Analysis

  • max time kernel
    237s
  • max time network
    238s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-05-2024 04:53

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/0x77ff/Byte-Stealer

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/0x77ff/Byte-Stealer
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1f3c46f8,0x7ffb1f3c4708,0x7ffb1f3c4718
      2⤵
      PID:4864
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      2⤵
      PID:2988
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:828
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
      2⤵
      PID:4432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      2⤵
      PID:2984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      2⤵
      PID:3536
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
      2⤵
      PID:3388
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1628
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      2⤵
      PID:2148
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
      2⤵
      PID:3096
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5456 /prefetch:8
      2⤵
      PID:4648
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      2⤵
      PID:5008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3200
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
      2⤵
      PID:3908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
      2⤵
      PID:640
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5884 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1676
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
      2⤵
      PID:3772
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1696 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4032
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:640
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4248
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4496
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\" -spe -an -ai#7zMap19918:98:7zEvent4848
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2688
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\FormatUnpublish.js"
    1⤵
    PID:3612
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\buildExe.bat" "
    1⤵
    PID:3024
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2092
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\Logger.py
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:5052
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:208
  • C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe
    "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3540
  • C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe
    "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3624
    • C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
      "C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1324
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat
        3⤵
        PID:1776
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 3060"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4804
        • C:\Windows\system32\find.exe
          find ":"
          4⤵
          PID:4836
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2540
        • C:\Users\Static\Update.exe
          "Update.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4168
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
            5⤵
            • Creates scheduled task(s)
            PID:1136
    • C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
      "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4664
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution: Scheduled Task/Job (1) T1053
  • Persistence: Scheduled Task/Job (1) T1053
  • Privilege Escalation: Scheduled Task/Job (1) T1053
  • Discovery: Query Registry (4) T1012
  • Discovery: System Information Discovery (4) T1082
  • Discovery: Process Discovery (1) T1057
  • Command and Control: Web Service (1) T1102


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 2daa93382bba07cbc40af372d30ec576
    SHA1: c5e709dc3e2e4df2ff841fbde3e30170e7428a94
    SHA256: 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
    SHA512: 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: ecdc2754d7d2ae862272153aa9b9ca6e
    SHA1: c19bed1c6e1c998b9fa93298639ad7961339147d
    SHA256: a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
    SHA512: cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 1KB
    MD5: 537551b0b2407b8743637c13e2ebdfb2
    SHA1: 45c03d172680454c4443bc955f83de5ebe1a3b33
    SHA256: 8c5f2321be64df26d2c0a9664cbf494d3f4ce9b7552eb1efa6903463d5bb422e
    SHA512: 50cc578688d1ec3b6d42d8711df6c54b0b667ebc779fd9f7ed54c7664f3af7a147d54f459bd3b6ddaf8f7fef58101d0c20604c2a378aeaceae6d5bf2775cb935

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 2KB
    MD5: 8607c1bbd7cf7317fc998461677b3c5b
    SHA1: 21b74399fade6dc196e25fb29bd8db62d955dc87
    SHA256: a97cf7f324214ce6e13e95fa090d8c13664ef06b216b7d83d9b784904d83674c
    SHA512: f35ad41792232ea8952381f8f6c313fd2c34e84e8b8616538361f2117ab7880892ee0e2b3852901c385b54cb2b4b8aef77d78c4e577331bc62c4cdbc2b8a2d9a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 573B
    MD5: b83fd52731b5bcb3ca5d3fdd07cd2c79
    SHA1: 3d57744a3cf0fcf5d742fd4522068d42d9a8c41f
    SHA256: 64a49262d2532e8f0260ac66aa059ba483dbf6c4979220534f7c7ea601bd170e
    SHA512: dfcf9d33bf5e3d44d0cd4cf09d660b53a94d1101f45b86d994e928f25e5e187eee068e409bd5c2bc91444a3902f5cac31df9ffb866193a3e489eb946c9f846ed

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: a428c6e1c7b3ed52f7e4a0b9463dfe55
    SHA1: e0ba66c90a2fbaa0b2306f940214eb6fdb3baf38
    SHA256: ac2beba894563d1f3195996fe15efda6fa28d3a3f31d2312ca2ee8ed17a55563
    SHA512: ab77ec8a8d346e0f8990bd019b2d7d4048cbf4b0a7487e06d2964764da228c0879235ca920ed7e0b7d8df1ee555fccd8640ca2775ecb3414e1538f9a27133e57

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: b99b5aff7e4b2a1eb478739ff551ea03
    SHA1: 7d95ed8d115950ea353f37a9dd02a84233579f32
    SHA256: 406cbe8107b4d5376a1e846930373ca731844e181442a9eb89acc6b9e5ad66ae
    SHA512: 822e6b202ed34ccce27e684da5eccce936fd535d6275a50f81abbc20596a357d73321b0672178f0b0bc353f19819180cd67ded425981d628911b6a585ef947fc

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 87d5c8ffd3d0d709e7f7e19b76ca91b0
    SHA1: 6a4d34ef7e3251d419c65f3e1bb6ed26dda2daa7
    SHA256: 92d691c26e45aa43d64bbe3e900e196529283dc91ae05c6ece3816a6925e879e
    SHA512: f131dcf0734618187c2d51a9479a2ddb374d7cfb8b2995d44a05fd8520d2ec602c31695f58d16c23ee1de5afa1796b0c2dd496b3421167c72e7b2404865c82a7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: d3c517d2ba724a9e7f6fd96fa220704e
    SHA1: 51a0d98ae53edb8aeec44ab794d4ad5d63e606f2
    SHA256: 83eb69623a1ddfad9abb9954b8e2d14eb85d4cf1981a7c555942f22e9b2145ff
    SHA512: 90832dde13ca6360ce70c91eb411e7cfa249661105632728ad1c04a52f2ceaa085a551faa982ba26e8da335d5e636f36fb9d4e4c0d6c887ea5ee62fe53bbd1a1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 372ba489f9230f663f64342b6604b2ef
    SHA1: 004933b38b908b2abb351f185bb00407eeeaabe5
    SHA256: f1c51692841e8fe57f04954655ca37419f0d6706a78f59224b039a4c9a585a40
    SHA512: 5fe84eb7a8c9948804dc68abdef67c094d784baed499f2b60c709ea0c42031973033c350bb4f19fc7c81aa0cc1f03a26d2220466395dcb9eb5b3be89cef64ff9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 05843ab5ddd5529c91b77074d53679bb
    SHA1: a5e224a478f7cf9e98e2a50b21b4ee16fd7be417
    SHA256: 032ef10839133a3297a1f96468927e92e072d87a572b055b5864709116ccd97a
    SHA512: 96d8c454b9347afeba8b39a521cc28b82f7ebd5b114f4edd5ca1238bf2f3cb18ba9d0ecdc42c5a7ec529411ea09d73f56c0c8162eb7c76448ad1ebecd250f92f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 85c8b36f4feb1c3b7d3736df77c8edb8
    SHA1: 814891f8ef8ea2bae1ded112c4c61b9567bcac30
    SHA256: 8224bbc43e170d9cc2db2c70817be01c837a6960c278aa1dcd76050ab67776db
    SHA512: 1e070cec26c41b5c9dfb120838c7e947330cda818258c41fa448c0202a597393048a544646e8faf35798ad992f388faf4733ec9a56fac6dd5fa39694e35c870f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579059.TMP
                                              Filesize

                                              1KB

                                              MD5

                                              fe333cee0a3ccc3bfca7bd2e6f45ebce

                                              SHA1

                                              59e3d7c928c73f2c77d3c5f9eeb35e9f9f5c1531

                                              SHA256

                                              0802dae252a9de197bb08f7cefa6ac67bd46b45f6ad4841a2a015146854370f1

                                              SHA512

                                              ae3f769bf035abad057ea2edce471ec244005033c7b5c06a52621b3719952a83b40856bd3afc76648df5ab937ea01464e9eb99f8f73ad9ec8c31dbfe7d68d68d

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              11KB

                                              MD5

                                              13e8a6a0d1de2fb297b9cb829ebc8e9d

                                              SHA1

                                              b633d2a123716be00a188db2eaaff00c148bc9ac

                                              SHA256

                                              280245d5314379c54f3cdf14dfdcb798db718fb14a8fbca6e18a4facd7949219

                                              SHA512

                                              3761a5515e573cf43f6987baf732999ff4cb99e796969d6fedd073903b9554185334073ede4a4060666eb2abe1ff5e7852c0245b475735d7b87ef89d75215b4f

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              12KB

                                              MD5

                                              a8d81f17d96152a14e14151d3e5b75c0

                                              SHA1

                                              630ed034fce02c28c027f802dd505abc8033d349

                                              SHA256

                                              0500538cd26a800c366e5877dc1962a2e2ea6b5a02b693f4a7e33d9a6de84aa8

                                              SHA512

                                              41df998a0fdb1b125fd58a68704dc30cfee833a86bd0734ef281eae96234551030224597d79f5eef2617726e82eb2558ff3ad45358f37740c7747d6eccc287c3

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              11KB

                                              MD5

                                              1ba0a0e873b657409f329f549dde96b2

                                              SHA1

                                              9949093a8d7d467521e2dbbb9471dbe295b8df73

                                              SHA256

                                              59a0693cbfeb0aba3f13ac69cf14039e0e3d2657440097977f006369cc96ebd7

                                              SHA512

                                              b2b4fd985c59c2c463d3ae712bc774e524ac66b99bc128545858437f74ef09cf34990fb4f68ccd65e262deab6055003f6c0cc4e39ce3f93cc1384502aff371ab

                                            • C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
                                              Filesize

                                              94KB

                                              MD5

                                              14ff402962ad21b78ae0b4c43cd1f194

                                              SHA1

                                              f8a510eb26666e875a5bdd1cadad40602763ad72

                                              SHA256

                                              fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

                                              SHA512

                                              daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

                                            • C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat
                                              Filesize

                                              195B

                                              MD5

                                              2163b0f972053758766e0033e0906c41

                                              SHA1

                                              addef9ad9234a46992bea332bba18b4ed94b8502

                                              SHA256

                                              b06d5ccafedead890e60badec65aafa0774d1a4546248af1d29818a91d4d99c2

                                              SHA512

                                              8664483dc6869702ad7ad8868dff2be8d338b6295eb18e8695d2f18d3849e2d3270267914236a9185381158a1d1a8d1e033f38d93267b7a7a2f0d4d84e2afd9a

                                            • C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
                                              Filesize

                                              127KB

                                              MD5

                                              f6f686df785d0abdc66d1f90fa508c4b

                                              SHA1

                                              75f348132001df30cbad9c7cae2e2072fcaca38e

                                              SHA256

                                              61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

                                              SHA512

                                              7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

                                            • C:\Users\Admin\Downloads\Byte-Stealer-1.3.1.zip
                                              Filesize

                                              733KB

                                              MD5

                                              0904c967075086e1879eaf3c4fb88579

                                              SHA1

                                              d61c3717644820c986c9f268377db1044e0da655

                                              SHA256

                                              97edea8bc010bdce4a0d3a732e16bf1390fcfeba1845f87610927eeda2a4d5f6

                                              SHA512

                                              6e65c9babc221f0c1acaaf031e2918efa07c7956d4ba9e4265f1cfe4273d04dbadc2718be4a82991b3a67fcb65e8ecf1e758b7efb77d4a8878908357b8741a12

                                            • C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\Logger.py
                                              Filesize

                                              32KB

                                              MD5

                                              2c6958c6eae0d304d6e0c6589d994aea

                                              SHA1

                                              c9d402a572fe0efeef6788c9769111cd097b4adc

                                              SHA256

                                              9ec46a55c9cf3dd5cbb4b720c8880261dc79c62f61e5e9c328a846b27b07a012

                                              SHA512

                                              e6e642936e2d5fb73fb834c0e71ef5b889e559f6b3c91e55acf1b3f4c3eb5eff2b2273c34c089f6affb44b3d65dd2388d0b6ba3d6a6ced0d6fe5056462e20ea4

                                            • C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\buildExe.bat
                                              Filesize

                                              485B

                                              MD5

                                              cf8fe53bb0caa1560661a15691814a4d

                                              SHA1

                                              bd434b814986605929630d7ab3cd35fc840f3623

                                              SHA256

                                              5c2266b0eb1735a2f1be564cb89e43f1a1df75add6c2195ef9ab38dffc64d34b

                                              SHA512

                                              102e2636a76a61c2e54c671327ecc79c79867be4b159362c6f7597940c2a75f377b834edc7baec16e511d8e41e947f2b8c494d2afade1b7ca3e1180d294a8966

                                            • C:\Users\Admin\Downloads\XWorm-RAT-main.zip
                                              Filesize

                                              33.7MB

                                              MD5

                                              3c583f36fdd166613ec8b5f81597e5e9

                                              SHA1

                                              f3e9cbfb5749212f2d54f36b391b7d03bdd303a9

                                              SHA256

                                              8f71cc2fc5fd1b3e16377f0ca36067467280f6a63f7924f3fad273717c1f505e

                                              SHA512

                                              072931cc7b3812d7681c879169b0ba0a1981e0c23d3549e223e29331a24c4ec5249964d2c636ec07b0ba2c3e3c81c236e0ccaf3e40d373dc2a6adc235fbcfa6b

                                            • C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
                                              Filesize

                                              6.5MB

                                              MD5

                                              a21db5b6e09c3ec82f048fd7f1c4bb3a

                                              SHA1

                                              e7ffb13176d60b79d0b3f60eaea641827f30df64

                                              SHA256

                                              67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

                                              SHA512

                                              7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

                                            • \??\pipe\LOCAL\crashpad_1396_RWJECIFTWVPBHAOI (named pipe: no Filesize was recorded and the four digests below are those of zero-length input, so they identify no content and must not be used as indicators)
                                              MD5

                                              d41d8cd98f00b204e9800998ecf8427e

                                              SHA1

                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                              SHA256

                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                              SHA512

                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                            • memory/3060-514-0x00000213593B0000-0x00000213593D6000-memory.dmp
                                              Filesize

                                              152KB

                                            • memory/3540-489-0x0000000006BE0000-0x0000000006BEA000-memory.dmp
                                              Filesize

                                              40KB

                                            • memory/3540-490-0x0000000006EA0000-0x00000000070C4000-memory.dmp
                                              Filesize

                                              2.1MB

                                            • memory/3540-488-0x0000000005D40000-0x0000000005DA6000-memory.dmp
                                              Filesize

                                              408KB

                                            • memory/3540-498-0x00000000738B0000-0x0000000073939000-memory.dmp
                                              Filesize

                                              548KB

                                            • memory/3540-487-0x0000000005CA0000-0x0000000005D3C000-memory.dmp
                                              Filesize

                                              624KB

                                            • memory/3540-484-0x0000000000FE0000-0x00000000011CA000-memory.dmp
                                              Filesize

                                              1.9MB

                                            • memory/3540-485-0x00000000061B0000-0x0000000006754000-memory.dmp
                                              Filesize

                                              5.6MB

                                            • memory/3540-486-0x0000000005C00000-0x0000000005C92000-memory.dmp
                                              Filesize

                                              584KB

                                            • memory/3624-526-0x0000025F6ECF0000-0x0000025F6ECFA000-memory.dmp
                                              Filesize

                                              40KB

                                            • memory/3624-522-0x0000025F563A0000-0x0000025F563C0000-memory.dmp
                                              Filesize

                                              128KB

                                            • memory/3624-499-0x0000025F54520000-0x0000025F5460E000-memory.dmp
                                              Filesize

                                              952KB

                                            • memory/4664-524-0x0000000000590000-0x0000000000C22000-memory.dmp
                                              Filesize

                                              6.6MB

                                            • memory/4664-525-0x00000000057F0000-0x0000000005846000-memory.dmp
                                              Filesize

                                              344KB
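The listing above is raw sandbox output; what a responder does with it is parse it, separate real indicators from noise, and match the survivors against hosts. The block below is an added example written for this page (it is not part of the sandbox report and not code from the Byte-Stealer or XWorm projects). It parses the bullet/label/value layout used above, flags entries whose digests are those of empty input (the crashpad pipe), decodes the memory-dump names, which encode the dumping process's PID, a counter, and the start and end virtual address of the region, so the printed Filesize can be checked against end minus start, builds a SHA-256 set from the remaining entries, and hashes a directory tree against that set. The sample listing is a constructed excerpt whose hash values are copied from the entries above; all function names are mine.

```python
import hashlib, os, re, tempfile

# Constructed excerpt in the listing's own layout (bullet line with the path, then a
# label line followed by its value); the values are copied from the entries above.
SAMPLE_LISTING = """\
• C:\\Users\\Admin\\AppData\\Local\\Temp\\win-xwarm-builder.exe
  Filesize
  127KB
  MD5
  f6f686df785d0abdc66d1f90fa508c4b
  SHA256
  61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f
• \\??\\pipe\\LOCAL\\crashpad_1396_RWJECIFTWVPBHAOI
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• memory/3540-484-0x0000000000FE0000-0x00000000011CA000-memory.dmp
  Filesize
  1.9MB
"""
LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# Digests of zero-length input, computed rather than hard-coded.
EMPTY_DIGESTS = {n: hashlib.new(n).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}
MEMDUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_listing(text):
    """Turn the bullet/label/value layout into {'path', 'fields'} records; blanks are skipped."""
    artifacts, current, pending = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip(), "fields": {}}
            artifacts.append(current)
            pending = None
        elif line in LABELS:
            pending = line
        elif current is not None and pending is not None:
            current["fields"][pending] = line
            pending = None
    return artifacts


def is_empty_digest(artifact):
    """True when every digest present is that of empty input: the sandbox read zero
    bytes (a named pipe, say), so the hashes identify no content and are not indicators."""
    digests = {k.lower(): v.lower() for k, v in artifact["fields"].items() if k != "Filesize"}
    return bool(digests) and all(EMPTY_DIGESTS[k] == v for k, v in digests.items())


def format_size(nbytes):
    """Render bytes the way the listing does: whole B or KB below 1 MiB, one-decimal MB above."""
    if nbytes < 1024:
        return f"{nbytes}B"
    if nbytes < 1024 ** 2:
        return f"{round(nbytes / 1024)}KB"
    return f"{nbytes / 1024 ** 2:.1f}MB"


def parse_memory_dump(path):
    """memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp -> dict, or None for other paths."""
    m = MEMDUMP_RE.fullmatch(path)
    if not m:
        return None
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end,
            "size": end - start, "below_4gb": end <= 2 ** 32}


def indicators(artifacts):
    """SHA-256 values worth matching on: skip memory dumps and empty-input digests."""
    return {a["fields"]["SHA256"].lower() for a in artifacts
            if "SHA256" in a["fields"] and not is_empty_digest(a)
            and parse_memory_dump(a["path"]) is None}


def scan_tree(root, sha256_set):
    """Hash every regular file under root; return paths whose SHA-256 is in sha256_set."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full, h = os.path.join(dirpath, name), hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            if h.hexdigest() in sha256_set:
                hits.append(full)
    return sorted(hits)


def demo_scan():
    """Run scan_tree over a constructed directory: one file whose digest is the indicator,
    one that is not. Returns the base names of the matches."""
    payload = b"constructed stand-in, not the real dropped binary\n"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "dropped.bin"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        return [os.path.basename(p) for p in scan_tree(tmp, {hashlib.sha256(payload).hexdigest()})]
```

Two checks from this listing are worth recording. Every one of the fourteen memory dumps above has a Filesize equal to its end-minus-start range (for example 0x11CA000 - 0xFE0000 = 0x1EA000 bytes, which renders as 1.9MB), and the ranges for PIDs 3540 and 4664 all lie below 4 GB while those for 3060 and 3624 do not, which is what you would expect for 32-bit and 64-bit processes respectively. When choosing which SHA-256 values to hunt on, prefer the dropped binaries and scripts (win-xwarm-builder.exe, xwarm-rat-builder.exe, tmpBA58.tmp.bat, the two archives): the Edge Preferences, TransportSecurity, Local State and data_reduction_proxy_leveldb files are ordinary browser profile state that changes on every run, and AgileDotNetRT.dll is the Agile.NET obfuscator's runtime, so its hash identifies the obfuscator rather than this sample.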