xworm | hxxps://gofile[.]io/d/aVrwVf

Analysis

max time kernel
892s
max time network
893s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/03/2025, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/aVrwVf

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

KdxM82RkI3c3qnyy

Attributes

Install_directory
%AppData%
install_file
Generato_64r.exe
pastebin_url
https://pastebin.com/raw/H3wFXmEi

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000027d6c-69.dat	family_xworm
behavioral1/memory/4448-125-0x00000000004D0000-0x00000000004E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	5080	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Generato_64r.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Generato_64r.lnk	XClient.exe

Executes dropped EXE 22 IoCs

pid	Process
4448	XClient.exe
1548	XClient.exe
1876	XClient.exe
772	XClient.exe
820	Generato_64r.exe
4896	XClient.exe
4188	Generato_64r.exe
1172	Generato_64r.exe
4408	XClient.exe
4616	Generato_64r.exe
4424	Generato_64r.exe
188	Generato_64r.exe
4288	Generato_64r.exe
4256	Generato_64r.exe
620	Generato_64r.exe
4492	Generato_64r.exe
2788	Generato_64r.exe
4000	Generato_64r.exe
1136	Generato_64r.exe
648	Generato_64r.exe
3368	DARKVISION.exe
2436	Generato_64r.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Generato_64r = "C:\\Users\\Admin\\AppData\\Roaming\\Generato_64r.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
199	pastebin.com
267	pastebin.com
298	pastebin.com
82	pastebin.com
97	pastebin.com
157	pastebin.com
183	pastebin.com
275	pastebin.com
306	pastebin.com
69	pastebin.com
153	pastebin.com
355	pastebin.com
131	pastebin.com
108	pastebin.com
235	pastebin.com
249	pastebin.com
284	pastebin.com
286	pastebin.com
312	pastebin.com
147	pastebin.com
149	pastebin.com
263	pastebin.com
300	pastebin.com
205	pastebin.com
261	pastebin.com
278	pastebin.com
329	pastebin.com
99	pastebin.com
122	pastebin.com
127	pastebin.com
254	pastebin.com
259	pastebin.com
288	pastebin.com
154	pastebin.com
132	pastebin.com
186	pastebin.com
209	pastebin.com
296	pastebin.com
90	pastebin.com
96	pastebin.com
156	pastebin.com
318	pastebin.com
320	pastebin.com
324	pastebin.com
109	pastebin.com
137	pastebin.com
189	pastebin.com
317	pastebin.com
253	pastebin.com
289	pastebin.com
95	pastebin.com
119	pastebin.com
191	pastebin.com
206	pastebin.com
255	pastebin.com
309	pastebin.com
356	pastebin.com
123	pastebin.com
240	pastebin.com
257	pastebin.com
276	pastebin.com
378	pastebin.com
66	pastebin.com
269	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DARKVISION.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 15299.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
4468	msedge.exe
4468	msedge.exe
2964	identity_helper.exe
2964	identity_helper.exe
1480	msedge.exe
1480	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
5052	msedge.exe
5052	msedge.exe
3700	msedge.exe
3700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	XClient.exe
Token: SeDebugPrivilege	1548	XClient.exe
Token: SeDebugPrivilege	1876	XClient.exe
Token: SeDebugPrivilege	772	XClient.exe
Token: SeDebugPrivilege	820	Generato_64r.exe
Token: SeDebugPrivilege	4896	XClient.exe
Token: SeDebugPrivilege	4188	Generato_64r.exe
Token: SeDebugPrivilege	1172	Generato_64r.exe
Token: SeDebugPrivilege	4408	XClient.exe
Token: SeDebugPrivilege	4616	Generato_64r.exe
Token: SeDebugPrivilege	4424	Generato_64r.exe
Token: SeDebugPrivilege	188	Generato_64r.exe
Token: SeDebugPrivilege	4288	Generato_64r.exe
Token: SeDebugPrivilege	4256	Generato_64r.exe
Token: SeDebugPrivilege	620	Generato_64r.exe
Token: SeDebugPrivilege	4492	Generato_64r.exe
Token: SeDebugPrivilege	2788	Generato_64r.exe
Token: SeDebugPrivilege	4000	Generato_64r.exe
Token: SeDebugPrivilege	1136	Generato_64r.exe
Token: SeRestorePrivilege	712	7zG.exe
Token: 35	712	7zG.exe
Token: SeSecurityPrivilege	712	7zG.exe
Token: SeSecurityPrivilege	712	7zG.exe
Token: SeDebugPrivilege	648	Generato_64r.exe
Token: SeRestorePrivilege	3488	7zG.exe
Token: 35	3488	7zG.exe
Token: SeSecurityPrivilege	3488	7zG.exe
Token: SeSecurityPrivilege	3488	7zG.exe
Token: SeDebugPrivilege	2436	Generato_64r.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
712	7zG.exe
3488	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1264	4468	msedge.exe	84
PID 4468 wrote to memory of 1264	4468	msedge.exe	84
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 3776	4468	msedge.exe	85
PID 4468 wrote to memory of 5080	4468	msedge.exe	86
PID 4468 wrote to memory of 5080	4468	msedge.exe	86
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87
PID 4468 wrote to memory of 3688	4468	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/aVrwVf
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffcd81846f8,0x7ffcd8184708,0x7ffcd8184718
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:2576
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Generato_64r" /tr "C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2412
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,10357321852892374292,8753604956911503564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4960

