asyncrat | 8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

Analysis

max time kernel
184s
max time network
175s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe
Size

52KB
MD5

0c2d61d64f4325ca752202e5bf792e9e
SHA1

e7655910a124dd10beb774a693f7caccf849b438
SHA256

d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1
SHA512

1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46
SSDEEP

768:mqUR8bIL+Cyq+DiZtelDSN+iV08Ybygem++2O3vEgK/Jd/yVNNECVc6KN:mxIeZtKDs4zb1uBO3nkJIrqCVclN

Score

10^/10

asyncrat toxiceye def agilenet rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Executes dropped EXE 2 IoCs

Processes:

win-xworm-builder.exewsappx.exe

pid process

3828 win-xworm-builder.exe
2204 wsappx.exe
Loads dropped DLL 2 IoCs

Processes:

XHVNC.exeXHVNC.exe

pid process

2768 XHVNC.exe
1708 XHVNC.exe

pid	process
3828	win-xworm-builder.exe
2204	wsappx.exe

pid	process
2768	XHVNC.exe
1708	XHVNC.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral9/memory/2768-692-0x0000000006FC0000-0x00000000071E4000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

27 raw.githubusercontent.com

flow	ioc
27	raw.githubusercontent.com

Drops file in System32 directory 26 IoCs

Processes:

lodctr.exelodctr.exechrome.exe

description	ioc	process
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4992 3452 WerFault.exe XHVNC.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3924 schtasks.exe
4216 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4240 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2436 tasklist.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	pid_target	process	target process
4992	3452	WerFault.exe	XHVNC.exe

pid	process
3924	schtasks.exe
4216	schtasks.exe

pid	process
4240	timeout.exe

pid	process
2436	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592438441273325"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip:Zone.Identifier chrome.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exewsappx.exechrome.exe

pid process

3552 chrome.exe
3552 chrome.exe
2204 wsappx.exe
2204 wsappx.exe
2688 chrome.exe
2688 chrome.exe
2688 chrome.exe
2688 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3552 chrome.exe
3552 chrome.exe
3552 chrome.exe
3552 chrome.exe
3552 chrome.exe
3552 chrome.exe
3552 chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip:Zone.Identifier	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

MiniSearchHost.exewsappx.exeXHVNC.exeXHVNC.exe

pid process

1736 MiniSearchHost.exe
2204 wsappx.exe
2768 XHVNC.exe
2768 XHVNC.exe
1708 XHVNC.exe
1708 XHVNC.exe

pid	process
1736	MiniSearchHost.exe
2204	wsappx.exe
2768	XHVNC.exe
2768	XHVNC.exe
1708	XHVNC.exe
1708	XHVNC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3552 wrote to memory of 3936	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3936	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 4112	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 1264	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 1264	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe
PID 3552 wrote to memory of 3904	3552	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85864cc40,0x7ff85864cc4c,0x7ff85864cc58
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1752 /prefetch:2
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3076,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4292,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4364 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4720,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4728,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4876,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3356,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1364,i,12781194041721498206,14408959500029350575,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
  2⤵
  - Executes dropped EXE
  PID:3828
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB0BD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB0BD.tmp.bat
    3⤵
    PID:2028
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 3828"
      4⤵
      Enumerates processes with tasklist
      PID:2436
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4884
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4240
  - - C:\Users\Static\wsappx.exe
      "wsappx.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2204
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4216

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1544
  2⤵
  - Program crash
  PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3452 -ip 3452
1⤵
PID:4272

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
PID:1856

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:2424

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
PID:5092

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\Fixer.bat" "
1⤵
PID:4632
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\Fixer.bat"
1⤵
PID:2804
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:3820

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
PID:348

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
935f17d8a5d64f9d0bcbf99ed0b856a9

SHA1
007f7b7fb553617de95dce0b427166cd8f01a4a7

SHA256
15a3b68c2ab79668c6b3310596027a8a46a6313fef577d39552f59e1c23406a5

SHA512
25bbb9aef1d76c9ea8dcff4070bcbbce3ed3f65190d374164ae523fda04a0ad021413a75793accb1c2a4f72bfa90a0b3f41182b8647d3eb3ff241c8d25cc34b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
48KB

