Resubmissions
01-05-2024 04:51
240501-fhbe7sgc8w 101-05-2024 04:43
240501-fch8vsga9z 1001-05-2024 04:43
240501-fcbh1sac65 401-05-2024 04:42
240501-fb44yaga8s 101-05-2024 04:42
240501-fbt9qsac53 401-05-2024 04:41
240501-fbf24sga6x 101-05-2024 04:40
240501-fahjjsga4s 401-05-2024 04:38
240501-e9jp8aga2s 401-05-2024 04:34
240501-e67ymsfh4y 10Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
01-05-2024 04:34
General
-
Target
https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-
Malware Config
Extracted
asyncrat
1.0.7
def
37.18.62.18:8060
era2312swe12-1213rsgdkms23
-
delay
1
-
install
true
-
install_file
CCXProcess.exe
-
install_folder
%Temp%
Extracted
toxiceye
https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
ToxicEye
ToxicEye is a trojan written in C#.
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc45b63cb8,0x7ffc45b63cc8,0x7ffc45b63cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1528 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9643568421799349934,12393918192678968634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1644 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"1⤵
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp77FA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp77FA.tmp.bat3⤵
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 3664"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind ":"4⤵
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
-
C:\Users\Static\wsappx.exe"wsappx.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"1⤵
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DisAsClaimer.exe.logFilesize
3KB
MD5cf355a48aab33e6555453f79e17ea4c6
SHA1c82bfb8c743023b3f3b65f06f3def4000c0c5cb8
SHA25608b60202b6afb3c2b8d72f1623616281e653297a492637f9593faa7e06a8649b
SHA512d6c48f34736188fd73de18ebb0eacc0ad4b0bde2d507dfe47ec6bde18c60866ac58572c68ef4fb8460ddbc5da941c3b2852ee710d241e6a60b42b9752ca052eb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XHVNC.exe.logFilesize
1KB
MD583a6d67cad74bdf09fae0d831ae8c960
SHA16a784572026f0de970906f8969efa4347906eb5b
SHA256110f043b9baa721e31452d1e110139db110e0305b2cc2692be2cf518ed2d102d
SHA512848eb3e95aa8b26c46a04fc39b836ba04a4d84b3b79e8190d4dcfe613cab3975a9104d6ca58edbd4ab38593b758c34035c8162bd76fd25e9ad147aa53c1edeec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\377e6d55-6c4f-487b-b395-ef6d847af836.tmpFilesize
11KB
MD5e6f733f94dfc90c9afe1f99357f8d4f8
SHA1f9a639ee10fb0c9d5cc5fce4aa80d84bf3d42400
SHA2560a0d286b1573ecc036d88df84a4e6e2d1b3d7c91100848cd459542e5a0d7ec90
SHA512d09fe756cb4503a120053f95ec211e38efbe6e6f5d17495977862916e91eead958f2dde8fdfb8efeac8b76a5db88e247af0177ab9bc71718d132f9e2a6d44ff8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50354ef8afd53bc4c27ab99144970a9c9
SHA17105316ebb6a50dc71cc5402c64bba847a7c95ae
SHA256acef151efdca7eef151e0cc9e45d5945737c4ab7cd8493e3dd9acb49d8df6020
SHA512af6d8f1010ab8181c6cbe4c64a0d72c20ddfc56257cb862570c410546ddc52d2f1a67e58b93e7548573091b0e7173f230868c28bc6ed0abb8116f850f7122893
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50f25425fcda7474bc74cf6b914ce2262
SHA1541620b08eedb97ada0840960b2c59391ba9a530
SHA256b170ac8e893bcbc87746d28c5068393019160b9f798db01d364812cac69f1cbe
SHA512f4c7257d8729f6d6338872ca36ed128349944c9efe8989dee267230e5ebae8675a3fba3ac3038a88d5b70977b767eee0c2423481c526ade354fb335592d80b7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5907aa94de9ef103e139647a106ee5dd9
SHA1f34198212fb4389b4a2f6c94d6a3bbc344c8aa45
SHA25618d521440c9c62f55d3d7b3a3cd9cc79a8b61767a76a56ee4dfe094775c3aae7
SHA512e6c1a090253400e6cd16452c85320da14a191a7e3d792b07d91cf315b03e1513aa287227069c50cef108149fa561a8da4cd6f6f8281da3ddc21b078bc12ee3a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
573B
MD537baf21f6884d62dd3fae3bcac0e3f54
SHA186387f81e0e639f4b89ac148a2611dbe17c692e5
SHA256fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be
SHA51213d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e6d402dc68a4067a88f9ecd2c144d1a0
SHA191c7f154e14a388128fd07850b4efc90a9a03683
SHA2569c72afc72f0054dc254a6944af61f1aa69d3722a2e34d0248084cc26542e9d8d
SHA512a50bea969982e18e5488d0c24c7572917d4013ac02d6b4da7b4b48d5b49330771720cd48fbf36c10cf89d4654198e49e1849847ff8465c3b128951522c1c3859
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD55726dd87b318523d273886e66a420667
