rhadamanthys | hxxps://github[.]com/koyaxZ/XWorm-v5-Remote-Access-Tool

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2964-216-0x00000000022F0000-0x00000000026F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2964-218-0x00000000022F0000-0x00000000026F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2964-217-0x00000000022F0000-0x00000000026F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2964-219-0x00000000022F0000-0x00000000026F0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

32 camo.githubusercontent.com
27 camo.githubusercontent.com
29 camo.githubusercontent.com
30 camo.githubusercontent.com
31 camo.githubusercontent.com

flow	ioc
32	camo.githubusercontent.com
27	camo.githubusercontent.com
29	camo.githubusercontent.com
30	camo.githubusercontent.com
31	camo.githubusercontent.com

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XWorm.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634953791320702"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exeXWorm.exetaskmgr.exe

pid	process
3108	chrome.exe
3108	chrome.exe
2964	XWorm.exe
2964	XWorm.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3108 chrome.exe
3108 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe
3548	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3108 wrote to memory of 1152	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1152	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4808	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 3328	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 3328	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1392	3108	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88791ab58,0x7ff88791ab68,0x7ff88791ab78
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:2
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:8
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:8
2⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:1
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:1
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1816,i,2849937363186133815,3045479314480192096,131072 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1932

C:\Users\Admin\Downloads\XWorm-v5-Remote-Access-Tool-main\XWorm-v5-Remote-Access-Tool-main\XWorm.exe
"C:\Users\Admin\Downloads\XWorm-v5-Remote-Access-Tool-main\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8541d3b7-a4ed-49ad-a5ad-93cd917f8fa9.tmp
Filesize
7KB

MD5
610e61c1f55aa737bc58b940c252da55

SHA1
58aa58c03855b0eac8c4a6a05f37102f6716f5c5

SHA256
c0afbe1be17db04f9a62a0c92ca87334de7e86d1f35123656d02ce7cd61af538

SHA512
d0a143896302f43211d0a6996f65c84193160dc112242329bff8e83b134c22d98bba5d56d2c9aecdf3e547a90bdf6bd28b1da03532e05010e74c33a19d54d246

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
73e87dda283c6ce59c4ff95822fc5b5d

SHA1
16cd1c75b0de1b1aafc1b3c4a682d0af311d1574

SHA256
7b27925f43d2c6943ca91f98c845a1a128c6ed264d92810a3a8b70b315f016a4

SHA512
229f6a1edd21d1e0e1d34e0eba5e010c9b2fc70b1e0966f55bc3cf3bb7e4713a4fc5165b979b0c50661b179088109c9745a40795060b97b83de0dea4da147568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e5a51d8e1f2b665341ec0db5c935419a

SHA1
ecc40236b6c6652a9b9e6016e62c56ba0ab18d01

SHA256
ce36308ef9bb3e431cc340bfe27154a9030da01f394aa2773e9a1230bfeb5851

SHA512
ec21625e5f78b54630988fe6ecd5204614b37441418e8263a9f573e671e70118ababfb1c416b549f688a31f51b25fe50cb58de8ea7ec12b152a05718d9ce8a4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f49b29d0ef5a419f84494caf2d929261

SHA1
6ae433e47267f4998a7fb40bda6ea74944ade388

SHA256
b11de81be8707be64bce8e090b1c0ba9949f2313363d323481ecae20d53d13d5

SHA512
5ee8dc35c9321ce6fdd98a7a18bb816e5b5f63d4265938df2fccc91de6caa7060f699dd42ff34df5ff59a0c3a7794ac6e5ed6115bdba891c57562dbc95bcdb15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
94fc72512591d68b15754457d78b9ff8

SHA1
dc6910eff5d1113d8432386bdaeb7269c44503a0

SHA256
51e9be6963bb9e8f4ab7f2d5a6eb65851d777e684243111859d2a57012d58973

SHA512
7101272b7331df59ee6cc5a7be48577fd2e9a5064bab9467db1a41f2859df0c35022051cf8b8ba5927b0e0a223238b77e2b46350379dba2b09c51339629ddd49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
f26f2e435934495a20c17d42f2c4bdd8

SHA1
8783dc5513a0bbae272dbce4110ec7aeb84219d3

SHA256
45edd3326e94fca5e95ae9bdad92f83822a24c23f4e83282e4388669ba6785c0

SHA512
19eb9d97e41b14a060a85f453e3ee83d55ed4ee2b8bf2f1edfd61c0e86392bd1049cbd774943baa418b6c7d85cf2d612ed6abb7308e448b38fa4c3a9e8a696eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
c451e193518b29b95bbe2143fc545982

SHA1
6fc7d61641d8d22bb330c6338d502303fddf3bc6

SHA256
5cfbbb684f55c807181418dc04e00ee796eb75d97327677d7bd98c96a711363e

SHA512
ee1c2f214a89e2c50ae566edfd65c1b6220eb86f58a5927c6077fd558cb9ac19a12974bd1da8bcf0c5db160b1329d1cb6398d4d1e86132b3de624644269a8312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e00f.TMP
Filesize
88KB

MD5
04d0ff4d377269b290d20524bdadfe21

SHA1
761052bffa564d454fd356ef28362f4c22243d2a

SHA256
ff19617dbf84cbf6b058890b37b71d17d9d5c3505a3fd5c25da2f87d6dcc8bf9

SHA512
be0cc371eae171790fd7fcab529d940612d67091e74bd1ae2acbb17ab6dd6b43e37f1a4222ed13a70b253a4f489d8e0297b63a3478ec0e3c95a0d84b28a5492e

Download Submit
C:\Users\Admin\Downloads\XWorm-v5-Remote-Access-Tool-main.zip.crdownload
Filesize
5.0MB

MD5
4009932a7e44d607b529598df00ff375

SHA1
ff8bff1c6f707101215aee8d7ff315cba991001d

SHA256
50505aa9a36faa076b8a6894297bc8fed02269938e6592b7b7be7c9c809897dd

SHA512
b77816e1aaaf9a09155f91aa91070a099fcd09acec92c28ac6afa4bdf2abcec3d4e1eaa028efc4ff9b0999fc6b90ceaa71146d9023aaecc074a49945364c38de

Download Submit
\??\pipe\crashpad_3108_BXRUCDNIVBCMNJRV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2964-216-0x00000000022F0000-0x00000000026F0000-memory.dmp

Filesize
4.0MB

Download
memory/2964-215-0x0000000000710000-0x0000000000717000-memory.dmp

Filesize
28KB

Download
memory/2964-218-0x00000000022F0000-0x00000000026F0000-memory.dmp

Filesize
4.0MB

Download
memory/2964-217-0x00000000022F0000-0x00000000026F0000-memory.dmp

Filesize
4.0MB

Download
memory/2964-219-0x00000000022F0000-0x00000000026F0000-memory.dmp

Filesize
4.0MB

Download
memory/3548-231-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-230-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-229-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-235-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-238-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-239-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-241-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-240-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-237-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download
memory/3548-236-0x0000017B5A5D0000-0x0000017B5A5D1000-memory.dmp

Filesize
4KB

Download