MD5
0c2234caae44ab13c90c9d322d937077

SHA1
94b497520fcfb38d9fc900cad88cd636e9476f87

SHA256
d8e6f62282e12c18c930a147325de25aef1633a034eaf7a3ce8de1fb8de09912

SHA512
66709f74b19499df1e06700e1c257e14a82ca4287194e4b177b3f333748d927f413c8c459a35e7e5a2f92d28410b0129f106d94e3dd85bc0dd0b986add83b18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
44KB

MD5
a4b04ba2b9a56f5911fee0c29629e53e

SHA1
939e8e65e22ae978a6b63dd1400fc6f58c5015eb

SHA256
523d8983d24e050e6e7e1f43d0caca6bd77bef38ec046d181b13bf32702fc025

SHA512
1c3357e9ecd3ac0de53d14f5d4c8d8d0aeafd30cb2e0dd6cfd1be68cca4fd4e178e79938a5ffe9a17b43e4f60f6e8e08c1054fa44160377fea740da70761c80f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
24KB

MD5
e1831f8fadccd3ffa076214089522cea

SHA1
10acd26c218ff1bbbe6ac785eab5485045f61881

SHA256
9b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac

SHA512
372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
24KB

MD5
8278023fac368f67d8b83512b48cf0f9

SHA1
cfbb90dea9e8a9df721806c7d49eff44166b2197

SHA256
1e62f0399a3c5a499b3c93622608d15d3948c3c335359bc695bf3522b03fd48d

SHA512
e04ba7a9402379c064bf5707a5fbe3e5ea6de978b1ad50d38f9b30bef47dbb761f0f8461de8cfaf7c33779dbb47fcf4df7fe387d12fbbf899f7530f6f63a340d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
59KB

MD5
063fe934b18300c766e7279114db4b67

SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd

SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e

SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
65KB

MD5
c82fbaa7e5113d3ed2902a3500ec8631

SHA1
c9b4889980899c0f2aea9ac8d0bae28b59e6add3

SHA256
4f4e25ef0961b656039ed8628951b5ff6c0a197f8866374b5937e182b12ff278

SHA512
fc3227c51b9bdcf0917b040aeaa925795e153c7a78469b7e1c87717c1664f46208e5fc3e413f93724ef0fa94aea655db55f04c5a61dda0df737c25b75393136d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
151KB

MD5
7739350f11f36ec3a07b82584b42ab38

SHA1
d97e0e76a362e5fce9c47b7b01dab53db50963d8

SHA256
d84e9971e8c344b9ff5a5968e7252270757f211f0d408e26c12693729068ed75

SHA512
2cb436985e382ec17390a1f8a7c112bdf18206c66d845934a14f9c84781200828e05c57cef5d4128a9d9b96778042ecb7ba2c031563c78ee9b8ec41accf8a537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
21KB

MD5
9ccb3e387ecf1d1c32d33a33b61db8f3

SHA1
9d6625afcaa4d6bfe223268ccf82ff32ea9532a3

SHA256
3d34b64d0099f608de0e555d46338252a99d36f2a25af7180702c9966621fa0b

SHA512
05c3d41fd4115bd66c1a938ad644424f8df93f96ae27004c800e43acbc4b23568456574ceba605ea696fb594585811fedd0f9ec547a697344479e4d7516f65f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1a164f0add0cf2f38982b4446cb4f622

SHA1
e5158408ad607e89edeae1963fbfc6e92af6263f

SHA256
74127f0c5b8c530f6ed90c9b550e979e33001ee7a8306f8962cd1d8f47b675bf

SHA512
45746bb2a5fa589549777faed85bef3372f3ce678a3952675c2f899331c16f558d528a4fb0ad8366997d1f6cee43de214fbeba5beeaf09ba7ed92714c400125c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1686df9271abe2ecdb92c23c3034b6c1

SHA1
2cb6d0071ff858598ddf824f983841c34a3ffaf8

SHA256
0d2747c008d8d57d0029719a86ccd684bf8adc3f6f7acbc686b79817d32a0641

SHA512
10253c2ba61656ea317b706499eb5a1d26e225d5d4d78740050657da20a23ee75902028a4168ea09f747d1b2f19975f45f48a0d85b3bf14cd03e7b6827e60f99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
93cb4aad74500433aee40aae8f98c506

