toxiceye | hxxps://github[.]com/0x77ff/Byte-Stealer

Analysis

max time kernel
237s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 04:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/0x77ff/Byte-Stealer

Score

10^/10

toxiceye agilenet rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.exewin-xwarm-builder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	win-xwarm-builder.exe

Executes dropped EXE 3 IoCs

Processes:

win-xwarm-builder.exexwarm-rat-builder.exeUpdate.exe

pid process

3060 win-xwarm-builder.exe
4664 xwarm-rat-builder.exe
4168 Update.exe
Loads dropped DLL 1 IoCs

Processes:

XHVNC.exe

pid process

3540 XHVNC.exe

pid	process
3060	win-xwarm-builder.exe
4664	xwarm-rat-builder.exe
4168	Update.exe

pid	process
3540	XHVNC.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3540-490-0x0000000006EA0000-0x00000000070C4000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 raw.githubusercontent.com
21 camo.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
23	raw.githubusercontent.com
21	camo.githubusercontent.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xwarm-rat-builder.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xwarm-rat-builder.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	xwarm-rat-builder.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1324 schtasks.exe
1136 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2540 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4804 tasklist.exe

pid	process
1324	schtasks.exe
1136	schtasks.exe

pid	process
2540	timeout.exe

pid	process
4804	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exexwarm-rat-builder.exeUpdate.exe

pid	process
828	msedge.exe
828	msedge.exe
1396	msedge.exe
1396	msedge.exe
1628	identity_helper.exe
1628	identity_helper.exe
3200	msedge.exe
3200	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
4032	msedge.exe
4032	msedge.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4168	Update.exe
4168	Update.exe
4168	Update.exe
4168	Update.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4664	xwarm-rat-builder.exe
4168	Update.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zG.exewin-xwarm-builder.exeWin-XwormRat-builder.exetasklist.exeUpdate.exe

description	pid	process
Token: SeRestorePrivilege	2688	7zG.exe
Token: 35	2688	7zG.exe
Token: SeSecurityPrivilege	2688	7zG.exe
Token: SeSecurityPrivilege	2688	7zG.exe
Token: SeDebugPrivilege	3060	win-xwarm-builder.exe
Token: SeDebugPrivilege	3624	Win-XwormRat-builder.exe
Token: SeDebugPrivilege	4804	tasklist.exe
Token: SeDebugPrivilege	4168	Update.exe
Token: SeDebugPrivilege	4168	Update.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

msedge.exe7zG.exeNOTEPAD.EXEXHVNC.exexwarm-rat-builder.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
2688	7zG.exe
5052	NOTEPAD.EXE
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
3540	XHVNC.exe
4664	xwarm-rat-builder.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

msedge.exexwarm-rat-builder.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
4664	xwarm-rat-builder.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

OpenWith.exeOpenWith.exeXHVNC.exeUpdate.exe

pid	process
2092	OpenWith.exe
2092	OpenWith.exe
2092	OpenWith.exe
2092	OpenWith.exe
2092	OpenWith.exe
2092	OpenWith.exe
2092	OpenWith.exe
2092	OpenWith.exe
2092	OpenWith.exe
208	OpenWith.exe
3540	XHVNC.exe
3540	XHVNC.exe
4168	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1396 wrote to memory of 4864	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4864	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2988	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 828	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 828	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4432	1396	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/0x77ff/Byte-Stealer
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1f3c46f8,0x7ffb1f3c4708,0x7ffb1f3c4718
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
2⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
2⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
2⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
2⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5884 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
2⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4496

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\" -spe -an -ai#7zMap19918:98:7zEvent4848
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\FormatUnpublish.js"
1⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\buildExe.bat" "
1⤵
PID:3024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\Logger.py
2⤵
- Suspicious use of FindShellTrayWindow
PID:5052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:208

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
"C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
3⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat
3⤵
PID:1776

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 3060"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\find.exe
find ":"
4⤵
PID:4836