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DarkVision Rat\" -ad -an -ai#7zMap18412:88:7zEvent31872
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:712

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DarkVision Rat\" -ad -an -ai#7zMap13994:88:7zEvent13547
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3488

C:\Users\Admin\Downloads\DarkVision Rat\DarkVision Rat\DARKVISION.exe
"C:\Users\Admin\Downloads\DarkVision Rat\DarkVision Rat\DARKVISION.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3368

C:\Users\Admin\AppData\Roaming\Generato_64r.exe
"C:\Users\Admin\AppData\Roaming\Generato_64r.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7fb0955b2f0e94f2388484f98deb88f4

SHA1
ab2363d95af3445a00981e78e6b6f0b860aade14

SHA256
a7c4cb739d577bfc41583a2dbf6e94ae41741c4529fe2d0443cd1dabefef8d15

SHA512
c9b6b6de78fb78c11b88860cd6c922d11717f5cf7477f602f197531aea114270c2b7111f66d96f60c3a9317fbf203fd26222e81d2d0eb70ad6515f5af1277edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\635ceca3-7a60-4c4b-80c0-6d3ec606d64a.tmp

Filesize
5KB

MD5
19f428c422b13df02fe73574520d1e9c

SHA1
1798352a159cd4c3185f010695d6219feb86e45f

SHA256
cb9eeccab2623c8bfc7d9362bc89cf6aa38947c46e4390ff169b3c62908cb2f5

SHA512
c9c593c22bbc186b5ac1c87e3c9510619b774054c03e86927173c9c20747d07ab8f06d4f9f1a49a33b13bb0e5114c1c9f51d8a7a1bb797117b3de9552b4ab986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2b42d0a18ceac05f5275ea6e62d6c502

SHA1
7102888e6c672c3ccb3774b2ca37a63eeedeeb03

SHA256
28b9346283cd2c780f4fb5c00974862168af502aa1ba969188b6634995cdb155

SHA512
9c60e30e6ed54dd9b06f5bb33b07a70e9f2d833f50386c202d61fb1bc297981d90887f33837478352dd3d91403759025def4e3a1a754304a229328b227cf7774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f5022f0446ce5b92e61e0c9de69d3b0e

SHA1
1a3a5b2eac26d229419c6d8c0bf3e3d8b08b2e06

SHA256
108f167258d2e2661ce9034fc5376200aad1c43c9e6bce1bf8af29f7c4e6f0db

SHA512
6fee9066727d738fb6e0bfd53f6ce62a7a0bdc493b9340e58ea700394a6199c474882fb8381613823b9d4a0432145c3e872e98aeaaa576a65931e294bdc0f44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
0f6d48d28f3398c4f70388657884288f