SHA1
48805d04dc4bc02e8b7ec642f87b8ce1588e7712

SHA256
2d81c8880ba95cb80362b7e4c7f15c6dc8a64d90c8d99992b0ed307dd330d8f5

SHA512
51c27ee3906a2c8a71e2353fbeac8b3a1ed939860c4b7ea33c54ddd8205d1a03b8d5dc01119d5abf830baf1ce34a415f8ca302e52c2bb335a0f1fb23ee397ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9f26ee7e2041039e558d80a946a635bd

SHA1
5557b77933a5ee2170bf77145b468760d9e3b393

SHA256
89fd97405b4d1233437cb74338ad744e1d985158a778fca2b9d5b53dd09a9a1e

SHA512
8564d2a6f260b16544ec9fe615367e17f4a2301799f029e380c3beca262169cbdae70e23dc829cb0f8ae47603c8db2f24f7d790a3e3ae94ff0abb5a7d6ef590a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0ab79259db60f887cd2dc6af3ef7c658

SHA1
3cb6f40d6d65cf8bdb8e61f043d81547561f8724

SHA256
59d3ab417ecd99b5e5d5ea9b63a22deaa92fac3c3360adfefa66e0287046ffa2

SHA512
acf7eef53208c249e5977136539e2ce6d1e368ec72cc725ac882c15d399cfc2d5c77135aa8c79f3a702681431e738eb5c043aa84ae77505f9c0c7bd4df1d89fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b53305f8531758a7f3cd017a6b4c3a14

SHA1
135c0149e2d254098bf74e5a90b831c19dda2526

SHA256
1de377e6f6de40ddd3292e00e36a8df52e345cfe84f30f8318a218de501491e1

SHA512
ece1658ae5527172a1feaf6d5e0ed4c35e7a211b22bc59539cd9200ebb2390982eb28de5bdac2db9fa632792c1fe5e8373b4138597ab7fb6eb7ee3f8f0675a2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1d24aa4cf34f417d5e285260e30d9c13

SHA1
509f622d98114cacc18b1afe1211cc98bc7b4459

SHA256
cc946edaa2ecca9bd9f19e58facc62d0b94a4b583294e9b529c8530a8eaebe6f

SHA512
aa4d48b7502d6b6f52e95cb7b02fd6f5f44c430fb589523bb7a65830ae9da11779a711c878539c988b222d196a60e108986b6167b24ee50b3de1dfece8714e09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c295bb0c655543a191d4061e6cb0cca

SHA1
393212c333a840cfb66f9b2fe1648b2b1d7cf519

SHA256
43947835d014588c3c8f1dff39d3204990d29424d91d9bd540165be1c270ef04

SHA512
bb93e3f45e5bb3551e057688cbde4dff711f808befcafd95cc378fd084e25c3c49790761e82c20dbe2e602c229705a794fafcfb020b90389004455e32cea281a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3f3dc06227711d3f84f3a18806b09361

SHA1
575c40e5719b1a76a2803f5bd733c821528bf8df

SHA256
292f061d6fe75ddf58acd01d7986961098fdc7800de111177f1f9cf769e6d6e9

SHA512
041830e3e33c8ef9faa3d62331a478ced70e8a590720e06d9294057008b06a8e0cd931464394e54fbb4325e82ac1409d567de6e99126bae62a0a46fbaf34601e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2ab9d15f9263fd8f86226b1928db146a

SHA1
adf7dc6a710cd2253393bcfefff20e25d1143975

SHA256
ef7c93c982a04d62dc85910f663b9985fdf25ddf3cdae21e73e899ec37dff945

SHA512
12df132f8814160852cfa86b0d73cc4e0c7f6b01cabc97c3741d08336f855bab90a53a7d40b4b8eacf31fe9ea358b1f6d7452e825115552a8a98654bdcb5c0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2d11405ce7e2814b3f1c9e24fe98aea

SHA1
cb3736b3fe88a9f1221c5ff98c9231a52f37d00d

SHA256
231f6efe473ac0f88159b7db4449bb52d5208d7d445a6f78287a9777940ef11e

SHA512
c3af41f9a44b1f4425eedf9ac273a8e77c65ade2fd77485eb7ac80afce2a5629697712e3632af4b0b1d0a95f6787e290b50aa04ca1756c297517771421a5be91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f72bb439978411816a2a1a48033a3115

