asyncrat | hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-

Analysis

max time kernel
104s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

Score

10^/10

asyncrat toxiceye def rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

win-xworm-builder.exewsappx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	win-xworm-builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	wsappx.exe

Executes dropped EXE 2 IoCs

Processes:

win-xworm-builder.exewsappx.exe

pid process

2212 win-xworm-builder.exe
3724 wsappx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4288 schtasks.exe
4536 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1668 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3116 tasklist.exe

pid	process
2212	win-xworm-builder.exe
3724	wsappx.exe

pid	process
4288	schtasks.exe
4536	schtasks.exe

pid	process
1668	timeout.exe

pid	process
3116	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exewsappx.exe

pid process

4472 chrome.exe
4472 chrome.exe
3724 wsappx.exe
3724 wsappx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: 33	3892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3892	AUDIODG.EXE
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe

pid	process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wsappx.exe

pid process

3724 wsappx.exe

pid	process
3724	wsappx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4472 wrote to memory of 1064	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 1064	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 3908	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4576	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4576	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe
PID 4472 wrote to memory of 4492	4472	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb074d9758,0x7ffb074d9768,0x7ffb074d9778
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:2
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5104 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4576 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5388 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4564 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5368 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5716 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5836 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6132 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6000 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6216 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6208 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 --field-trial-handle=1744,i,6557205601216198973,14589788564639760167,131072 /prefetch:8
  2⤵
  PID:5020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x35c 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2980

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2212
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8940.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8940.tmp.bat
    3⤵
    PID:3888
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2212"
      4⤵
      Enumerates processes with tasklist
      PID:3116
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4512
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1668
  - - C:\Users\Static\wsappx.exe
      "wsappx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3724
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4536

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e8cef7d9343c5fc7086ecdeb05e80570

SHA1
82f32de83d941b1cd8c65e3423f6f67d6c912624

SHA256
e1b035d285100b6df1c2edca9c1872289b4f8cea228b509f08146470c19ea59a

SHA512
0778d39be97a2f2c8666162114128418c7429a4b97ee340b640ec65a2cee7cad9e6036af6b37b379d25c738a10553d7556bf526f77eb61bbb3e6992018a1f82d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d009aca486df35a5e09f96c6ea881e38

SHA1
6afabe25c689c5655fa300a0498156ee4000bfc5

SHA256
e837dc17e8fc531f856f4c55447bcbb8751e8f6c96a70feab4cd832f9e9ce62e

SHA512
e8d77b0bd21e0403c2c315bfdfa1194dab5a9f694602330061dd3ba8b372c8dbca97e8d64599ee0646e398a4203012a25698fb6f24d57a790f5647f53b6b0c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
0c2c1ba72241c78df6fe23e888cf413a

SHA1
6821634a3ce31fd2f8ac739c57c5cbad83bf1107

SHA256
b726f939428218edcd8fc517cd8051b3250b944002cd153bb8be2edf1a8fd3f1

SHA512
6d85f077e99c5ce754bc6562db9f0e405c868b04e780afdba4c179cabb1cd20f8bb70aea112d358e1bae2e62df9517e9a7ef88ee94c3c5f17040384cf7ee0a67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
8142dccf115a8412c65337c848798b4a

SHA1
56bffeceb33f068d913eb9f7e7144f70b5cf76be

SHA256
702d5687a3d32a1f14c937845306928280ff36381ddd81a1e7311c2365ccba0a

SHA512
35277ea7f48f08c7df93e7a162973c341793ab96948ea971d949ef71356b280ab5d7f1bf00aa1285fe754fb763727463f2e87bd76f45a345d2ada4ff484aef85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
caa07259a0bbc513eaa9a858501538e4

SHA1
1deb02a98d33783fdef46a4d1d6a36b4f61857e7

SHA256
c710981e7132e9642768aa54d0f54cd90d1a9613a592c05ceddb1dd4e8e7b86d

SHA512
581ca007491e8a3f8170d666c560b996f2d44f74ac0f283fc77bf0fe785957136114cf359c56306176d3d76c4e2a6df1214e997794957875b218ade65b413153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ab9a4154c16af8b84d9dcaf9e6c65658

