xworm | hxxps://github[.]com/farrrrrzad/haha/blob/main/XClient[.]exe

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/farrrrrzad/haha/blob/main/XClient.exe

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%Public%
install_file
SteamCracked.exe
telegram
https://api.telegram.org/bot7082888193:AAEZ-QonUE57h7crcRYyMzZXt4Pa9br_3xA/sendMessage?chat_id=6044060082

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000232ab-231.dat	family_xworm
behavioral1/memory/1620-273-0x0000000000CA0000-0x0000000000CFC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SteamCracked.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SteamCracked.lnk	XClient.exe

Executes dropped EXE 6 IoCs

pid	Process
1620	XClient.exe
4068	SteamCracked.exe
5820	XClient.exe
4888	XClient.exe
5444	XClient.exe
5912	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SteamCracked = "C:\\Users\\Public\\SteamCracked.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
67	raw.githubusercontent.com
73	raw.githubusercontent.com
75	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
92	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4140	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558546328597699"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1620	XClient.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe
5300	powershell.exe
5300	powershell.exe
5300	powershell.exe
2344	powershell.exe
2344	powershell.exe
2344	powershell.exe
5684	powershell.exe
5684	powershell.exe
5684	powershell.exe
6024	powershell.exe
6024	powershell.exe
6024	powershell.exe
1620	XClient.exe
1620	XClient.exe
1620	XClient.exe
1620	XClient.exe
1620	XClient.exe
1620	XClient.exe
1620	XClient.exe
1620	XClient.exe
5232	chrome.exe
5232	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1620	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2500	2220	chrome.exe	94
PID 2220 wrote to memory of 2500	2220	chrome.exe	94
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 1044	2220	chrome.exe	97
PID 2220 wrote to memory of 4988	2220	chrome.exe	98
PID 2220 wrote to memory of 4988	2220	chrome.exe	98
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99
PID 2220 wrote to memory of 3856	2220	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/farrrrrzad/haha/blob/main/XClient.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff984b89758,0x7ff984b89768,0x7ff984b89778
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5400 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5476 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:8
  2⤵
  PID:5648
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SteamCracked.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SteamCracked.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6024
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SteamCracked" /tr "C:\Users\Public\SteamCracked.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 --field-trial-handle=1864,i,906202947281305612,1827777532897070784,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:6048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2664

C:\Users\Public\SteamCracked.exe
C:\Users\Public\SteamCracked.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
PID:5820

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
PID:5444

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
341KB

MD5
f2b63c80f912e0ce79cfaa289d0dbfc5

SHA1
f6791b68f33f27b33272f019f0218416cf0361a5

SHA256
dba102fa9af6b80fc3711fbfe4428d7f09a34bdf0543632e1b8e9c83e6a3736a

SHA512
82edc9ba23a3bc2b490b6b6c489ad01b821898a6f5cafc3e4ea3bbcb3d7ed40778e6fb66e44ebd820b44b79adfd60ea2665aa84802ac62626100f8923f4b8576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
92e68ae547b3523d8120c99972d87eb8

SHA1
cf3d58d94c41d805f1d63b4cbda0d651af604ab6

SHA256
b2d5e33b437d49972f07b028130e1eefea284472610c7c5e6590db64c3ea7ead

SHA512
3e44a74cd31c2c7c3c2e7b37c22a7620ecccea70df8b3bd3f2cf69ea19f9216d45bd96b50a470daf2472ef58c94d38919ea1f671c86e5ed2092b29f1f318b75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
efb526da9585ab07fb4c49b60448e5c0

SHA1
a2d05bfbbf5fc8ca41e548ddec89820a8b065731

SHA256
e548f1092e63e166b2a25408accd56581ae15385dff900b4c39a279024a1a83c

SHA512
844de96d920875fbe43aa24af9f9562e70030d3c9e810af4c9eb390c7d8de2a76e5e042369b3e4181a3da24c27f21381a614269daf7d18252ba1c0c2ee48b136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
26a4cc8344eac0e42e9e79c208b39898

SHA1
87546e5b56d2eef871a8392b24f60db86f902a4f

SHA256
b95f06158b7738ff4a96bbf3a258a04e80047d1227b3a400f4fb66f37e0fc35f

SHA512
a1d9304be505830f009d607403328e189a858bd286f6df41c896a98f4ce7f1165fb94429fd31eaaab64a522fcc839a9530ab08f00895dcd8487cc054e9925783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3ce6b3318f321b8bb9ea394f56e25fcd