SHA1
6b84a6f347a298a021da49818f021602898bd4d5

SHA256
c15f339c797f56f1be43977b4af0a8f3b91d10d9e8fd55a1d10a688762c65bd9

SHA512
bb0c377e21d4dc46fec7ed2c81102ee436b77b03b6bc3d9391e9d170952c5072249b66bf6e9218928c19eb8efd30f7ef36f52ca1bf1f034f5eab26e34a61b282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
26843b4a82e12e9ba1992cac49edaafa

SHA1
216f7ae413647ab9dd49f99ccfbb5e3d20d413bb

SHA256
a0b590ce8f3bbcfc808b5d4194dc7574b7393d128e15e665521f850d1915678f

SHA512
56c9e9cb5b3dab8071eaa2e6461e33392fda87048a76d8307bdca4faabdd3fdf9b7200c8eb95f72cb7edb8c0e535f698a71303b201aaccf0becc0ede93bb02bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
363f35859dc6cd1da4d049680641d00c

SHA1
999ae7c94dbad101865c66f41267230af4892e16

SHA256
f64f79ce17e5a92da113bdca5d133307cca497ede2e87a18237f1a12021baf33

SHA512
366e6b690890036cf51b905c4598d4b96356b93a492ece0190ddcc41f98ef2e21c1d939d861a17359a67c9dbf5bdd686e3766d8fa053726ee4c317f1330f32bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7ae88353627698ce7cef5df368437d28

SHA1
4f2519487fd6336b1466f2d98b6194c68541a8ae

SHA256
47b50de1e8d7b367860109728a333b084fe81a6d0a9dc5559cdc581018ed23ef

SHA512
7b5108a850a3ea5e8736aa4791b97ffd8e0822212ee9068d4717720a359b89b86aaba7f4874c7d2a04b6a78d5b2d9e7f057774f46a01121c2cca6aaed979c6fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
de51cbc6831570ce056bdb376b2dda4a

SHA1
6dd74f76bf336b980a90682cd5347872fc0fb810

SHA256
bf8528ea4a4f2840d8a6ad839d34e7f00cb2ccbed1a0eb25552f444ab96406e2

SHA512
99b20b4998ffd92bd91c73e9c16332fbccd4c21a2c90bfb16d923666a3ff2e795e0153c3a25791ad0cfb35a8510b9f6edba6e8c3a5afdf4156a25eb5742a2064

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f28a2ebd264b7d72dc2c8598d1d5960b

SHA1
d9a9b8e5f158abe4e5e7af048fb30cb5be457d5f

SHA256
3f3e8ac85b74ae0972874c9a1fcd1f15a6474d537939a4e7075f9dd0edad5540

SHA512
d22db8cf548c0810626bd514b0cecdf51b91190fd47607989534077a2349d71fa1c2bfa942d2310ff9216314f03c3a4f19ca816931448ac7604b1bbaba5f05c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c18383b5f031dd969a140713e6b36646

SHA1
d280d4b04a3c545bbe6ef51a9b23ed8ab854f8c6

SHA256
3b6a59553bde65567e0f7f7547944ea036273868476032cdb8dffb1c60625951

SHA512
208b18fff4916b28f7d7ab50a62dcc21c1303c517b337524eaa87eb71585b6875b59d105bb7a36e5711fbbe09d093f0d8726ada87f2d390dbf760399e29d9a9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0818f99603b599b4c16351b2a8138bc6

SHA1
ce791e91946b000479e5124c86c90a2f6062dd98

SHA256
7b05713220cbfe69931c467a23f534f88ae4b8b147ec2750ff7cf57c11882636

SHA512
e59e185cb404454cc755fd145d34d4767ea2444725b1bcb098cd9f86dd7b7a3869bc52f7677cce7ccbc375997498b6cf54598fcb3c163376d1490198fee45f8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
db215143da01566e5feab696eb55f24f