SHA133280345fe002a3169c36ea94dbd3b11fddb0bf8
SHA2562440f4b308da7ff4ea6d089f6a5eeafde3e2a5d9d7f84244d50844011e9efe20
SHA5124ae9ed1911735803b9e039d1ab0c957ef1e6c4317f16c88cbd8f898220855d88864427e64a3cf3adaf0cdeb58e4871392b01d77a6f0512e88840cec3f9423b47
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5666472088acbeaafd8d7ff1c3b4dd047
SHA1483b79f30d127b505ab8c753f1906babc1eb422d
SHA2568a22b1c81b2c863d94246b84a2d4a522968a6b25d287a6ae0f88014be4cb4dc6
SHA5126ea1bb8f476bc7b8b9823cb6064246d209a606a1ad9f70bb54f5190b2610b6bb7a5fef5252d138afa38562eb52c0034c2c1b995af08c4e70da6a6d2e1b4e926d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d3b20dde0071a036a566c1d9ebbc9ac8
SHA14f2dddaa31571ac852560b4f1c814b418ccfc387
SHA256461c3dbdf519f470d445645908897f0d99891b0b8d91921e6ddf24548c0301b4
SHA512a35c92023037c78ecec82ec754ec605ffd480d636fec1a411a5004c65608f3a2fcd8e74800d8a637987b2fc25c9f1bf3ac49148ac5295d7a34e78cd26f17bd75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59986e.TMPFilesize
1KB
MD5d21b29f9a7b1f14a90d2820b58bf5da3
SHA185afeebfcdd142947b73f67964a0d3a5cdb54b86
SHA25687eb3636dd75fc6c44439675230b40aa0fec00c31e4b281afc91ae350a37107d
SHA512d091165b1dbc610df63ca8b85f7c82b835884a7d0f93f4d2b57e148ff1fce2dd4a895efc85bf469a5e541647774546c155e27838d063e664cef2a80eccffa861
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5510ded8e3f93e6402a71d103cd282205
SHA16e0735d59de1c158eac117d8d9152ae2ade382e5
SHA25650dc2f8404a7dae52da5fcbfe6ebc1819840b95aa586d1028de5d5fb8c6da7d9
SHA512e9ff825516f8411a0e4c9a2c86d83b97cb583b530a4190a8ab6bfb0a468c9b2bea27870bf83ab2eefb97ad7789be5483e1e304915ce549ec27069fc6f2bc2f48
-
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dllFilesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxakdobg.lqx.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\sysfile32.exeFilesize
52KB
MD50c2d61d64f4325ca752202e5bf792e9e
SHA1e7655910a124dd10beb774a693f7caccf849b438
SHA256d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1
SHA5121205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46
-
C:\Users\Admin\AppData\Local\Temp\tmp77FA.tmp.batFilesize
195B
MD588e0c12ab565c73777b89ed3bc3acb46
SHA1a9c5e204f263a567bfe7a8f59a940099e7871879
SHA256ecd4b3840e37a296cfa8ff5527bf58b49b9b24e6e015e765af499c4e5139fa16
SHA512fe4d9872daf7656045c62058e82e4deee169a0e51864dac59187ef5596ca1c62c48911f7a81056f3589a81070bf8f1687394d6c26a355bfb3784584bd572b109
-
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exeFilesize
793KB
MD5835d21dc5baa96f1ce1bf6b66d92d637
SHA1e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zipFilesize
5.0MB
MD5ed997c518b1affa39a5db6d5e1e38874
SHA1d0355de864604e0ba04d4d79753ee926b197f9cf
SHA2568a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556
SHA51250699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_880_WQBZLDJNXHJYUWOOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2480-250-0x0000000000020000-0x000000000020A000-memory.dmpFilesize
1.9MB
-
memory/2480-251-0x00000000052D0000-0x0000000005876000-memory.dmpFilesize
5.6MB
-
memory/2480-256-0x0000000005E70000-0x0000000006094000-memory.dmpFilesize
2.1MB
-
memory/2480-254-0x0000000004C90000-0x0000000004CF6000-memory.dmpFilesize
408KB
-
memory/2480-264-0x0000000073510000-0x000000007359A000-memory.dmpFilesize
552KB
-
memory/2480-253-0x0000000004DC0000-0x0000000004E5C000-memory.dmpFilesize
624KB
-
memory/2480-255-0x0000000005AE0000-0x0000000005AEA000-memory.dmpFilesize
40KB
-
memory/2480-252-0x0000000004D20000-0x0000000004DB2000-memory.dmpFilesize
584KB
-
memory/2540-227-0x0000000000550000-0x0000000000558000-memory.dmpFilesize
32KB
-
memory/2668-249-0x0000000000B10000-0x0000000000B22000-memory.dmpFilesize
72KB
-
memory/3664-293-0x0000025B97060000-0x0000025B9712C000-memory.dmpFilesize
816KB
-
memory/4568-294-0x0000021F3AE00000-0x0000021F3AE0A000-memory.dmpFilesize
40KB
-
memory/4568-292-0x0000021F3AD90000-0x0000021F3ADB0000-memory.dmpFilesize
128KB
-
memory/4568-280-0x0000021F38C50000-0x0000021F38F8E000-memory.dmpFilesize
3.2MB
-
memory/4812-329-0x00000000735B0000-0x000000007363A000-memory.dmpFilesize
552KB
-
memory/4956-208-0x0000000001910000-0x0000000001932000-memory.dmpFilesize
136KB
-
memory/4956-199-0x0000000000EF0000-0x0000000000EF8000-memory.dmpFilesize
32KB