asyncrat | fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

Analysis

max time kernel
860s
max time network
862s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-07-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm v5.1-5.2.7z
Size

54.5MB
MD5

76219b3556e25086fc52f8e2b93fbd0c
SHA1

066a0f875820e51a60c3552a06b7b97f8bab6bbc
SHA256

fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
SHA512

ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
SSDEEP

786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE

Score

10^/10

asyncrat toxiceye def agilenet discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Executes dropped EXE 2 IoCs

Processes:

win-xworm-builder.exewsappx.exe

pid process

1700 win-xworm-builder.exe
4556 wsappx.exe
Loads dropped DLL 1 IoCs

Processes:

XHVNC.exe

pid process

1360 XHVNC.exe

pid	process
1700	win-xworm-builder.exe
4556	wsappx.exe

pid	process
1360	XHVNC.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1360-471-0x00000000069F0000-0x0000000006C14000-memory.dmp	agile_net

Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2240 tasklist.exe

pid	process
2240	tasklist.exe

Drops file in Windows directory 4 IoCs

Processes:

SecHealthUI.exeSecHealthUI.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

XHVNC.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XHVNC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XHVNC.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5088 timeout.exe

pid	process
5088	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133668348547078739"	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1428 schtasks.exe
3252 schtasks.exe

pid	process
1428	schtasks.exe
3252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

chrome.exewsappx.exechrome.exetaskmgr.exe

pid	process
2276	chrome.exe
2276	chrome.exe
4556	wsappx.exe
4556	wsappx.exe
4556	wsappx.exe
4556	wsappx.exe
4780	chrome.exe
4780	chrome.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

XHVNC.exe

pid process

1360 XHVNC.exe

pid	process
1360	XHVNC.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
4000
4628
5060
304
4476
4108
820
4936
2300
2188
68
1080
4344
2532
3884
3840
2916
852
4700
4452
4960
3572
3480
220
2720
5112
3284
1532
5084
2260
2092
1592
516
2956
2060
4968
5036
3056
5004
2968
3164
1864
208
704
3412
3040
2136
3048
2192
396
344
4696
3788
4400
216
672
1388
620
3052
4388
2572
1004
3436
3712

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2276 chrome.exe
2276 chrome.exe
2276 chrome.exe
2276 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	3848	7zFM.exe
Token: 35	3848	7zFM.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

Processes:

chrome.exeXHVNC.exetaskmgr.exe

pid	process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
1360	XHVNC.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

OpenWith.exewsappx.exeXHVNC.exeSecHealthUI.exeSecHealthUI.exe

pid process

4348 OpenWith.exe
4556 wsappx.exe
1360 XHVNC.exe
1360 XHVNC.exe
1436 SecHealthUI.exe
360 SecHealthUI.exe

pid	process
4348	OpenWith.exe
4556	wsappx.exe
1360	XHVNC.exe
1360	XHVNC.exe
1436	SecHealthUI.exe
360	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2276 wrote to memory of 5008	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 5008	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 644	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 1676	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 1676	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 916	2276	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
1⤵
- Modifies registry class
PID:4404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1528

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc1da39758,0x7ffc1da39768,0x7ffc1da39778
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:2
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:1
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4484 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5068 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3132 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3280 --field-trial-handle=1876,i,18268295702546337399,14497597088209480237,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2744

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
  2⤵
  - Executes dropped EXE
  PID:1700
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7C7D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7C7D.tmp.bat
    3⤵
    PID:396
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 1700"
      4⤵
      Enumerates processes with tasklist
      PID:2240
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:3964
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5088
  - - C:\Users\Static\wsappx.exe
      "wsappx.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4556
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3252

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:304

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:360

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4e8b63ca14ed803ca51b43cf7679283a

SHA1
9ff1d22c51c52045c9ff179b89a0b2912303dc6f

SHA256
1fce55970fc3c3e7a001a9750c8c7e90e9ae40141075bf854d90a3a55f2fb06b

SHA512
203e21ae3533d29985f3782b39ae6cd5e7a8d736f7d41bdbad9ae1b1a45ca3aa7babe1c688d001f9bf5c27483921c8693155ce72025d66aab459276899b945cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a34a653cffd165224b1d1ea5b6a0c819

SHA1
74af0c5a26c53a95e120e9356cca639c8e351e10

SHA256
ec6a58735f12a7c27483b0ef451a4c5bb2467c2a2564df659296193b2ac642cb

SHA512
160c3b55bebdb061472b4ab287b108897d53e9273c9d3d1f186f908cc9f56ab347bd925c3246fe723898e7d178dfdda9ae182fc61307e471048576c211b470b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f4e56c6a0fcb3fd57d322bf14bde2e89

SHA1
59d9ef5782d97dfa8eecbbbf1da314e80f3b84b4

SHA256
2fe14e80af7f2fb255260ae4e45bcc921a690e6304d2e3e15f2fea6fd1252674

SHA512
a6416144b9dbfb1b462d8a1105887e5a40c7c0cbfa26a1e778bbb48ccb19397722cc88b0551d4942f2a70dcd73a6dcb4363ac91d4eb5e45f153e0b28a7f69d6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
53383952fdf1149184fbad2bd0b9fac1