SHA1
7b84b8269a20e9f3c791e151fc80850318c9b1bb

SHA256
e22bbc4756f0e2410c12414e50cfe9f7b7ac2d6bf63c11d72fee5c9f8eb53ab0

SHA512
d0bb2ff513b17300cf754b6b209e53ca6f2d0773d49e4d3b9fec1946e76fe00fa79dabe6fdc7de74e4446025055ff81e3f3577b483464d1010fb62538ccc52fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
e0056aaf76d885a2a4a3185895b47a79

SHA1
73533e29ed5dc19b31cf1fca1c1a00486d3d6c52

SHA256
3d8c2ad21ff5e5a47d3e408ec8d803d31d2d32c649cfaf61c1a91d6219ee7697

SHA512
99754f0f95b2f27369ca073c32ab448ca52978295ce766aa64595b9f9b6bca433e57e9ccf52072b73d20b9c7f6f3d05c20557e92d9e5f64f44b79ef4468a150f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
b4c4f568ee95145c0999cf6ca334c8cb

SHA1
a6a6a51085d323212738a1e013a42ac17739a950

SHA256
2fe5fe719cc417fefbeb3ef95568ea2f1cb37738772765482948ba4e7d05fca2

SHA512
b6c4d052f1daec8882b78d6d13b4197dc01a5f87cf3d0fcb0658ed34e56d1807169574bfb071d7ec6d6845b30c6682e73b0a5d2ac0c62b50f787200443494a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XHVNC.exe.log

Filesize
1KB

MD5
83a6d67cad74bdf09fae0d831ae8c960

SHA1
6a784572026f0de970906f8969efa4347906eb5b

SHA256
110f043b9baa721e31452d1e110139db110e0305b2cc2692be2cf518ed2d102d

SHA512
848eb3e95aa8b26c46a04fc39b836ba04a4d84b3b79e8190d4dcfe613cab3975a9104d6ca58edbd4ab38593b758c34035c8162bd76fd25e9ad147aa53c1edeec

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
188e513ebbdb02e7447e280fcf7c004a

SHA1
5f355f09d4d47dd56eb1b661dd84acc22538597d

SHA256
191198b73d7476d1efb0c6b961de29a5c94f718542252a50677563495bddf82e

SHA512
b7a6544550ab316ad8e6aab7028a89fe8fd5fdfae3fed5862adc0a220a48794b00be28365d94fb5d11e914e6a27b14988ffe41411961bb54e9e35878109008e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0BD.tmp.bat

Filesize
195B

MD5
f2742d833a24885382940579b5158e14

SHA1
c6892b3fcce0c6bfc6a3564e5f27fdacdeca673c

SHA256
bf94cdb9972fdf718a84f5b040dccc44192a5655423768fb3a047e7a7b09c217

SHA512
f35a0edb6af4e47d94c2b22381da186a7bd0188f1b3e35523d070ee2eb930dc2c95b0228d96553c5c64e53172c9a7d3a7b90044f46893d829aab0e9ba6e32cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe

Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip.crdownload

Filesize
5.0MB

MD5
ed997c518b1affa39a5db6d5e1e38874

SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf

SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip:Zone.Identifier

Filesize
103B

MD5
c1f0e6f57bee7bf6dda6701a3265e833

SHA1
2d6e316c4f31858844d70aa326eb16571f51a614

SHA256
f99a128172b0eca2c25d3f92ec1b202025647778017dcf1544b1e7cc8e455c82

SHA512
541b7f667bbc4de2c8341cbbfb546e9534201c1b313bb59c0eef243f9fc239c9dce8e08bd4526c191ebbf50aa9d408dfa9bc315d596ef99cab9c320f8c87484e

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
48KB

MD5
c5ab9298b0503f20e6f88fcc902563ca

SHA1
b8fb62b4e2ebad2222d882ba43d437ffec14e55c

SHA256
140abd66468171331b2fac4e032ba8ea0a762c72f25eb613616861674cdc8144

SHA512
1f13de06ec0bcc8a78faa7bd708b9563b07df620b246cf68e8d84ea797924cb4e71a1eab93bfcc55e25a6653cbc525a9dcb12dbafcc0af5a17fb0dc216d6a305

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
47KB

MD5
391168ff06e8d68c7a6f90c1ccb088be

SHA1
c3f8c12481c9d3559e8df93ade8f5bfefd271627

SHA256
7f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525

SHA512
71fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
9c127d90b405f6e4e98e60bb83285a93