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
4⤵
- Delays execution with timeout.exe
PID:2540

C:\Users\Static\Update.exe
"Update.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
5⤵
- Creates scheduled task(s)
PID:1136

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
537551b0b2407b8743637c13e2ebdfb2

SHA1
45c03d172680454c4443bc955f83de5ebe1a3b33

SHA256
8c5f2321be64df26d2c0a9664cbf494d3f4ce9b7552eb1efa6903463d5bb422e

SHA512
50cc578688d1ec3b6d42d8711df6c54b0b667ebc779fd9f7ed54c7664f3af7a147d54f459bd3b6ddaf8f7fef58101d0c20604c2a378aeaceae6d5bf2775cb935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
8607c1bbd7cf7317fc998461677b3c5b

SHA1
21b74399fade6dc196e25fb29bd8db62d955dc87

SHA256
a97cf7f324214ce6e13e95fa090d8c13664ef06b216b7d83d9b784904d83674c

SHA512
f35ad41792232ea8952381f8f6c313fd2c34e84e8b8616538361f2117ab7880892ee0e2b3852901c385b54cb2b4b8aef77d78c4e577331bc62c4cdbc2b8a2d9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
573B

MD5
b83fd52731b5bcb3ca5d3fdd07cd2c79

SHA1
3d57744a3cf0fcf5d742fd4522068d42d9a8c41f

SHA256
64a49262d2532e8f0260ac66aa059ba483dbf6c4979220534f7c7ea601bd170e

SHA512
dfcf9d33bf5e3d44d0cd4cf09d660b53a94d1101f45b86d994e928f25e5e187eee068e409bd5c2bc91444a3902f5cac31df9ffb866193a3e489eb946c9f846ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a428c6e1c7b3ed52f7e4a0b9463dfe55

SHA1
e0ba66c90a2fbaa0b2306f940214eb6fdb3baf38

SHA256
ac2beba894563d1f3195996fe15efda6fa28d3a3f31d2312ca2ee8ed17a55563

SHA512
ab77ec8a8d346e0f8990bd019b2d7d4048cbf4b0a7487e06d2964764da228c0879235ca920ed7e0b7d8df1ee555fccd8640ca2775ecb3414e1538f9a27133e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b99b5aff7e4b2a1eb478739ff551ea03

SHA1
7d95ed8d115950ea353f37a9dd02a84233579f32

SHA256
406cbe8107b4d5376a1e846930373ca731844e181442a9eb89acc6b9e5ad66ae

SHA512
822e6b202ed34ccce27e684da5eccce936fd535d6275a50f81abbc20596a357d73321b0672178f0b0bc353f19819180cd67ded425981d628911b6a585ef947fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
87d5c8ffd3d0d709e7f7e19b76ca91b0

SHA1
6a4d34ef7e3251d419c65f3e1bb6ed26dda2daa7

SHA256
92d691c26e45aa43d64bbe3e900e196529283dc91ae05c6ece3816a6925e879e

SHA512
f131dcf0734618187c2d51a9479a2ddb374d7cfb8b2995d44a05fd8520d2ec602c31695f58d16c23ee1de5afa1796b0c2dd496b3421167c72e7b2404865c82a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d3c517d2ba724a9e7f6fd96fa220704e

SHA1
51a0d98ae53edb8aeec44ab794d4ad5d63e606f2

SHA256
83eb69623a1ddfad9abb9954b8e2d14eb85d4cf1981a7c555942f22e9b2145ff

SHA512
90832dde13ca6360ce70c91eb411e7cfa249661105632728ad1c04a52f2ceaa085a551faa982ba26e8da335d5e636f36fb9d4e4c0d6c887ea5ee62fe53bbd1a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
372ba489f9230f663f64342b6604b2ef

SHA1
004933b38b908b2abb351f185bb00407eeeaabe5

SHA256
f1c51692841e8fe57f04954655ca37419f0d6706a78f59224b039a4c9a585a40

SHA512
5fe84eb7a8c9948804dc68abdef67c094d784baed499f2b60c709ea0c42031973033c350bb4f19fc7c81aa0cc1f03a26d2220466395dcb9eb5b3be89cef64ff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
05843ab5ddd5529c91b77074d53679bb