SHA1
6ddf0211dcd4ed559e12d1db8d353b2edf15e5e2

SHA256
da4ed54fec8dbd6103ac0e31f7906332d73c1c58fe3bc2c1fd4e0a99608826de

SHA512
cd3839ab2f8d0dafc2edfb11eab7ecb8ccac420c431d923459b73edd86a1e1cf3b5309f4635f0ba22272a78f53660f6a9cf1ed08c95fd3f9142b99f620a7a747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
786599e9983aeb64e7001ae7e856ce4d

SHA1
f595082e090ce8559348361acc0781ac8f81aae2

SHA256
4e92aa5090df8c3d0c11a23dffd8aa547c6dc5df73e73a9ea4e16096fc2d438a

SHA512
33404b54fff158c01c0c69a0fefc431a4fb65a3877645b0d01ea7c8c6a778caad63ea01509052d595f28847457fb09b415ec87b9e0023dd47f7853da4859e5b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
37607b33e8c02194b33977fad842c3b6

SHA1
06b18fdf88fdb30f29081d049eff38abed623054

SHA256
61f4350162112477e2d561c227cbd264f951b4d014e87301bf89cf544a212261

SHA512
9ad35a6db8e930f37283f85b6806c2775aa4a68da760744122ce3dafecf4abc0f38f96c195dfb4d08a0b4bf664fa8e6f6aa3eff780cb3db6b46142d48879d69e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2019cbf7ec62a775b282582d4fe620cd

SHA1
4e9dfaec76e7207b58c66e53125f4b7dc2d7fd95

SHA256
2cd7117cc5c85f1bf93ddd9dd0c7a87de9e7ef5bbdad01d253eb84de023a7e92

SHA512
e6aec8c74f4808ea63c6eabbe265234a67eb25e1562dde9c6d3c54a7215aa6f52edd516301fdc35eae5f556594f484f7923b2171aa190eed9f9c9161625890ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bf417c2c0b4753313feae11ad3785534

SHA1
91ff38160f450304f1a261891c030666920ebde7

SHA256
8b768179707ff0772aec52ec9a4e23fac4493dec3e64b391ec7d7582f18e07bb

SHA512
097b87be9f8cd19dee4a5c6f3ba7db022f9ce8c3d929968216b83cf90efc42db885f21ad08a658920df84a1ed463abb78c9cca7ff740b9e2018ef901aa1b7d94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bf8c1a57d1a35e4574e46c10e17bf23e

SHA1
fd7e80237fec60d68dedcbfc7982a7ad30a0db23

SHA256
c2908d54bc67a9cffacd57971743473583f0ecc14e4d4bc31fe3d8b1acfc4f4d

SHA512
c8dea42a43b5300e48bf81dbf04f0bb9f818c3c2b5bfcc298bcbc049599ba67b17b22ec0532a6e00f19497d06cf81378af191fde7c81cb7ac5f1e54289d67005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c809ed7415d5b9cd4c02d2e7949331d4

SHA1
95322182e5a9d499ca89fea05aa91b1c0be24839

SHA256
a0ee3282497d1fc36d7021b527815309da75b26bd2370c5de4bdb9c73c6949fa

SHA512
bf8b43f6bff951cc92f7cba9a27a0fa4578b106c063e380e0f05226393da7c30b098820f6a0655df648f3137d3cfac00b572b4460d420b81947309a7dbbbcd92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
acac60b5d1dc1460fd295c4ea8160767

SHA1
34f8280df155b5a54f2fe8920c76d94c568ddff9

SHA256
5da814708fd2cb74e218849d1102466629a4199e2d9de94bf8c195c3cf3e5947

SHA512
170a9a9989fbeb262adc73e488cda4d4b9ce18b0f3e0db19a9ba8cf9cf17d658fe77cd4491cd8ce1c480c9fd6f59c33af7098578be1b2c48370790764225b883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
bf00b3e16f762b56642ec781e6070046

SHA1
ae693e62236ed8c88eab1f2c12b1e2c8ad573c22

SHA256
73e6769e295767c643192a96d4fe0e31b969a08164eb158d1a31c67222fc9e71

SHA512
d2159e2c94f053844269616aa236ea7149e52034beca3966897ffcef2a2b530ae05af0e9550e682a5c301ae6349edabceda3de801f5034a8a85e23f5381956fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
7d61cb7d99a02ed6c4d42ed6b45bb5b1