SHA1
358b36827fb8dbfd9f268d7278961ae3309baaa1

SHA256
878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578

SHA512
bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
35KB

MD5
f0074f0830a8e5bbb5eb83aaf01aaaf8

SHA1
c7546c3b4a44c65ff6408b98cbef1dbeaad325ea

SHA256
20e43f2ca18d814592c92974081be138729e6e8a28219e01545671621459bef6

SHA512
4ffb5cf88693c3ae0f0b747eb770879cbdcbb9450d1911d0894fbdf16d8e2db0f1d1e59aaa2e22b88be341af94d99ab2089c1422d9bf3e427e86a9b30ef091cf

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
322KB

MD5
8e549f070ac8bb646d0c34569ad6d880

SHA1
2a9bd2f7378ef5e85831cf590d9d735e9645f49e

SHA256
b08ebaa7d8ba93702ba84a59f41c0faed94273203d353c4f3cad31530d1b3751

SHA512
10c3a012dc64fdcb5bb0d8fe03aa771b936e78092de33e029658ad18e8c4771cddb84e6057b79bf8e6e90a8f3972f4bb1cad16f3cc96c13527289f3477f5fbd5

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
312KB

MD5
78f403befbe16cd64854e55383a41c8b

SHA1
ab36bacfdfd4f8fb6d1c2ead8a1886816a47c670

SHA256
220aa10410924876965bedb27d953a5902eab5aeb1c5ca59022465e28cbfcc92

SHA512
c3df5e3feebd4d0c0ff126fbbdb4eefedb7e044ba59dc626df6eb1a1064c70b0ae145816c23d5fb651f2f209b62bd5c8e80faf89cbb6f5e93d73294fb47c8749

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
362KB

MD5
893d78f82b3994cf86b3c8c80cd7ad6a

SHA1
a68cfd50ebc35eee62c84f0fd74d20d1e0bb1476

SHA256
411b7581b0af88caa8c75409dc83ac8b521ba4d987d9347402438be16d31097c

SHA512
7f7cc32aca4f023f34e4ab7a51fbd0ca0b0ea51fde6d79b9a4322bee9b4d55800a981b2d97007ceadfa609767b7d84e9eebd8b3e92f9cb68855625a25767f42b

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
365KB

MD5
d5972cca5d434d4ca1742fe0a5ddd5d4

SHA1
a3cdc3ad50ff9ba19722f2e2cb76f95b60bd92b2

SHA256
f85cfffd1414d3e975f430a1e2f2a3b473ee8995a961dfb103fe18d5bf06e321

SHA512
2ce34cf9b868fda0852e6b0d805171fcfda00c0c6cf044bf8831e6fa2aef4933ae00a8eaf757c09d67c30ae7ab58136959351f7d04d8ba6921f51fc87378565c

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
356KB

MD5
4e277d7a9304103e3b68291044c7db6b

SHA1
b23864c76259c674ac2bc0210dab181bfc04dedf

SHA256
5dc2192236274fda886a0c0f396646f9292000ba33bd0e2061a65bc06639be16

SHA512
094477571cb17d7b19f6e81ef237c579f03c944745499b2e537d77972da89f8f4baa0825c3f79993d96116aa071bbc776a96f55cf8ab3f60698c2c4e03e36957

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
159KB

MD5
ab6f8e83a55fadfc107060ed8311e0a4

SHA1
55a39474b14b6600543080268d41e8732ba0edad

SHA256
8647f007d314a30ae0760a8b70c6c42b4cf0e7da321795dbf1d254377a70ff18

SHA512
f5be5c78e9d10dd69c8b21ab4d5702a3a24e2ff4cec19ae56a9d58e6ceb9edc40e17b548373b7db5ce58b6759ef3ce361e8514c774fda9a7d988d330a7944732

Download Submit
C:\Windows\system32\perfc007.dat

Filesize
148KB

MD5
9cf07585ad876c252034a9dbd2e7e650

SHA1
470ffe5334bdce8cb077d59972df8ff9fe6ad0aa

SHA256
32f8419aefba05b9e0aae9daeefc6e9ec1ef54caf02dffd3af71e7cf398a07d0

SHA512
2a59a36f71196656425a5e63740e4771e24b07196377087f51a58161c74f3db52aef390edb0fd00fe6a775bf140221e0b069eb4bdf7af65548a52af8e30682f0

