xworm | 0f278718311cb0b48b2823ebf1148dcd904f6c31f70b73dc5ae6e26e2341b156

Analysis

max time kernel
134s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

castle.gz
Size

337B
MD5

fa2698c00eafba8de01b887a8fdf44eb
SHA1

cd2595cbfec9e3d096d0db191ed4769d8b830497
SHA256

0f278718311cb0b48b2823ebf1148dcd904f6c31f70b73dc5ae6e26e2341b156
SHA512

81ed86476f45798531610cf2f4c70b1cb850a7ba8a63eb1a67e437e173ab6b68b369e7ef8b5508dca40b48d47a6e4e4ec3c0e062b46d540f06739e54e0825104

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

glitchfoda.ddns.net:1234

Mutex

52v4amqz5lLtQorX

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d25-534.dat	family_xworm
behavioral1/memory/3884-546-0x00000000001A0000-0x00000000001AE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3884	XClient.exe
4908	XClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133777176168899752"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3620	chrome.exe
3620	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4456	7zFM.exe
Token: 35	4456	7zFM.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4456	7zFM.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4844	3620	chrome.exe	87
PID 3620 wrote to memory of 4844	3620	chrome.exe	87
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 4236	3620	chrome.exe	88
PID 3620 wrote to memory of 5064	3620	chrome.exe	89
PID 3620 wrote to memory of 5064	3620	chrome.exe	89
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90
PID 3620 wrote to memory of 4164	3620	chrome.exe	90

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\castle.gz"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa36f1cc40,0x7ffa36f1cc4c,0x7ffa36f1cc58
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4080,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5436,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4752,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:2
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5496,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3520,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5608,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3596,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3312,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5524,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5256,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5688,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5716,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5652,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5724,i,727295984262603404,6587490118530807891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:1664
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Executes dropped EXE
  PID:3884

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3592

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Executes dropped EXE
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a1ebc0dd46502ab9b8f984b8242345e6

SHA1
d2bdd7ed3ce55a22cdb93dcdc6bf2f44122af529

SHA256
035ff48ec82ef7c74b33523a63788966d6c62fda9d263433b36141e9d5e31fe5

SHA512
cfe8713ec8fd82278301a669b510c5779d9df6d7d7ae66a2ea010b759fc7868432f1bb95083b908b8a586ac4604e9a7433326fbd5b5914fe49e921e781e159b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
effd52d237988d8fcd6a2b0176640ffa

SHA1
c81075ca9ff243642856d3d8240657f835e0a3e1

SHA256
bb74309abc94ae800144b21eb4c866604919831ccadad7e242915edfeb7376ef

SHA512
cf9227a461cba97a9430a75849b8f098a27d4c9d6bcfd9cf9033e85e53898f58df1072ddab1784c95dfc277fbebeed50f2cd523fec903ff2012bb3f9face1518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
73c523aeabbd54fbb9601cd38b66e30a

SHA1
55455850edfd66dc2d323cad5e27f9c074b82f71

SHA256
5af45da283307b019448540a6f5a3868b6802afcf9d25f6a2619d1bb5c0d6ce1

SHA512
3a3e55f21fba1f27eb0b2596ea43662faa000a85975fa61b4d2db812c3cb166bd744dcb0e9a613906e05dbf8ac6fc256ca2ffd5d5fca376928012049f687b7b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
50a4cf8959e2f928e73c9a1bc9b1c78a

SHA1
5625ea2db7ffdeb57f5b282333383ae60a0fe316

SHA256
6c971593808a5248c468874e9d7f329f66b35aeafecc7375198022789ce74fab

SHA512
cb632986178935a0eaddb83674abadb9533ccb95e2b11c7bd1dbf7a8da1731eb930065943df712a33d3c6d0401f3d8c7240d0a03cbe6f384d1b91491530d355f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
7ace8c554c9271ae77fe33ff98ac56b1

SHA1
81dfb4628a6df0ab19999a9e7a7cb7c4de9318c6

SHA256
bcda81b026b9d72f88072b9b4d972a6fb77115380c7eb9cc5db4103f364d911f

SHA512
7ede6dc80a8399e664b8feb48a3bbec9eb6e7e6660529911f7d2e2e99215226dad31cfa42f60f404c459a3f93fe32159a83cdc0440ef831a11599f3c46a9e41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
56eec95619b37ee84f12ab52ec51a454