SHA1
a5e224a478f7cf9e98e2a50b21b4ee16fd7be417

SHA256
032ef10839133a3297a1f96468927e92e072d87a572b055b5864709116ccd97a

SHA512
96d8c454b9347afeba8b39a521cc28b82f7ebd5b114f4edd5ca1238bf2f3cb18ba9d0ecdc42c5a7ec529411ea09d73f56c0c8162eb7c76448ad1ebecd250f92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
85c8b36f4feb1c3b7d3736df77c8edb8

SHA1
814891f8ef8ea2bae1ded112c4c61b9567bcac30

SHA256
8224bbc43e170d9cc2db2c70817be01c837a6960c278aa1dcd76050ab67776db

SHA512
1e070cec26c41b5c9dfb120838c7e947330cda818258c41fa448c0202a597393048a544646e8faf35798ad992f388faf4733ec9a56fac6dd5fa39694e35c870f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579059.TMP
Filesize
1KB

MD5
fe333cee0a3ccc3bfca7bd2e6f45ebce

SHA1
59e3d7c928c73f2c77d3c5f9eeb35e9f9f5c1531

SHA256
0802dae252a9de197bb08f7cefa6ac67bd46b45f6ad4841a2a015146854370f1

SHA512
ae3f769bf035abad057ea2edce471ec244005033c7b5c06a52621b3719952a83b40856bd3afc76648df5ab937ea01464e9eb99f8f73ad9ec8c31dbfe7d68d68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
13e8a6a0d1de2fb297b9cb829ebc8e9d

SHA1
b633d2a123716be00a188db2eaaff00c148bc9ac

SHA256
280245d5314379c54f3cdf14dfdcb798db718fb14a8fbca6e18a4facd7949219

SHA512
3761a5515e573cf43f6987baf732999ff4cb99e796969d6fedd073903b9554185334073ede4a4060666eb2abe1ff5e7852c0245b475735d7b87ef89d75215b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a8d81f17d96152a14e14151d3e5b75c0

SHA1
630ed034fce02c28c027f802dd505abc8033d349

SHA256
0500538cd26a800c366e5877dc1962a2e2ea6b5a02b693f4a7e33d9a6de84aa8

SHA512
41df998a0fdb1b125fd58a68704dc30cfee833a86bd0734ef281eae96234551030224597d79f5eef2617726e82eb2558ff3ad45358f37740c7747d6eccc287c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1ba0a0e873b657409f329f549dde96b2

SHA1
9949093a8d7d467521e2dbbb9471dbe295b8df73

SHA256
59a0693cbfeb0aba3f13ac69cf14039e0e3d2657440097977f006369cc96ebd7

SHA512
b2b4fd985c59c2c463d3ae712bc774e524ac66b99bc128545858437f74ef09cf34990fb4f68ccd65e262deab6055003f6c0cc4e39ce3f93cc1384502aff371ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat
Filesize
195B

MD5
2163b0f972053758766e0033e0906c41

SHA1
addef9ad9234a46992bea332bba18b4ed94b8502

SHA256
b06d5ccafedead890e60badec65aafa0774d1a4546248af1d29818a91d4d99c2

SHA512
8664483dc6869702ad7ad8868dff2be8d338b6295eb18e8695d2f18d3849e2d3270267914236a9185381158a1d1a8d1e033f38d93267b7a7a2f0d4d84e2afd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
Filesize
127KB