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
128KB

MD5
8a7c48fc1b15efe8b14c9ee4243925f3

SHA1
ddec17d114da81b0b5d5c85c82fa9bcd2ff0387c

SHA256
53e973b54d6fbefbfdc27cae5bba3db087163ed4d110964be527b288e9bea5e1

SHA512
b407fa4c8e2f4702cd34a4728cbda356950bb1e965532e40e07c130371fe78b7e5e098e4dd9ff04ec0926badfc8477062d0c0a3451bbd154e8868d798c640e65

Download Submit
C:\Windows\system32\perfc00A.dat

Filesize
153KB

MD5
273af02a6b6d77642b6d8c7187e881cf

SHA1
f4461cfbfa69f804ff391e0be12c9b76a58d91f5

SHA256
67f1d060fcb672c9f537bbb8a26c0b3d8bc252a0d117fba4b18b49ab4c06090d

SHA512
beac72c7486ba23d93901f92d02a12d8b1cda49496ef21b9634abfe268dc426cebd1ea22f3c15edb0f7833a2c21564f7c682ee4da94fc456bdf508d54e6d8db5

Download Submit
C:\Windows\system32\perfc00C.dat

Filesize
147KB

MD5
611063ec186975b3a5ea7596b8c2ed8b

SHA1
c4b9d7b040a7851e8f51951d1ceaeffa57568b8a

SHA256
64b3542840f58104d7a2981107fdc5f27ec5b8bb883527b0bc1596bbd46289da

SHA512
e7d4714b5df4624adc5c455d1468e35e263daeae41cf154c20ff4f425dceda8f4518e15d4868a22f21a81eec23a477774617539430e960dc47dc5e1e675c81b4

Download Submit
C:\Windows\system32\perfc010.dat

Filesize
141KB

MD5
851a937915afd7ccdc8df2a264ad46e4

SHA1
1c2dec73d102585fb728e9e3d144a868f65f52b9

SHA256
0f6568484b21d04a6d26c8ac91b02d71b95196294d600289a8e1de0914b757d8

SHA512
c9d1933701abde58d43e4aaab8a76e9d2a2e50f8a24eb1d3a39dc6970418edd8c52691160e988fa53d47daf3ab04adf6e2052f95b8784efd406b1a6691c30925

Download Submit
C:\Windows\system32\perfc011.dat

Filesize
126KB

MD5
b6226bd70b4f9492c5ed823d43ee539a

SHA1
50a2ce062b7d5cd595f45ea19f32abc4eb79bc18

SHA256
0095da980abf2476ee4fe960f2320de0a84815db52dd4cc37a99726ed7e39892

SHA512
8feb56386a55192281d041dcaef867544c90efb90dae70285e9a280b09fc2610c6b4cb2320ba763d372817ad60c4c88772a2974c7d274ab7c4fa7d91660d0959

Download Submit
C:\Windows\system32\perfh007.dat

Filesize
724KB

MD5
eb4f30e3d411dcbb7746347defda2968

SHA1
6921f1dedba9feaa0a16a70f7fed1a483c2a2c4c

SHA256
0bc669a7bb9362ac949579c8c5b41ed17a353d21c91e284533a04d965b705ebf

SHA512
b6a8a1d8d40137c28235994af777f4d2940e79a3d264acc6c33d51a75ef4b4f8c9c7af14ddd770a56a596b134689a6041b3912afb7ecb7255e13b74381832aeb

Download Submit
C:\Windows\system32\perfh009.dat

Filesize
688KB

MD5
56355de5635081ceccd59c3fc66aaeec

SHA1
f3c6842024675401f814f8cc48d4b809d2be468c

SHA256
0b3457116310def7a4ea3ecfaf09a40a02b1e555cd4ab2d1cff3926611e4fe09

SHA512
9fc746e9fa818fc2220dfac56e7c011ac815d3f1cf2788bd0b93574d73334bb3863275e91cb019b9bb8a8ff9742617ba5b8c8e5ec6f8c300fd545c9e8d50ba8e