SHA1
996f621a4bc803015b3ec360f9d8db3270ee27c1

SHA256
411854d92f2e0ad78cb22acb266a2a7615e9946c7249920c8583ae5d7a7dbb47

SHA512
cd8c123d3b86801eba220959b73071040542fb3d02a4334c53ece32756a023d69c8ddf270029f6fc545d34c594f86c80a05836950e22c34cecb19a4ae39cc188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f17dd9a7222b6c9b887ce3244c5761b4

SHA1
c13d3ace352837b647c5964577f8d5788d1f4cc4

SHA256
e3a07d11a144e291740ef6d4ff679a60f7c119c10790585c999ff53ad067488c

SHA512
ca45ee3014ef0f1913943e0a855df641562e9fd1475543ccf6433d11815b7aba77bd7fc4130c148ebd108da0dbfec185df771313c735ab57ecab6afc41d86924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8aac799c411277f58137d1ba73fd0428

SHA1
b99262709a13b3b8cfef991abc18b3d240f20054

SHA256
bac3e0e43377f81f0c16c9f8ac3ef1ee954dfbdf04d5f2b8d0b4a061d167e7f8

SHA512
7ef18070a04f5bce39999f1d37cadc5cb2bb3a345902910faee03d8f1c3cefc35d9e32ba2f615948337579b288b18d934d9a322a70790eaeea6fda9b58078314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
96a5c23db366b8525848bd8c7a58f9c1

SHA1
b774689efabf5ee789f56e78da368016a2f7902d

SHA256
6210baf3277596f627d3960964bfc1c52ee310b676547591c1bfa5b135959e96

SHA512
08a6da145ee27f45bacd0d2f0cbef1a00e298ce7e193d3097592f379f728ca923859c297e99f57ae8d10c1d67f5f336d01c341d8e3feaa790868db5c3712c795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f0c1a3231e1e75237d86063f4b47becd

SHA1
c8829e8327ebc88cbe67207076d75a4e4adfd39b

SHA256
117282271e1979a9637917c80a6d9426ba2d1d941e8b16b3a2f0de114c3bdcfd

SHA512
ad2dcfe7239d8578cd938bc64b52bbb75ed5c3248c94944afd4cc6f6f659d521b060035d5ff07398404c977b1b99f05ff46921123dd5550c04328a4df6fbf23e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3591baccec76ea4ef6908e5bd30ea828

SHA1
e055d9dc9ba5cfee7cb3d6deb0b980a298780512

SHA256
240537e90bfe1347a5355f5a8ee41ed67794e4521c7e1afe2857c05c85fae1c5

SHA512
e32574a526f7704d078f2db6f5075f55d21b84cba65151d8aea2a6e659d4090a21e422182c95b4fd79b0bec67dc6ae3c74ac60028c0f0ca5b281ffdf0b10c978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
97c8235054d07fecaa5785c260001457

SHA1
73716b7ce01ae22bfe0d98edb2ec0676f250785c

SHA256
c7b266e9a8993235d65f964620d0e1284a01f65e1038c4e40a055d1d7132aca5

SHA512
80e6f0b612fabb8a2c95f9a0d6ee04e97a61693d8ac944bd7ab3436b63a7685db1ce5154e55dfeb5fe753b49b8f7f7ab5c8abed46f3ff6ac756b9e84b6237e5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
3686d1e186efe0f519de109aced59c05

SHA1
c8740f94e07726a1fc2d5268ffccfa6da83ccd27

SHA256
0a66b0995300df38b58aeb62787727d834018b01673ad3e65ed478ce140fcb39

SHA512
6ca6d255b7be0d880c2f030bf7f56eee3bc8ddfb5943ab1dd4f71d398fdbca76bb0cda641d272beab22bf1aca5ea235f2363addad02c83dde5ab69f9b86d67cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3620_1060095760\4fa9a199-1033-4463-9541-a8fe605b808e.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3620_1060095760\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
32KB

MD5
1c22f5a5b498571db4c6806e9b37158b

SHA1
461187f8283c07d7e7ec25da7393d4fc6ccc8b87

SHA256
1f4e0db0fc3fda6ac7898d707c9f9d5ebacaa61cf0b73f2d0444da106fabfb6a

SHA512
554db5ccec86daec6ac525975ab7de4bf03c753e3259c3f36c587199521abfdc7a34635cccc34efbb0a509d96abec32cff5f61064d746020f990b835d90c4d07

Download Submit
memory/3884-545-0x00007FFA32673000-0x00007FFA32675000-memory.dmp

Filesize
8KB

Download
memory/3884-546-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download