xworm | 8605ee7e95cfa1e4227c4d19acf8418cd18157515efda8f8ebbb7ce6eeaa7857

Analysis

max time kernel
149s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
01/03/2025, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

67KB
MD5

b5ea7d94e5e61976ad39908ce98d3717
SHA1

23ef2cd169718cf5eb00e4a6a972888e4caff74f
SHA256

8605ee7e95cfa1e4227c4d19acf8418cd18157515efda8f8ebbb7ce6eeaa7857
SHA512

51c37b8c79f40bef577ee75c37471e358cdd3f80fea5477b33fdd3325f0320223aabdbd20ea7b481fafdb13316e2b4d566e4497255612581404662c3b4c7eb62
SSDEEP

1536:clLmeR5RsNC/70/KlTLHYd+bk81FxJRgZ6fwQOCDPnOdNL:cpPvRQu0/KlfYd+bnaQOEPnOfL

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

currently-rochester.gl.at.ply.gg:30522

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/5016-1-0x00000000006B0000-0x00000000006C8000-memory.dmp	family_xworm
behavioral1/files/0x001f00000002ae91-12.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
1424	XClient.exe
2784	XClient.exe
5048	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133853356095817926"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
5016	XClient.exe
2340	chrome.exe
2340	chrome.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe
5016	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	XClient.exe
Token: SeDebugPrivilege	5016	XClient.exe
Token: SeDebugPrivilege	1424	XClient.exe
Token: SeDebugPrivilege	2784	XClient.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeDebugPrivilege	5048	XClient.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5016	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3896	5016	XClient.exe	77
PID 5016 wrote to memory of 3896	5016	XClient.exe	77
PID 2340 wrote to memory of 428	2340	chrome.exe	85
PID 2340 wrote to memory of 428	2340	chrome.exe	85
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 1772	2340	chrome.exe	86
PID 2340 wrote to memory of 3456	2340	chrome.exe	87
PID 2340 wrote to memory of 3456	2340	chrome.exe	87
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88
PID 2340 wrote to memory of 1076	2340	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3896

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb5826cc40,0x7ffb5826cc4c,0x7ffb5826cc58
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4452,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5028,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4504,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4656,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5168 /prefetch:2
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5296,i,73828918501534370,1918403563902865653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2556

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2076

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
84d0d8507f21d1e7b71c6f937aa3eb33

SHA1
6fa7a83e11b74c336537685790ca8dd8687f176d

SHA256
88eb0f8f96abe0da8b304b3e56729dfcf81c2ce335c1466da266ef0dbe7f119e

SHA512
ea70b2b3a0e9022c9480f980a9dc8287ece650bd6d8c4f0e9fc623ea2c18cb00b32c81df03ee84743ae56d523b633f468610b721953e6ae4be8cd5e5fbe3d206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
376308c9efd25dcf0d3cdeed1b1422c8

SHA1
f8d75325f0af01a153af3d587b1c5651afb7e97b

SHA256
458f71ad679fe2537f69abd68186742423786a8b6f72a9c64c9edc6027acefaa

SHA512
73b0a86bda1450bb82a7f7c15e20bd9d2301c523dd8ec4462b1f8105abe377418efa2ae417b93bf17810c46b25cc3a5ca4002968347b3a0268e03bd014bfcca4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
76674801c1c22f800dc52f1beaa4d9f0

SHA1
c7a0541ae6141a9ca32122151b2a8422347c8207

SHA256
3333f21b6ffffdd0fa291f15d501cdc1fed80cd5d6d3c66d454860e3f778ab3d

SHA512
c426d0dde99d37600138fa03c43f91c0dda3085a9deea4b3e3695f3b80f4bc1fae2ccd7099a87bfadbb26596c1adb0bb927b253950f5681dac20441a5bee80de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a7184f82650ba178ec27c176afbb93b

SHA1
71f95da5b0f8ac7bbd2fa8cb37ef0a45b09b6b13

SHA256
6adebb3ecb5cd113748b5f0edbfe6e5461a1d83aba17d92af716708e1e2bf568

SHA512
d701318be2cbc280566896aa793f083ec1392c2507af567c97d694def65edc83fd2bd6cbaec4f617d34f5b6a286fcd5d75db89bbe888bf285b8f2c6f1c1e51f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7ea83c6e924d222237226bc6bdb4a4b5

SHA1
1533bca16661bc78f56193a7d5b02a6e42169d9d

SHA256
94143306146c704ff47f54119d23044aeb033f777e94ec9aba66940a8b09c62d

SHA512
464efc62df5d5bb362cddbdc7c95f0da8b89f3b3725adc730e503f2b5d35e43bdf67ea3209c25c87cc2bebd0f4aad53d1ac930002b4ff5323f082f1b6a91b6ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
90cc5e04a00d5696697d47454a1307ca

SHA1
1030a90c68cb0f35b1f4ce1d7fca01a77a5c4fea

SHA256
88dee4139a41fe114a3b6ccc17f2f2ecf0ece79ead8af053cb4fa2939198140e

SHA512
008d5407347b7929b94770dbb21f2a2189731b7e277faf72f11e1f5647842187c3d0bde17e1d8243d8b7c690de23e9e17cf81b7c7f4cb458264708f0882c8f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2340_703826542\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2340_703826542\cf208f34-af1c-42e2-bf29-7db6feb3db98.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
67KB

MD5
b5ea7d94e5e61976ad39908ce98d3717

SHA1
23ef2cd169718cf5eb00e4a6a972888e4caff74f

SHA256
8605ee7e95cfa1e4227c4d19acf8418cd18157515efda8f8ebbb7ce6eeaa7857

SHA512
51c37b8c79f40bef577ee75c37471e358cdd3f80fea5477b33fdd3325f0320223aabdbd20ea7b481fafdb13316e2b4d566e4497255612581404662c3b4c7eb62

Download Submit
memory/1424-16-0x00007FFB5CBD0000-0x00007FFB5D692000-memory.dmp

Filesize
10.8MB

Download
memory/1424-14-0x00007FFB5CBD0000-0x00007FFB5D692000-memory.dmp

Filesize
10.8MB

Download
memory/5016-1-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/5016-11-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/5016-10-0x000000001CED0000-0x000000001D3F8000-memory.dmp

Filesize
5.2MB

Download
memory/5016-9-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/5016-8-0x00007FFB5CBD0000-0x00007FFB5D692000-memory.dmp

Filesize
10.8MB

Download
memory/5016-7-0x00007FFB5CBD3000-0x00007FFB5CBD5000-memory.dmp

Filesize
8KB

Download
memory/5016-6-0x00007FFB5CBD0000-0x00007FFB5D692000-memory.dmp

Filesize
10.8MB

Download
memory/5016-516-0x000000001B7E0000-0x000000001B890000-memory.dmp

Filesize
704KB

Download
memory/5016-0-0x00007FFB5CBD3000-0x00007FFB5CBD5000-memory.dmp

Filesize
8KB

Download