6e5239321ae73ca0ab8

SHA256
54a0369e18fa0c2ac78a9551f3ed07e612977234adf00efae108d7bf4c278d72

SHA512
4e535158a1c55bd93ad7a6ce8725543a4a5a8aa52cab9ce9ec4e139aeb24d96cef5b38844b5bb345db8fa866765c979672d4c540c410254472a7b859297ab793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
68fcc5e88af05a6995fdd4440d78677c

SHA1
de31e65b18b5a80d901f7eab4a3dc3b8c1a1de26

SHA256
db7086761a5a53cb2937c1e89fd1ad1bf1fc95567c0b719e966127eb557054d6

SHA512
f006fb6ae013a7408d20f60292f026e9c738778b91233e178dd5df5e7aafd410bb0346ae45ac60c325c6bcd01c19bd9a8c66e6b265bf9a396004ff61675f19cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
e819c427de84d221254f72332a8c8e04

SHA1
9427b1b6947873e0c79d70b9aca359e42eb31bf3

SHA256
bc20243eaebbdc5fee9fd72c86c18d1b83cc147747fcb70c4b2fc4f3cfc2cb9e

SHA512
ab483fd3fc6fec3fadced42bf8e21dcefb2f7fcb7ae432d7b36a9776d81488d51319611b61454468daff5b3e13252fbcdabd7a28c88d804335116230305f833c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
c642e240196c3919331858fb29b785d7

SHA1
43d8b53dbfaef31c4a40fce24c4780a21cc5f7a2

SHA256
8faa83b235cd52e225f2f51e4ea2002f1f4ac11ed0986c2dc719487fbf4f0597

SHA512
f47fb0699e5d7881c3e153d784a8c57fdce9580524b7f4e916629e92ea8aed63bd2ef26998f230fccdbfaea720c797fc2a5bc92764f474c49c8737e9cd06882b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
1c15a96b4bb5c78c37dd84aa9cdf0ca6

SHA1
468a6745515ea29da749e28b166ca3f3d88aa831

SHA256
2b193fe594a27a6edcd27eedab5d3915c6c35d3db00952271c1bf48253470fa0

SHA512
c9afcfb3792617773aa534931397d0e0759afce12b3d069bf0add064a571600dd3d736d593c72ba0392b2e15262138f1f7e6ae8f71617b645a5781d149f5e4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44DF7508\XWorm.exe

Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
memory/4936-38-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/4936-37-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/4936-35-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/4936-36-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/4936-34-0x0000000000560000-0x0000000000567000-memory.dmp

Filesize
28KB

Download