xworm | hxxps://mega[.]nz/file/KcEEHDib#fL_iHtuAy0ybrztVhQP53dE-DgVYmkgVEd99EYZKRGA

Analysis

max time kernel
177s
max time network
171s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/KcEEHDib#fL_iHtuAy0ybrztVhQP53dE-DgVYmkgVEd99EYZKRGA

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

blood-pattern.gl.at.ply.gg:24558

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002abbc-344.dat	family_xworm
behavioral1/memory/1768-345-0x0000000000CF0000-0x0000000000D0A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4756	powershell.exe
2408	powershell.exe
3208	powershell.exe
4072	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
1768	XClient.exe
2060	security

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\security = "C:\\Users\\Admin\\AppData\\Roaming\\security"	XClient.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818813010832434"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3740	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1768	XClient.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2912	chrome.exe
2912	chrome.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
3208	powershell.exe
3208	powershell.exe
3208	powershell.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
4420	chrome.exe
4420	chrome.exe
1768	XClient.exe
1768	XClient.exe
4420	chrome.exe
4420	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: 33	3628	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3628	AUDIODG.EXE
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1768	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1692	2912	chrome.exe	79
PID 2912 wrote to memory of 1692	2912	chrome.exe	79
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 4660	2912	chrome.exe	80
PID 2912 wrote to memory of 1676	2912	chrome.exe	81
PID 2912 wrote to memory of 1676	2912	chrome.exe	81
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82
PID 2912 wrote to memory of 5060	2912	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/KcEEHDib#fL_iHtuAy0ybrztVhQP53dE-DgVYmkgVEd99EYZKRGA
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6879cc40,0x7ffc6879cc4c,0x7ffc6879cc58
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1776,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5004,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3408,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=212,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5388,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5528,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5664,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=940 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5444,i,2505773384134971793,13886183725624887095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1212

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3740

C:\Users\Admin\AppData\Roaming\security
C:\Users\Admin\AppData\Roaming\security
1⤵
- Executes dropped EXE
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
990e2214b409545d517401b85aaedb40

SHA1
99dc38853b3b9678f4c59a144140aefafb3af204

SHA256
5b8ed15793a2d87b3ef5b6d1f4c87dbe6b120386d0f528d74879de4d598a012a

SHA512
0d227892f5f3a7bda3164645da1c0aba7239321b87e39af1111fe8774e626e50a9bf872a35b07257b8e7ade4ac540d9df2b2d093a2d834fc1056b7353d5e2da2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
403473fcddb11b15e08dc68466db3023

SHA1
b5ff968a0cf629bb6bfac7ad1be7093d37ef8aa0

SHA256
260d121a48e257cc8183112bb69db3d4982057309659a88f63e06ae42d8347bd

SHA512
36311de7669464a45a452973af983a61840b03ee88df018d45c0cebe3c9a5672f81c08bbbe4c59c6a2280de9754e868c7c878724d016a806d70bed2562870a31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
808b1f04a29ca2f0a8ef4b0d6d1846b6

SHA1
c8e5aed3ca320bbb0c9e73ef7d81d5c9abb33ff5

SHA256
de2ca0d90ee3a35175ec998505574180bd7891003c8d978131bee71c2983690d

SHA512
e1414323fc5993cbc0a39ae99fe5ec6d3d4615de328680aa66f8c538563202a972d44a1088152511a17489095811e80dea604b83e258bf9513d07da26c371285

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
919f2cd2fdef9f5dcd39040c1d486e2f

SHA1
b83fb17eca42355986232c9f86843bb5f6db7641

SHA256
cc85a1b158d49fb3c0174ca2fe337b098a4015a1016092124296e2616b5516dd

SHA512
975cb0903a0826976c3341a2d39834d59f6a1efe93136b26003922a9becee6110cb4d975ccd34dff40d212975ccdc1a08cfa6a719712382bed6a648ff9dbcca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
7d2d169976ea87c2512bdaeef00d8f3c

SHA1
a67a0de4d41c65c30e149c7963bbafd2a8de2909

SHA256
9c73b9340c65521982f9b5f3f82bd8b9f5054539a135444871e939c2cecb717a

SHA512
df88361ceadc1098842c267db89aaa89dad86796dec209d49116266eac174a11e9e0f25cf3f6e4ada3ee3514bcba69d96982e33f13e805b8e635aeb14128296d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
644a8ec0569408572db178b038dd0662

