Malware Analysis Report

2024-12-01 01:35

Sample ID 241110-br1n8svrgx
Target playit-0.9.4-signed.exe
SHA256 12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906
Tags
xworm discovery execution persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906

Threat Level: Known bad

The file playit-0.9.4-signed.exe was found to be: Known bad.

Malicious Activity Summary

xworm discovery execution persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:23

Reported

2024-11-10 01:26

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000007fbec1cbbf656422821b166094a3aabf2d7f104826ea26164487a4919b3c436b000000000e8000000002000020000000433d906a81e37a8ebdd9bf482ba214ed0cfae7d27a4b76851c8afa470079868c20000000a40d4b6af0588384c8a48bd0d78553df8fa4f803e0186ca63678bd6ad5a6e18b400000006cb3411d59ccf3ec44666d91048992b0a72ccd4e6e12525c432bb57b1d310a7030391547489d80cb695323abdbfa13d4f30d845d07974d4f9b8c46253420004e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68FD2BE1-9F02-11EF-9107-E62D5E492327} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0104d400f33db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437363685" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
PID 2956 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
PID 2956 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
PID 2956 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2956 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2956 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2144 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2144 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2144 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2840 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2840 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2840 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2840 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 3016 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 3016 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2216 wrote to memory of 2448 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2448 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2448 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 2020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\XClient.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe

"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"

C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe

"C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://playit.gg/claim/05cb33ea3b

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {79A3FCE1-B55E-4DEB-9E15-7C7FE93CE862} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.playit.cloud udp
US 172.67.208.239:443 api.playit.cloud tcp
US 8.8.8.8:53 playit.gg udp
US 104.26.5.160:443 playit.gg tcp
US 104.26.5.160:443 playit.gg tcp
US 104.26.5.160:443 playit.gg tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
GB 142.250.187.227:80 c.pki.goog tcp
GB 142.250.187.227:80 c.pki.goog tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
US 147.185.221.23:24311 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 147.185.221.23:24311 tcp
US 147.185.221.23:24311 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 147.185.221.23:24311 tcp
US 147.185.221.23:24311 tcp
US 147.185.221.23:24311 tcp

Files

\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe

MD5 da0750733bf36c61222eefaba4805dcb
SHA1 304e90d123300e646b768f1f358e59ba506b7dce
SHA256 c9ff8f05cdde137cb0e1e386184a42d4889988c4cfd235fd3340fe545f5e06ac
SHA512 f9a8e89f294257f785388e237a6da1f363f8d78af7c9b473d67261b99526224eb84598eacbba17f01a9f2eb2f6fea0740f7e37df92891df8fa39a33820287454

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 f2a9ba24fda65a5e298a37965de4258f
SHA1 5c91e7c89233c45933ac106cd4d1110d293c9206
SHA256 6ea59e69f350e9f0311dfc3d58fcc3ebd22f2401b3047f454a518e73a12569dd
SHA512 e53b4e702ba04350d3c5f4c3780394b53360100b67f9856831a49235d1561cb864616823be3308911629416a5e69d88f2c3fdff8907547a9d821714e1eb94386


memory/2144-1201-0x0000000000400000-0x0000000000C1E000-memory.dmp

memory/2144-1202-0x0000000000400000-0x0000000000C1E000-memory.dmp

memory/2144-1203-0x0000000000400000-0x0000000000C1E000-memory.dmp

memory/2020-1205-0x0000000000280000-0x0000000000294000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:23

Reported

2024-11-10 01:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4412 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
PID 4412 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
PID 4412 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 4412 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3124 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4760 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe

"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"

C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe

"C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playit.gg/claim/1e8fa71aea

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb430246f8,0x7ffb43024708,0x7ffb43024718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6549154180483691753,2189160692011527866,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.playit.cloud udp
US 172.67.208.239:443 api.playit.cloud tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 239.208.67.172.in-addr.arpa udp
US 8.8.8.8:53 playit.gg udp
US 172.67.72.68:443 playit.gg tcp
US 8.8.8.8:53 68.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 200.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 216.239.34.36:443 region1.google-analytics.com udp
US 147.185.221.23:24311 tcp
US 8.8.8.8:53 23.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.23:24311 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.23:24311 tcp
US 147.185.221.23:24311 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 147.185.221.23:24311 tcp
US 147.185.221.23:24311 tcp

Files

memory/4412-0-0x00007FFB34543000-0x00007FFB34545000-memory.dmp

memory/4412-1-0x0000000000CC0000-0x0000000001142000-memory.dmp

memory/4412-2-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe

MD5 da0750733bf36c61222eefaba4805dcb
SHA1 304e90d123300e646b768f1f358e59ba506b7dce
SHA256 c9ff8f05cdde137cb0e1e386184a42d4889988c4cfd235fd3340fe545f5e06ac
SHA512 f9a8e89f294257f785388e237a6da1f363f8d78af7c9b473d67261b99526224eb84598eacbba17f01a9f2eb2f6fea0740f7e37df92891df8fa39a33820287454

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 f2a9ba24fda65a5e298a37965de4258f
SHA1 5c91e7c89233c45933ac106cd4d1110d293c9206
SHA256 6ea59e69f350e9f0311dfc3d58fcc3ebd22f2401b3047f454a518e73a12569dd
SHA512 e53b4e702ba04350d3c5f4c3780394b53360100b67f9856831a49235d1561cb864616823be3308911629416a5e69d88f2c3fdff8907547a9d821714e1eb94386

memory/4412-22-0x00007FFB34540000-0x00007FFB35001000-memory.dmp