Download Submit
C:\Windows\system32\perfh00A.dat

Filesize
771KB

MD5
b42b6ddd2879a9279253072113f241cc

SHA1
3692de39f07b709fb8f818683241c7264344b48e

SHA256
921f716952a74d94c6e5c6748fe08b545ed1a23f5e1cbc10dfa541e82b3165e4

SHA512
8fdb78f83a1062fbb61fe6444f3e796fecf80f56599726e4b57522470c79a6977e5d42e334bacc494c5aa07287f5a37f30fc6ad711a758cc42705d33498948f9

Download Submit
C:\Windows\system32\perfh00C.dat

Filesize
774KB

MD5
eef8b9aa9ce4fdebb5b66cd183d53d9d

SHA1
e74478c1325c373c52f5ee0ac4b4a071765b1508

SHA256
21252f9f02b305c8e1e2f0af5f0c15fbdea60a15752400d70e2addd3fbd06509

SHA512
f9010b3712fe14abe7972091f515b222e0dcc64a56d5e74cc7046321faba137b151acf56b4a39054eadcfc7cfcc99e5b79d4f54556ba3c9d645fd6cc6429f02b

Download Submit
C:\Windows\system32\perfh010.dat

Filesize
761KB

MD5
3489a78c5a5ae5cc04492e33aec6b342

SHA1
d73f4af1eb32333f777c5a6765b00bcc235b7dd1

SHA256
263922c9bc615174482f6dc1ee98b2491f919a2960e85dff347ebd97fe1da1e7

SHA512
cd8dc9ff0d1eade18b69b8b943b6df2cdf730192b0ae4f0ed3dc83d48d81983ee1c6c5d88d6f3dd8ab9b90b665d4965584295a8cb6b898c028696ef02b994ad0

Download Submit
C:\Windows\system32\perfh011.dat

Filesize
463KB

MD5
90f22029c5e26535f1c9e7e1884c9dec

SHA1
afef948a5e7a12e5370e8a90bfa54dc4b2c3e30f

SHA256
13371560911cce3fa43bbaa738fe9f10ad72a644885e710322d1a26a2ce1a2e7

SHA512
341f405297f4981de9ee5590893d451287872ffd80c0cde91096ec3e5dcc28c5288f9e5bef562212cb6f5d669b4a1b09c43d7f4266e5059cfc6e3769811e90c6

Download Submit
\??\pipe\crashpad_3552_EJMMGTGSDAVFDNPB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1344-0-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/1344-1-0x00007FF846EF3000-0x00007FF846EF5000-memory.dmp

Filesize
8KB

Download
memory/1344-2-0x00007FF846EF0000-0x00007FF8479B2000-memory.dmp

Filesize
10.8MB

Download
memory/1344-3-0x00007FF846EF0000-0x00007FF8479B2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-3700-0x0000000072E90000-0x0000000072F1A000-memory.dmp

Filesize
552KB

Download
memory/2768-692-0x0000000006FC0000-0x00000000071E4000-memory.dmp

Filesize
2.1MB

Download
memory/2768-700-0x0000000072DF0000-0x0000000072E7A000-memory.dmp

Filesize
552KB

Download
memory/3452-682-0x0000000006AA0000-0x0000000006AAA000-memory.dmp

Filesize
40KB

Download
memory/3452-679-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/3452-680-0x0000000005B00000-0x0000000005B9C000-memory.dmp

Filesize
624KB

Download
memory/3452-681-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3452-678-0x0000000005F70000-0x0000000006516000-memory.dmp

Filesize
5.6MB

Download
memory/3452-677-0x0000000000DA0000-0x0000000000F8A000-memory.dmp

Filesize
1.9MB

Download
memory/3828-638-0x00000254DDAD0000-0x00000254DDB9C000-memory.dmp

Filesize
816KB

Download
memory/4596-625-0x0000023760A00000-0x0000023760D3E000-memory.dmp

Filesize
3.2MB

Download
memory/4596-639-0x000002377B330000-0x000002377B33A000-memory.dmp

Filesize
40KB

Download
memory/4596-635-0x000002377B2B0000-0x000002377B2D0000-memory.dmp

Filesize
128KB

Download