SHA1
296a46a341d8fa303970053f713b27277ba0f139

SHA256
023d03a2f36fac62c6a15b3cbb3c419a1299f32446831e615eefd08303674cf6

SHA512
a26af5692fa87154e2e2cbb15b307eb1a9cf4f11ef0881d55a3bb36da4c19d85917887098c3b801d61f0fae9e5731aa56d339a44397a8a0299ec4811d8e94f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
465B

MD5
b77cc3ea261b69196ef5318124235c53

SHA1
b9610da37f4004517fa8744d3bb402a0d1df7b4e

SHA256
5e6eacae5bce3133af18130de13a68fb9cd34bb32e6bd2a8f89e96a9c9de2aa4

SHA512
d7b21f2d7361eb4599d36257d98479be274ede6b28c02cce242aaa8ccc7303685103a1013d81660eabe331038669c268524ff0cf463e71f77d16eac6ff8e93e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
15a2fe708cb2899bf583935b77a29003

SHA1
fd617116fab6f9cfbd4260b81fd4b70adb300730

SHA256
806fde8dde5598d33511cbffcb0e4d330486b799ab7f839af2f67cd520bd717e

SHA512
c590dc02eb249db6384a43aecee7c097896a704f81577ca9c6d9058823bd85b459aa0e16af580e93ae5fe0fdfb0e72ed59f1a22b41a69772ff70042d97d4b3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
386f4aaa9d96e51ab005d14a670ba7bd

SHA1
595b1ac1a1c09491fdf6d7ad5535d7844355d58d

SHA256
9b832337137d43c57b69e164b38cfd7fc97031af8d9fbceb506c6d24b3addc5b

SHA512
da34fcb1d4706cdb32f3f5b083831c1f31810509db70a123cdc6e2b6d8cb7d94f8e7915c7d67e1920f0664820059cbbde300b271e97cbd5d3f7530c9c74f4317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ef2bafc4d73372c54ce0a9dff7b5457

SHA1
372f88c50d54543b18aecb44a424b7354b46c01e

SHA256
c932fa4b98891eff36ccaefd3180d92318fdb3b258b1b443df2b713a29f71966

SHA512
6af48827cc7f0fde76d9c1583a2bdbc7bf7f63cd21de2d440ce5958fa7a359903e6e60bada426498f999850550465d3c91e6622d1a343f43ef1f7bac1c36ebbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2627e6345730a6a479da30c0883d24a5

SHA1
7442a41a25fcc5415e1609b647c6e414a32c7b99

SHA256
640a5e5b62d5e5ce53f120e2238d95d61f09b45d0d4035fcedc0f452c431b26d

SHA512
1cd1044e89ebd307c088b4ebe587d41dee3b6dfcb10fc4f70f95819fc9b1f98132b9715cf1bce76d5f15d97802e85776f2ae6bfb293c4d033e661e5d34354d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
08cb187bdb47b4a15c6ab12925fece28

SHA1
8c95e6d2fd45014ffa72dda176c1b0fad54fed27

SHA256
3ca6ae5f9e36eb84214de1b53651beed164754d9e4721f93c2bb00322430954e

SHA512
cd07c0cb2675aa823131deeea4c4e8c872afd34235473fcc3743f761c3555c0c77b4d3dcda326d33ea6a5eab373c8edef16122a0b44107c13ac159f8e64218c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6372f3.TMP

Filesize
364B

MD5
ce2631ec5a6ea5523ae101aa40fda7cd

SHA1
85dacafcbc61fcafe5dacfae696ec06fe8a280c7

SHA256
8b85c3e84e133888253136da4305068dff99bc56fbff2d7b091fc943fd41d777

SHA512
1adc6ed579be277ca721239dcd63ea07a91495a8b1dc9703178e716631851824ee1a6f2de9b28b1d348199212dfe1ff2fc7a4bf3c4a79861cd06526c465e4591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a196fa0cdfb5e8d0074cccb250ff246b

SHA1
125051476a8f78b843f7b7e3c9a178ed9f219f1a

SHA256
8b3c74564dff915033e432fd27f94a7bafda2c179ba517e253acb00b45871114

SHA512
c333070c78f6115e27c13fd867c244791271cae2c8ca197808a196a9778babc81ab109edba321dae097d5105328850ff89140280427dcf4baa9e07229ec2aa56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70f453dd2292f045829ecaca1fee76a9