MD5
f6f686df785d0abdc66d1f90fa508c4b

SHA1
75f348132001df30cbad9c7cae2e2072fcaca38e

SHA256
61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

SHA512
7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

Download Submit
C:\Users\Admin\Downloads\Byte-Stealer-1.3.1.zip
Filesize
733KB

MD5
0904c967075086e1879eaf3c4fb88579

SHA1
d61c3717644820c986c9f268377db1044e0da655

SHA256
97edea8bc010bdce4a0d3a732e16bf1390fcfeba1845f87610927eeda2a4d5f6

SHA512
6e65c9babc221f0c1acaaf031e2918efa07c7956d4ba9e4265f1cfe4273d04dbadc2718be4a82991b3a67fcb65e8ecf1e758b7efb77d4a8878908357b8741a12

Download Submit
C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\Logger.py
Filesize
32KB

MD5
2c6958c6eae0d304d6e0c6589d994aea

SHA1
c9d402a572fe0efeef6788c9769111cd097b4adc

SHA256
9ec46a55c9cf3dd5cbb4b720c8880261dc79c62f61e5e9c328a846b27b07a012

SHA512
e6e642936e2d5fb73fb834c0e71ef5b889e559f6b3c91e55acf1b3f4c3eb5eff2b2273c34c089f6affb44b3d65dd2388d0b6ba3d6a6ced0d6fe5056462e20ea4

Download Submit
C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\buildExe.bat
Filesize
485B

MD5
cf8fe53bb0caa1560661a15691814a4d

SHA1
bd434b814986605929630d7ab3cd35fc840f3623

SHA256
5c2266b0eb1735a2f1be564cb89e43f1a1df75add6c2195ef9ab38dffc64d34b

SHA512
102e2636a76a61c2e54c671327ecc79c79867be4b159362c6f7597940c2a75f377b834edc7baec16e511d8e41e947f2b8c494d2afade1b7ca3e1180d294a8966

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main.zip
Filesize
33.7MB

MD5
3c583f36fdd166613ec8b5f81597e5e9

SHA1
f3e9cbfb5749212f2d54f36b391b7d03bdd303a9

SHA256
8f71cc2fc5fd1b3e16377f0ca36067467280f6a63f7924f3fad273717c1f505e

SHA512
072931cc7b3812d7681c879169b0ba0a1981e0c23d3549e223e29331a24c4ec5249964d2c636ec07b0ba2c3e3c81c236e0ccaf3e40d373dc2a6adc235fbcfa6b

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
Filesize
6.5MB

MD5
a21db5b6e09c3ec82f048fd7f1c4bb3a

SHA1
e7ffb13176d60b79d0b3f60eaea641827f30df64

SHA256
67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

SHA512
7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

Download Submit
\??\pipe\LOCAL\crashpad_1396_RWJECIFTWVPBHAOI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3060-514-0x00000213593B0000-0x00000213593D6000-memory.dmp

Filesize
152KB

Download
memory/3540-489-0x0000000006BE0000-0x0000000006BEA000-memory.dmp

Filesize
40KB

Download
memory/3540-490-0x0000000006EA0000-0x00000000070C4000-memory.dmp

Filesize
2.1MB

Download
memory/3540-488-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/3540-498-0x00000000738B0000-0x0000000073939000-memory.dmp

Filesize
548KB

Download
memory/3540-487-0x0000000005CA0000-0x0000000005D3C000-memory.dmp

Filesize
624KB

Download
memory/3540-484-0x0000000000FE0000-0x00000000011CA000-memory.dmp

Filesize
1.9MB

Download
memory/3540-485-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/3540-486-0x0000000005C00000-0x0000000005C92000-memory.dmp

Filesize
584KB

Download
memory/3624-526-0x0000025F6ECF0000-0x0000025F6ECFA000-memory.dmp

Filesize
40KB

Download
memory/3624-522-0x0000025F563A0000-0x0000025F563C0000-memory.dmp

Filesize
128KB

Download
memory/3624-499-0x0000025F54520000-0x0000025F5460E000-memory.dmp

Filesize
952KB

Download
memory/4664-524-0x0000000000590000-0x0000000000C22000-memory.dmp

Filesize
6.6MB

Download
memory/4664-525-0x00000000057F0000-0x0000000005846000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads