xworm | 12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

playit-0.9.4-signed.exe
Size

4.5MB
MD5

b5a2f8dde0d824b64b749f0db69d00d4
SHA1

2cf1025a87a2dee9972b71f54e399e37ae75e043
SHA256

12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906
SHA512

107a05c44148d9b4c7ae597c94e1a99809addeb43ade7178effd83758bd443afbaf9d3008894c8e5834ac9acb308517097418bc8a5f9f0d50d25a373aa6637d6
SSDEEP

98304:yJd9khieA3BPOtdBrkFVYBh7IoAyTzZwFkQoGtczBOlzp2ybcBk:yJnkvAxPO3BrkFVYBKoASaFJekl92AcB

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

147.185.221.23:24311

Attributes

Install_directory
%AppData%
install_file
RegEdit.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0010000000023b54-14.dat	family_xworm
behavioral2/memory/2092-24-0x0000000000790000-0x00000000007A4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1092	powershell.exe
1520	powershell.exe
2256	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	playit-0.9.4-signed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
3124	playit-0.9.3-signed.exe
2092	XClient.exe
5332	XClient.exe
5912	XClient.exe
4000	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1708	msedge.exe
1708	msedge.exe
4760	msedge.exe
4760	msedge.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
3636	identity_helper.exe
3636	identity_helper.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	XClient.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2092	XClient.exe
Token: SeDebugPrivilege	5332	XClient.exe
Token: SeDebugPrivilege	5912	XClient.exe
Token: SeDebugPrivilege	4000	XClient.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 3124	4412	playit-0.9.4-signed.exe	86
PID 4412 wrote to memory of 3124	4412	playit-0.9.4-signed.exe	86
PID 4412 wrote to memory of 2092	4412	playit-0.9.4-signed.exe	88
PID 4412 wrote to memory of 2092	4412	playit-0.9.4-signed.exe	88
PID 3124 wrote to memory of 4760	3124	playit-0.9.3-signed.exe	91
PID 3124 wrote to memory of 4760	3124	playit-0.9.3-signed.exe	91
PID 4760 wrote to memory of 3368	4760	msedge.exe	92
PID 4760 wrote to memory of 3368	4760	msedge.exe	92
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 456	4760	msedge.exe	95
PID 4760 wrote to memory of 1708	4760	msedge.exe	96
PID 4760 wrote to memory of 1708	4760	msedge.exe	96
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97
PID 4760 wrote to memory of 2520	4760	msedge.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe
"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
  "C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playit.gg/claim/1e8fa71aea
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb430246f8,0x7ffb43024708,0x7ffb43024718
      4⤵
      PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:2520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:4164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
      4⤵
      PID:464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      4⤵
      PID:3504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      4⤵
      PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6096
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3804

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
72bff377710c82e6710e58b876069ec9

SHA1
8d520a609f7f22585231bf6a37dd4c7598253335

SHA256
b4472aa8945c42972be44ebb6df6ce39c5e6c4aa3bf5579ff25f0285d8b21f2b

SHA512
160d0a7ecce424785c4f1dae23dea6402f8b7294816fdf6a1349b4267d1a2cefa3ab5d442f000522bbb5ade6918fad65960398edf324bd5490979069b35cf8c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
89de1c68f92a862fbc325bf3fc60bc00

SHA1
b842cd736c22fa9c8431f5d83a953d077ea62563

SHA256
f9d1b2304ba6555163a2583c092830dff76e5899bb95eb47a2364df7bce95196

SHA512
fe39ef901e04b0dcddd5c70b5b9e95130275f86e60a9efb0f8eaae86b384a02c712b7f3a34d5015be8e56c10fe760b6785031afa5a171877bf9ab81a054041b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6776e3394b05afbf8f65cb2d488d809

SHA1
a5effc87dc732afde3fa41e9fc139d4cdfd6f201

SHA256
38a74918dbffa85c78a0c23a8d3a3e939244481d789f0771617b886a623068a0

SHA512
9046da0e05c4b24f539d3ef732d7745a079c7a612a76ce442b7fcc13dbec264672fc490cb68ceaeda6835b1eb99ac7df03587619ea69ff898b9dd2ec98310a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcb5986dbc024b0e3860efbbc039ab93

SHA1
320b20ea66874eb0901ab51591c26e791c89a437

SHA256
307e96e4f62729c4c84ba3db03f7fa2a2ae175eb3618b05f5683bf14b1a84df1

SHA512
48c4e4ff213e27f7807182d8a2986eeb11840cbd96b84bd2b1b9e48c1b92d500ec4db7087f5527bd2b40868ba4ac523460adb75adbc871fbb9c24618cac1cd44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3e893abd878de43807a4187b076fa683

SHA1
e54b0748f9c7e1c6e9c35451fbb128f884fc45f3

SHA256
ae231dc1b89a77239448b59d2aa2592fd9052fab00b644558f964d6053c30d87

SHA512
31656ce35beab07d379ddfd795ca66a8af00ccce452b593bc73646746a89270b8c51b2955eac79aedb37a7d2e8733911d4583ae61103fb315d8a69d610e47274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6eaffbd8517e4331e6d5087007ed71d1

SHA1
55fbe164647a758f535c30f7e193a4619313a79b

SHA256
f1897c71edb60ca69ac11433492f284463989eb8930e4446f829fc699fea1371

SHA512
1c296d3b82c242b387233ef7aa2ca9d8264e380c11f1561db6361fd1ed62cbf434af8a9ad62451e9785fd51430505455be1d0f706d5850cd84edcca595436f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
57KB

MD5
f2a9ba24fda65a5e298a37965de4258f

SHA1
5c91e7c89233c45933ac106cd4d1110d293c9206

SHA256
6ea59e69f350e9f0311dfc3d58fcc3ebd22f2401b3047f454a518e73a12569dd

SHA512
e53b4e702ba04350d3c5f4c3780394b53360100b67f9856831a49235d1561cb864616823be3308911629416a5e69d88f2c3fdff8907547a9d821714e1eb94386

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pgkl3qz1.sw4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe

Filesize
13.1MB

MD5
da0750733bf36c61222eefaba4805dcb

SHA1
304e90d123300e646b768f1f358e59ba506b7dce

SHA256
c9ff8f05cdde137cb0e1e386184a42d4889988c4cfd235fd3340fe545f5e06ac

SHA512
f9a8e89f294257f785388e237a6da1f363f8d78af7c9b473d67261b99526224eb84598eacbba17f01a9f2eb2f6fea0740f7e37df92891df8fa39a33820287454

Download Submit
memory/1092-67-0x0000027C26430000-0x0000027C26452000-memory.dmp

Filesize
136KB

Download
memory/2092-137-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

Filesize
10.8MB

Download
memory/2092-23-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

Filesize
10.8MB

Download
memory/2092-161-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

Filesize
10.8MB

Download
memory/2092-24-0x0000000000790000-0x00000000007A4000-memory.dmp

Filesize
80KB

Download
memory/3124-193-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-228-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-162-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-236-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-180-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-181-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-182-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-233-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-200-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-230-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-224-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-229-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-227-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3124-140-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/4412-1-0x0000000000CC0000-0x0000000001142000-memory.dmp

Filesize
4.5MB

Download
memory/4412-2-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

Filesize
10.8MB

Download
memory/4412-0-0x00007FFB34543000-0x00007FFB34545000-memory.dmp

Filesize
8KB

Download
memory/4412-22-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

Filesize
10.8MB

Download