SHA1
00c2810caf9659474028cc464cdfe4832fff6455

SHA256
0ca6ccc3e5d695d4d7d28ca3ba94ffae8aba883bbc797607702ae49bd61c9d71

SHA512
ba46c540f9836fe4ad9105e1e9b6f81ac9afcf74df7e748dd2cd2fb9179486213249239e192ebc61df01e28a5887a6f33ff717a02d942c59abaac3ed8ef8d615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c74d6fe5-6555-41ed-b92e-17f4dcae5a8a.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4051f36ff650c26ac8fc9c571566b896

SHA1
83b96f717d806844102c3a7ca8328dccaacfb9fe

SHA256
c92ac0ff21c5fc359269e06936614f260120a7e10f78af769d3a637b227e52ad

SHA512
00a6b6d3135a384eca29399ce99dceb8b44ee1b060ab519f8d38ad9d9f2b6383f4e1b6d1caadeeae47340a77f582e0b5918e5438ad582b2818778ef582b90522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
76f6d5311c34562fdb8a2da09ec0c4ee

SHA1
e239b960c616ac1f59334be2497451583838d121

SHA256
0e417d52807f6e59a61b69a5d8c344547f328216cbf5be95a9aa16370b69a058

SHA512
57809a463a42847d5bc3dbbd0dfdf1c20f580cadc45c91dbcecda1c90183b9c53f1fd105292ce48328ff4019649b7d2831a431b667c8a236832f11ac81d78910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d37d4658bb5b1489ce1b36e9d133f76

SHA1
2d0463e78da3c6e7fd79d51a86310d9bc2f6f2c8

SHA256
ca3234f731d31a636eb231308a64049141b2e23c7996589d616ddfee310413b3

SHA512
d5d5db0a83fa6a472e5af1216b5088a43ad37c4d19d2697ad5804db205e75c0d4fccb2e18e97c6efab2180972db3930d70aea51ca11e60207e8cf2b28ac5f899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
506eeb05a01a0bd57cc197d1c8d898bc

SHA1
2b167376a3ba8a8b96dc4a39a97a1e710e220305

SHA256
c7ff5536f7f0c29a7c342e2199024e74900d3f3fd0242cb4c04885facf4e1549

SHA512
51f7d28aff3fe0226a2df41df24ab82699ac3a0e0eb2eafb7836a1bfd9d2a767ba3031f5c34d9ef5da42192f25a5c01ee3581f45279c636e65efb13fd4f08618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dba84f2539fc21966f53e9fde9d90b28

SHA1
e725369e164e4a626628626f4370ce137e852c03

SHA256
077c32053af4d3f544438e81b92486969b684421e9f81f12506b2907c0a80164

SHA512
d91dd90c9ecf941edced7be0c57a13c039b6393417923b4198819bd6734b0eb46bb8370aaa2f973bee8cdefa65dd7f8f8593ee1c49ce0e2ec71c37a5f3a0ddc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7ef8dd12aea255f1c693c94ce9a2bd59

SHA1
b6ec43a5932b2d3ab15333a725d215899a0eef2d

SHA256
74d361856403928aa35ec03c1842303558b2f154a14e25ca76a40082dbef2f99

SHA512
5c5d169b23b6a3cf0133f01c774355e1d4abeeb60e4aac6de7f196d196714da0b1242fa9da8617e2c2d5f6ce8dfc502f7a46c38f8f356cdf78ce02464ad5bbb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0a678e69f5e33a49baecc2e1d2ec61ab

SHA1
f4804f053dc59773c8cbb1970bf759499d2f5ec1

SHA256
da7eb18bc852d66da3d7ebb4d40c302169006ecf5f1e313176ff4b5b3565b074

SHA512
42e21c693afe177a05ceed85aaaf679b61a5ac898a97868ca4c628911f8e976cfcb8dba82a666023143fb29c6265c09eeb3172d1d6157c6fb828d9721612af9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cfcec71d80702e89119558ce5afe31f3

SHA1
24b369f65bdaf0ddd2825b1dccb59f1baad28909

SHA256
bb39f888055dc82d9ce801900c02acb49cc40e764f12054fac897b173ae48448

SHA512
1b66aeb15b9f24a1b9c952ff78d24e3c52f58ba7b3c68092c25be7c0de603947fb4505e25f170b22758fa674f434d9718ec82ce40ef4b4fc9a924e6c1564b3d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ff76b5185ae4006b597b116b09edcefd