SHA1
81c2aaa2937534321db5bb1bcec4b731f23b8d4f

SHA256
52d54635ff3917cff4a747939da52f68c140a32139afb785eee2fe0115c1310d

SHA512
d8e800c96053dce374fa0bb74ff3d9ea5d28fef59e4100c8c5a414372d5a2c3e8d56135e9ec8f31621d41085dd4f99fa498e047e29bc8c135e72fcf0fb21aba7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
704B

MD5
d228098e1b004a3b278ebf491ea1c4e1

SHA1
f693bbb65cfcf7d4f20c5ab53203da9a2f0f9692

SHA256
9244f0d95d8c0e8aa7045ba054bf65350a32f215025aa9d3dcc0e65a8e448987

SHA512
9592cf8bc729086058b1dbaa4a9c95ce3eb55f8e639230c9bf9f0e93890c7fe527e49354ff6dd7d680c27f0392ae68cbd3d90bf23a4de72e845c54e7eada045c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fb6f1f57f2579b5c330944f635b2765e

SHA1
dda106e02ba87bdfb024a7dc394f25f30511d072

SHA256
c98fc9d20f018c0c29eca7a64c0276c5a0ef4e0e67628162452880ded3bd5c88

SHA512
e0bc31973351ece255ca822245de47b9b664aec2c8d9fc3f3b9c246bd5bf93060a694550ec060ec0c1b3d5a63992670d611f2faa7c90f1db11eb5c2a0aaf6c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8b754739ac2e876c68ed3a7372a19459

SHA1
d3aba5f3104b7884b8a8f061940d291220500abd

SHA256
a1e1a320dbaa789a2ece74085b5e7db4bf735acf7bd7da51a89e6450bc659218

SHA512
bb6e55dd64c45b43586c2c1b8e33a4df80449a8e0551c37429919b43cdfd27fb6ee212319ca2d32937a57cbb35e34f025633a0a655128305f9d0740515db57da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
704B

MD5
7d36fa07b4982b2eb68b80e81d6933fb

SHA1
8b8456f253eaade37006fed70d02fc34795305df

SHA256
364d8b987f3e8b8c003c536ad7053ddeaa24c3edfc94b6234ba7a67cefc04e28

SHA512
f23eb11c0e452769b203b1aad6596141097be172b69ded42967bdee7aa6ce0ad49ba6399c728a49e4b5a4e9d0fcd84a9f507e05c17ee0891650f978bbaf16155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
69c14590c66e1baff92932a7a6cd5ade

SHA1
253c046bd364b8996534f3af813acadecd3920c0

SHA256
c506d93b232a43a898a280a6fd70ca43505020d3d9b1e2fb5a608e09c752f786

SHA512
087765d9f94242d5a876928594abb51af2fb457dc63288eb92375231383f153c466efed15cd3b74347c54c40d8e864013441e2a54a63083b6d42b9c3e374be3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
05a88d0a91968d96226cc01e9b1dcbac

SHA1
7094bf52534edf71d010b1d0051d5fe42e42c399

SHA256
163ce2cce6163ea2e5252aa5235369e0fb656a87de029f53896684d4124c4ba7

SHA512
7085999f936c2810c41bc9cf539320917fd710f5911cb23f6aca37731a58008b35f74ffab469e67050f809e656547a1d9271d305298c448812539e1df87e2172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cb8d3053716cbd41b6587ffe0899e7d5

SHA1
2a118fa825478fba68ef734c5299ff9e1b116b46

SHA256
bb8038c7f828276c7da0232ce3b456ccddf379201eae99db4572ccc48953a8ed

SHA512
5500726bbee786e01176eaa78d346f400b51ce363e814012cca764fcde98bde876812b73617bc058c0b1744c1ddc9770d3c4e3640b1492cc7846bae8e54b18a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
da814d98c7de1004bd82e2534466f349

SHA1
a93cce4b25acf071bfc5918b94749169593feed4

SHA256
adc6c674cfe0659df692fa5630aae759ffb1247859901115daaf72f74d3bd68a

SHA512
5d5d7f43305b934fe751f4cf3dc580fc9028a6427fbd249a28db700f8af8836262b47795011348d7655dabf7211edc763b0d84fd0800ad948b08f7ce7fc45b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e625c1f68a9838f440632d82fd701be9

SHA1
dd1f6fdb4416c4d966197a89f24bdd0170f726fc

SHA256
0b2e7e534703c5616b9ee3b2418ea5b794892aeb432c7bb20f0c35a83c6cbdb1

SHA512
c5f58902c30ea7241752281353ec64408c833d231d2fc3a8520c4f753a1111ff5a844d04b93eee020e1845f6a92891ea2c7563c2ac6cd136d85888ca6198dddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d736cb660915c7b29ebe6a4e413b28be