SHA1
217c29f02c7b1c245ac4146e1192d0af201af026

SHA256
f3e913ba2b7cd41847f4e56eb63e2cd5c33a0694bf0ed2ffadf8975334962ebf

SHA512
73324f18603b1125259a2298e50aecd10c683afbc529485a79c1cec1e2a67e0f364e6b94ec2e27058d0111bc9b220afb618d90de850f7621664c96eace1c5eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
719b2195a4c5e350146cc25fff1e221e

SHA1
d1b2b18e960c7404bbcd17910670fd4e4934b80c

SHA256
64b7d5a6cbd0cc4c9d8983fba938a0ffdafbbac3994a8d672ce2e0608b48840e

SHA512
89e74d16db203d15f2bea7f8f052b3a38f98b7c8a65598c6a8cedff42a3c97b8d13901f46a2aaa674e27907b59da75a994c25850170db1d450da7360a0468827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ee17352ae27fbcf62de3d17450a8fd2

SHA1
72f2578b29ad578981b09114bc12804a552ab2be

SHA256
b6d5ab02a27859c18ffeaf3da999d31d16dbd880b75088a0fceb003ba579bbfb

SHA512
acffc3dda9fb9fc68066578f7ad431a50425c4385daa29a88e214ab0e2bb26ac819ee7eff3950acf48598695a3a16a78838ee83fdcc6e53a0cb53c28d26c1748

Download Submit
C:\Users\Admin\Downloads\DarkVision Rat\DarkVision Rat\DARKVISION.exe

Filesize
4.4MB

MD5
d7411abd0a54122366700fd5394019d1

SHA1
4880fc29230a0909f70d49051397aef5caa43d52

SHA256
648e1c9fd7aacb58c4285cf6a54d9e58f5c2c1f6cc1f166b9e13e7d6a3c4a7fb

SHA512
5b8068c8831f6fb838fa040ff8682b4e1b11f76af8dc476a707a8515a96c56edda19c85f60aa3818c98ae64e36b5d6a1ac04c72a0d3baab17b41d4c7bf625070

Download Submit
C:\Users\Admin\Downloads\DarkVision Rat\DarkVision Rat\{9B0AF4E7-83D4-4AF8-83EC-9EFAF0769048}

Filesize
44B

MD5
1aa0dae9a57df464d6860f767529d7dc

SHA1
92dfa347aec2c9613b4b00ab78bb796f78cbb100

SHA256
5ca538bcb2b615c330205a565e0177e5031a838c0284ed1f4f02597157b864ef

SHA512
b7bdcd53d8878d4ec1a5aee711add980d2d69475d8ac4a5b88baca2740035bfd361702eddaa6a6a0a08de13fb24b5e06c134c05bb65410b666b8ea59e2d5e67d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 15299.crdownload

Filesize
38KB

MD5
48674553edd45e3f0cc8157c71599436

SHA1
03964d23192456cf78db3a77573af4de0bbe2b8b

SHA256
aa0f623eddad4a90edafee6a34a9fcc1e893aa19f1a4ba50cd2a4f6d82e89730

SHA512
48d2a3a8ef438f8e8cfabd17d6b7018fe3979383dbbde72d22d5b2e6f3154f9d7c5a040bcdeea36a6f824431a2f7aad65506519697c7634b06db412559645a23

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 895565.crdownload

Filesize
2.1MB

MD5
1ffcf6b0d86e605f4aba91bdfa54f681

SHA1
e38af918f7356e2aca56ba4bcdb9dd663ab603d4

SHA256
c3f0c6b2f541e782f922879994e10171f25d4d00a2e57b5cf86d910581ea8dd7

SHA512
9ec13e1c9153e69ca0bb63188cdcaf87009d70ca8d8aa01bfd456ba87b77d2ffabf53a44fb326a78f7312cf7f14e7896074e8660bba2872597123ac6580afb17

Download Submit
memory/3368-535-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/4448-250-0x0000000002730000-0x0000000002759000-memory.dmp

Filesize
164KB

Download
memory/4448-158-0x0000000002730000-0x0000000002759000-memory.dmp

Filesize
164KB

Download
memory/4448-125-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download