SHA1
3b431f746b4521308b0567e684a1dccbd4d5a994

SHA256
4403edd2cdcda9d8d974f2704f3e6b1f35d85bbc937f62f413bc12e1be7b552a

SHA512
a38bd91389a7fe4b1acacdedcead6b5e6322c4a22cbe9f8f4af8d96aac9308accac7a0b3789feb43c99f012a1051d8b1ddef4cf4999c81b58be1130618e92300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5cead3874cdd4fcac62c0af94f4257df

SHA1
2778a8102ca9d3e3d17e7eb476cf12a5be64ff1d

SHA256
370ebf14e90e029e1d4b0c1f7523ff97acb24e02589c3c47b2da800da6486663

SHA512
4328e02e9891cdc57d572572d07c3aaefeecb10be8c4a40eeaaa26acb60ad563cc949782a49b06c4b45c44bc10ffa4867312c23dfda7d3a638426b5fce880e16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c352ba761f1d06ac6e710acff2eb0304

SHA1
01a2df1fc8d75edbde089f5c63108099f63d12c6

SHA256
bcf33d197b55ef33ac2b7fd325236c19759a186ea110168f3ba2d4ab208f72c8

SHA512
10932bc435a6441b56f7d79456e5cec43b7317c1371db120cdc752ea7dbcb653fa46c326583db4793076fff565c4556d99f71867831dc2a495908a38d1c24c4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
6e47f09bb1b3f69c874882c3f9144042

SHA1
841ffa93e1808e9c5ee3b8f723580214100c4d5d

SHA256
09507bece33f2eb8635454c94bfbf430fdc2d87215b96dd0cf744bbdd37bc6c4

SHA512
c7bb2053397a88ba79102f3ab0d9f6039d742cbeb06b1f55d7059414050d7032cb207bf50d933bb6e8d0814e634425136cd7c55d403747f5052cb06f386fe5ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
83fdf91b94bf3882d7c1ee2609096d98

SHA1
fa89df6ce72951132d4686fda45e69b9df8bb200

SHA256
01c9552bc02d0449528f382a828373e2fb0ba76641f371cef890eed83dadb7c1

SHA512
36f8459b8a5932b3fb369f940ab89f00cdfb2f404a6fa8fa0e72db5a867b41979a65f50fe135a8191a4912ec913a91abb4f64ad5c0cf9b7032cd611d4ccac513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ffd841bb15ed6bfe461bdeaba13ed264

SHA1
7eab6f692b5f7efc6b3f51001408d1bea8228486

SHA256
2ea794c902651533df9683a6c9a1bb7e79a8a1ccced578b818b057cbbe5770b6

SHA512
df560f5801abd59a35ae532e7d790ea16a2e8718e97ad96d6f436d3b948e6c1239b4707f6f1bd84c29c30d32b39531003c897d0f11ceff6354b4947afa7180aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
186545a81858683a505ef624a24bc87c

SHA1
ec2bbb44d54931dd36b9bf508316f9bd0b942d41

SHA256
7df28131ac8531836dacf031bd2033681ebfa6872306a3810ba82859c3e8345d

SHA512
a3ef44aa64fc5a322243ee271142e56e011616683ab73a4eccf648406556d2b42bcfe7131661b317bbb8ad0754e5d9d762cfc79d86e159c09f7fb983c7166790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3c353a72fab251d8de0c9872bbacaf81

SHA1
47ec75816b47c9a999607c8c5908b42399b763a2

SHA256
5e3069155a23453df5d93cc898cf2f0cc1c27c9a2b1d7a73ca3721ea2f6ca428

SHA512
274d76b310b64d18348a1bd8e413561dc5d3da5bdc10431e5072d514bc608b7fd82708d1b816c546d189263fa8d371d78263895f70eaeea059628d56486c6b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6986b6133d7f8ab4e606df53dc232f97

SHA1
169165bf233e3b8dd00ec6eb6250520a8815f410

SHA256
5169188eefa406b8575ee313ae4996d91e82649e3b2b54b41cad4c533c799366

SHA512
da4cf76d3fb37acc9380fa2725e1fb7763272ab30f256e8eff3730466575e881118387b054055f9390170c9d59a6d5adeac47a89c2d01a96b10a47ac93f5436c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
fd033ca52876adc7528884d87228b19c

SHA1
72ca20bb3ec2814639f19f07eb92b970fc3feb6f

SHA256
0899eeee05ac0d89a84182abd8a22083be76425cfd240ec81291a4ecd9cecfb0

SHA512
5cd5b2eb59b15e3e44028831644b39de36e9e122330400f11d42f9125c67b41e1ed80a5eee6e252604975b2db5d4f619b99d927ba6f072a6dd45b14b95916bad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
293KB