SHA1
07949b63afeb23123d0de753f2199ebbb45040ff

SHA256
06fe5323240cf3529f8202e3641615867a99c18eb751a8131b0f7bee7920864c

SHA512
1161fcf65cf90297195fcf653514682bf38c3f193f442c187de9b863f8f0b455bf7176ee685dee973264801e908ad51f7ef194d6372627fd4701a39dc8b68fda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
94ea0caef49efcc7de54dde2fb86ffa2

SHA1
b2279fa6205ba0a74faf183e449fde8375fcdc76

SHA256
d9732207a0ebd6bdad4b92dfea088562c96770ccc0b7fc107aca4d5e8ab28b93

SHA512
69ed1f792323f4201eb65cfcba0ee479832e23df0a160acb4499034bb06a4548e168ed4e5d145603569b901e0a327c1566a3e7958d15552ea4e213d1f0b20d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ebdb16c6e28ac343d7f28d9c47ad4861

SHA1
aea68efc2263c43974cda67b37d9f7b464c0a669

SHA256
4696258542017277a27f61540084850b6aada9cece1df4290209b80792c04afd

SHA512
cba4aadd15e20fdbe262b2f416c71a47d92f8f65e91e3d7a3f4b7299b9e3d91edb47a1db547ca93e14817105d8943740ccff230fc0a8a96a113700d973ed8ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
15980d62414008be6f6c5d0d552a2196

SHA1
3d166f08c2a8e25fc09e63ad2166d52c153397a0

SHA256
f11f021cbddcad83ddfc450c6f5a2c046ef1c925ddb107363d22078429ff475d

SHA512
cd0787af6a2cf01763125db4495df3b3fe1c0d9b678f3873620fe993e790bbe23cbcde9b5e32b9e1fe6305a262cc2e6f98166b831ab8f54506e6d78c83c215df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
735388b98281cec7d063b1b470c13632

SHA1
7536ce1c5f3732fac491d7038e24124551c4290a

SHA256
843fced254477f5ad803cc98e853d7ab674852d5e94bc174497691b736d49e69

SHA512
30244c596f4c3cc0194186a210170f04985b77fc90f10cff0a2fbd07e079944e5f8c9998759219363033c450b6a4093ad1b3d75e0a0fae1aa6208a61a88a9717

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11j30nor.q3u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1620-392-0x000000001C570000-0x000000001C5AB000-memory.dmp

Filesize
236KB

Download
memory/1620-345-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/1620-329-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/1620-284-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/1620-274-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/1620-273-0x0000000000CA0000-0x0000000000CFC000-memory.dmp

Filesize
368KB

Download
memory/2344-319-0x000002DF635F0000-0x000002DF63600000-memory.dmp

Filesize
64KB

Download
memory/2344-317-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/2344-331-0x000002DF635F0000-0x000002DF63600000-memory.dmp

Filesize
64KB

Download
memory/2344-333-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/2344-318-0x000002DF635F0000-0x000002DF63600000-memory.dmp

Filesize
64KB

Download
memory/4068-434-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/4068-421-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/4888-448-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/4888-447-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5300-312-0x000001CE24A10000-0x000001CE24A20000-memory.dmp

Filesize
64KB

Download
memory/5300-310-0x000001CE24BE0000-0x000001CE24C02000-memory.dmp

Filesize
136KB

Download
memory/5300-315-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5300-309-0x000001CE24A10000-0x000001CE24A20000-memory.dmp

Filesize
64KB

Download
memory/5300-308-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5300-311-0x000001CE24A10000-0x000001CE24A20000-memory.dmp

Filesize
64KB

Download
memory/5444-450-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5444-452-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5684-348-0x0000027F73B30000-0x0000027F73B40000-memory.dmp

Filesize
64KB

Download
memory/5684-360-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5684-339-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5684-346-0x0000027F73B30000-0x0000027F73B40000-memory.dmp

Filesize
64KB

Download
memory/5684-347-0x0000027F73B30000-0x0000027F73B40000-memory.dmp

Filesize
64KB

Download
memory/5684-349-0x0000027F73B30000-0x0000027F73B40000-memory.dmp

Filesize
64KB

Download
memory/5820-436-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5820-432-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5912-455-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/5912-456-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/6024-376-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/6024-361-0x00007FF980490000-0x00007FF980F51000-memory.dmp

Filesize
10.8MB

Download
memory/6024-363-0x0000018E7CFE0000-0x0000018E7CFF0000-memory.dmp

Filesize
64KB

Download
memory/6024-362-0x0000018E7CFE0000-0x0000018E7CFF0000-memory.dmp

Filesize
64KB

Download
memory/6024-374-0x0000018E7CFE0000-0x0000018E7CFF0000-memory.dmp

Filesize
64KB

Download