SHA1
b8cae4e7785526f6821a7e3b82773624c059cd4b

SHA256
1bb6ea307e60f1cfa16dbba406c023b78f9a967ebe2a9b7f96de79e793da3cdd

SHA512
d540efe79ae8ee0eedbd9d2116341bdfaf57eef2dedad0be64cacd365dc4992139480f532248b9b276c1428ba1614940f6bbcfa40a2364b5bc2603c29b3daa78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
aa7166ba0153dc6123c9eb4462a60f2c

SHA1
41817958608a098b46251aedb1699a1f9fc34bbb

SHA256
9cab7bd5696a3338467319c50a9142b570ab5a86f1fe08683d72738dbd4bc957

SHA512
9067a5d00853930a91c8a88315c55c6c3671b793a385433b8d4494367131a6f25c156eeab9782f9336ab6850b24f146eb741a92c834fa4566cd82e8bb31edb1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
116KB

MD5
ad9ed74be305642cb3e943f8fd5828bf

SHA1
003dc817e665d8a71972f81753fc936c147cd043

SHA256
e041fc09dfdaa67a31bb9fc7b186fe55ca17624f22164f4088ca13dabf036f76

SHA512
dbfeb4c80c0c7cf060312b11e33a1c6bad083a74f397e9d4a0f589a3209214b4b21eec32f311f08c6a5c851b6d0b2615018b3c528ccaaa92ce5d423c143978de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584570.TMP

Filesize
111KB

MD5
b933d0050cb95466194801e979e3bc51

SHA1
86edeebf9f47597eca5977ddf1553ca57c4e5bf5

SHA256
e854ffdec22763a4582d6dd2f72325c80037f8c9725dad3a6b34af743b15ae7d

SHA512
2c009ac62510bc4afa0f9c536f31b0f961d44f32d9e63c0ba0c92718ce471318d35bd164358c9ea890a9d61d565d02951fa0667de41b83f77a23dd73069ad9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8940.tmp.bat

Filesize
195B

MD5
838a0387b7cd73f9a9ca4310ce202936

SHA1
c18aa40dba656caf0a81d9497fb54e640debb2ae

SHA256
9b6ddec7ad8ef058da8d805921332c0c96f5c46cdb711640608129237237358d

SHA512
4e7fe1dac6f630be684a86904aaf386eb5232ef1ac32ad8df2fa014883e89684a68b7563f603519bab686d367ead7a403e312835fc4f7fcbf6d3a5494d3a1d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe

Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip.crdownload

Filesize
5.0MB

MD5
ed997c518b1affa39a5db6d5e1e38874

SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf

SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

Download Submit
\??\pipe\crashpad_4472_ATPCSDGSZKPDAQFY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2212-541-0x000001EFC5D50000-0x000001EFC5E1C000-memory.dmp

Filesize
816KB

Download
memory/2212-542-0x00007FFAEE520000-0x00007FFAEEFE1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-543-0x000001EFE0470000-0x000001EFE0480000-memory.dmp

Filesize
64KB

Download
memory/2212-564-0x00007FFAEE520000-0x00007FFAEEFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-569-0x000001D12B170000-0x000001D12B180000-memory.dmp

Filesize
64KB

Download
memory/3724-568-0x00007FFAEE520000-0x00007FFAEEFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-680-0x00007FFAEE520000-0x00007FFAEEFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3988-681-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/3988-682-0x00007FFAF29A0000-0x00007FFAF3461000-memory.dmp

Filesize
10.8MB

Download
memory/3988-683-0x000000001AED0000-0x000000001AEE0000-memory.dmp

Filesize
64KB

Download
memory/3988-684-0x00007FFAF29A0000-0x00007FFAF3461000-memory.dmp

Filesize
10.8MB

Download
memory/4760-559-0x00007FFAEE520000-0x00007FFAEEFE1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-544-0x000001F89A780000-0x000001F89A78A000-memory.dmp

Filesize
40KB

Download
memory/4760-540-0x000001F89A710000-0x000001F89A730000-memory.dmp

Filesize
128KB

Download
memory/4760-528-0x00007FFAEE520000-0x00007FFAEEFE1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-529-0x000001F89A700000-0x000001F89A710000-memory.dmp

Filesize
64KB

Download
memory/4760-526-0x000001F898590000-0x000001F8988CE000-memory.dmp

Filesize
3.2MB

Download