MD5
9abfa16c054a8653a407d7f05d2fe0e4

SHA1
e1b5b5ae1548f4f1c930f476b62f22213d799a19

SHA256
c414b20c46e5fd7181d00a177dbe4e9d1b89a69a96c70c9fb9c5eae876dddd93

SHA512
4034725ce84aa44dc806243bdb6ee3b1d49fef3f215eb3dd554ccbceab8ca715e2e18901ee718ba7ee32b78bb2e18376ce3117cdba6ac3499577b3f48f0d0d75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
33b3d3a7afbee58b57a3c150603442f6

SHA1
fdd1b7b6f4ae2e63ee9de0b21b0ddd2731a4902e

SHA256
bcf8e3bcc4e26be9aca41066ffdff60e4f7d802a7763808f82755cd66f336d71

SHA512
ee9b965efeab7305aee15222304e428fd57966cadcf9cf512b181b6fe138ffcbc1c4376701c6f3f4be826ee166a1cd6bc7aace497880df77a5056ae0bb9d7dd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
0901d921487168ba4b69032e1f3af3af

SHA1
496d8101faf9f7e21d7452346b6c5385298e9a41

SHA256
d9c84df065b68213733e288b1e11eaea7bba4eba5a61da6928545a79014f702b

SHA512
b147b0e312ddc314991dd22eb71e5d0e4b3a010cde1d0d00d90cb14758955fa91e291529d596c8ce8eaf0dffc90f050d2c2e6140ab71a7ebafb82344d783cd18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe622248.TMP

Filesize
93KB

MD5
b1b6a7e7251c082037424e35495fd734

SHA1
31d4c9f6925d3e9ae930bc2fdf794e19f9a2cc1c

SHA256
1dd3f10b6e7aef770c2e9faeb8a1455d33e483e91ec54dd00b83577511e1e934

SHA512
b83a26818523c578c61ba26d01ceac896999f2eda996c4ae3157d4010cfe6f6c9183894394ba55fcb00051dbb8c52e57f0eef73d042309fb3b71e6d0ad51ae3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.sechealthui_cw5n1h2txyewy\AC\Microsoft\Windows\4272278488\2581520266.pri

Filesize
70KB

MD5
dc37deff2947a4ec8bf9b40a3dc25c49

SHA1
422bdce2dc21c634760c8b06a60c4ebf131cc592

SHA256
00dee1b03565baf7c105f1484f27a2e04d900538c153372482fbedd8cde61d85

SHA512
bbe9730344e0f648c53d2d5c518791ce8d92c1f04e1b9646bb4feca24d5f41fae255eff57ad7c36ff1d26869ad25eede25bbd4e98a59267d41ee71f3885d9dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C7D.tmp.bat

Filesize
195B

MD5
adfcad1f884450469e148aa456e53e3b

SHA1
7da878af828c9ba4011a3178f0b49e1ef09f7364

SHA256
f860230d84d38a15390261a361a86582560131f876bacfc7bd3631b5905befa6

SHA512
6dfb7e93bb91c4f11662d00624f93e5c1b258ea742e2d248e97363128d82cd8d96c07058d5be704f1667615d13e2f77c01133ec83b6d880a4c2cad3da794cb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe

Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip.crdownload

Filesize
5.0MB

MD5
258df0481a803a54bad8a6da681b059c

SHA1
7632d5f608bf8ee5bdba4a40b3a23dee91012fd4

SHA256
aa086a05b25739860bae302f719b1213e98549da2c82da2a397f9b1e42c0bb9a

SHA512
9dbcbca17ea948e4011d9aeb4bbe14cfc72a7c050548bb8ed0197ecda78362211dcb71f77e875d83b2b845f8662b12718df8d54cd696291760e8797f1b1b3441

Download Submit
\??\pipe\crashpad_2276_ZECCBZQVMUITXLYJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/304-450-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/1120-438-0x000001A786060000-0x000001A786080000-memory.dmp

Filesize
128KB

Download
memory/1120-442-0x000001A79EA80000-0x000001A79EA8A000-memory.dmp

Filesize
40KB

Download
memory/1120-433-0x000001A783F90000-0x000001A7842CE000-memory.dmp

Filesize
3.2MB

Download
memory/1360-466-0x0000000005E90000-0x000000000638E000-memory.dmp

Filesize
5.0MB

Download
memory/1360-467-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/1360-468-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/1360-469-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/1360-470-0x00000000067B0000-0x00000000067BA000-memory.dmp

Filesize
40KB

Download
memory/1360-471-0x00000000069F0000-0x0000000006C14000-memory.dmp

Filesize
2.1MB

Download
memory/1360-465-0x0000000000F50000-0x000000000113A000-memory.dmp

Filesize
1.9MB

Download
memory/1360-479-0x0000000072A10000-0x0000000072A90000-memory.dmp

Filesize
512KB

Download
memory/1700-440-0x00000203FBBE0000-0x00000203FBCAC000-memory.dmp

Filesize
816KB

Download