SHA1
d1e34c31e595940d659ee09abb84682ccbeee656

SHA256
0307c9c2e4fd7ad27429925654b3e50be18537c4b352027f9acb8bc6d952cbe8

SHA512
84056942e301335e0cf2b1512f7c08bd183f871c29df513066236c488f36955375732d522de8d68488457760a43a98c0cd0f29fe1b8dd8a24bd9c00aaa27cf50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dd44b669e3b9349bbfb53dc93419917e

SHA1
cdaba9db3c897fabdb313eebbedc1a4e04554110

SHA256
57e61ffb56b0c7e2451cb1dbe439bd39c07551d48b609cf8b5cea9c3bb59e07c

SHA512
ec5e51a1adbe59e1b7a5ac115cc6da79d2cb5488b821e5378997e8065a47fb011467a9ef69d3945f6cf301c8a1ba7d84fb57559f93328aae9688a26513b04270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
002ce130c0f77e7f97b8e231b258e4d6

SHA1
f1cd6a30dd8634bbabc5c496f93adcf7aa2c9fbe

SHA256
9a5a7ab226efd3961100ebb2a58f63c8ba1ddea1428d1f826a9a75dde7a3acad

SHA512
9bcdd9beae28c1c2501158feebac7e9d974739d145f009d8a5ed34e57a156f41a921cbe800695cf19656f5619c4d7105190c79212ac4faca804a344e43d6b242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17dbfa86afbd9d05a62da85e9bf6ab7d

SHA1
947da240f16ad1d6fd03cce56e981501125a9c39

SHA256
a9b3353ac4a9e4f4c9ecaab1ccf70cf49377a29123e8d06ef0074698131a0f62

SHA512
11090d59e89590f9563be8fd9397906bdd135d06ed886c2638d6c9b8ae17ab9abb9267bb5c31201fb3ba8d22612c1e7c943f2aa7543ceff62465ee5da2d1a763

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7e536e25713571675c205c92963a44c1

SHA1
87d17723e5639cb816df8e0dc521da84687e3a00

SHA256
853f98ac77458421901a0fa8da6ac7133e35d1bb3508a22eef227afd0fadc53c

SHA512
66180d9062047f4a988fc44f16765e8a0c74204750baa546fc4906d4a67b9c6fb12da9f6a6c55362e53a2abd882800ef97cf47a345e8abde3e9eb294bae2c7f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
043ff29b9c7caab4e64f2131bacfe767

SHA1
b6c5975a18f80f22ffacb45900bc38101355d1d0

SHA256
39e7dd3580be1e5b902b5dd35d5b1f63ed06deedac7baa0a343b94827801342e

SHA512
f154bd606b166ebb7e37e6f2752ec25b5adedf92ee0b077cf000bd6902c52ad1421c203170c068092959e3901485cfead6e8abca204eb9e57e9bdcfd5fc67808

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
46cbcc9337ba3e16260e11ed1b47a78a

SHA1
23dd3a742888ec611a0eeca387aaaa70f51e6a25

SHA256
91067297f61da32fd7ad1f5a0a0d0c1d30a62ccb8eda63e6d54fd63ef85cb2ce

SHA512
7f121c8d1ef2e0661e7be8e5cd855e10a487220096499fc17620c63ed411cdaef09e70a5d0096e8a88a74aa3cd6adca5d32771991f17c75fb1dc894e5824dd7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yif0fws.w4c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
78KB

MD5
f304f5522655bcc6b8cd42e8cc5257b2

SHA1
348c7528cdf90e81ed68b8539d9992da130880ec

SHA256
929680b8659e4c1c1211bfa32862fe648a37a030136f6d4e3d343531582f60a1

SHA512
f4e3131a9caed15e84032c6ff3ae5862340596c7759b52782b8816f4fd5b26335d0a48ab9ad715158dbc0a7679cecfec869453292aca23851ad569674959274c

Download Submit
C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/1768-345-0x0000000000CF0000-0x0000000000D0A000-memory.dmp

Filesize
104KB

Download
memory/2408-353-0x00000286FF870000-0x00000286FF892000-memory.dmp

Filesize
136KB

Download