asyncrat | hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-

Analysis

max time kernel
60s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

Score

10^/10

asyncrat toxiceye def rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

win-xworm-builder.exewsappx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	win-xworm-builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	wsappx.exe

Executes dropped EXE 2 IoCs

Processes:

win-xworm-builder.exewsappx.exe

pid process

1688 win-xworm-builder.exe
5328 wsappx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5156 schtasks.exe
5548 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5308 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5264 tasklist.exe

pid	process
1688	win-xworm-builder.exe
5328	wsappx.exe

pid	process
5156	schtasks.exe
5548	schtasks.exe

pid	process
5308	timeout.exe

pid	process
5264	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exewsappx.exe

pid	process
1984	msedge.exe
1984	msedge.exe
4672	msedge.exe
4672	msedge.exe
4104	identity_helper.exe
4104	identity_helper.exe
2716	msedge.exe
2716	msedge.exe
2020	msedge.exe
2020	msedge.exe
5328	wsappx.exe
5328	wsappx.exe
5328	wsappx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AUDIODG.EXEXWorm-RAT-V2.1-builder.exewin-xworm-builder.exetasklist.exewsappx.exeXWorm-RAT-V2.1-builder.exe

description	pid	process
Token: 33	4424	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4424	AUDIODG.EXE
Token: SeDebugPrivilege	1596	XWorm-RAT-V2.1-builder.exe
Token: SeDebugPrivilege	1688	win-xworm-builder.exe
Token: SeDebugPrivilege	5264	tasklist.exe
Token: SeDebugPrivilege	5328	wsappx.exe
Token: SeDebugPrivilege	5424	XWorm-RAT-V2.1-builder.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

msedge.exe

pid	process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wsappx.exe

pid process

5328 wsappx.exe

pid	process
5328	wsappx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4672 wrote to memory of 3404	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3404	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1072	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1984	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1984	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 1944	4672	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca67746f8,0x7ffca6774708,0x7ffca6774718
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,1672493463200359609,16140469037006904995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:788

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596
- C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDE69.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpDE69.tmp.bat
    3⤵
    PID:5204
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 1688"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5264
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:5272
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5308
  - - C:\Users\Static\wsappx.exe
      "wsappx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5328
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:5548

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5424

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
343e73b39eb89ceab25618efc0cd8c8c

SHA1
6a5c7dcfd4cd4088793de6a3966aa914a07faf4c

SHA256
6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223

SHA512
54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4c957a0a66b47d997435ead0940becf

SHA1
1aed2765dd971764b96455003851f8965e3ae07d

SHA256
53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163

SHA512
19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
39bbf69a11f132a84e85780bf8f5dfb0

SHA1
cb9f85beca6c60cdd44da068e39d8d955dfabce4

SHA256
b6fd320e546ec587ad702d0b792c9323eff934c855700e51539b128c7e44f3e5

SHA512
a4cd6785a25fcebc20d312d5272a6bf5374c322aa7eec0365cdefea9a375f239fac3a62e8da95a48b0c74f95c96260c9e835a74f5968e7b52093685947e6af2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee9e0a93237435b0b1bc6893ca5711b7

SHA1
8d3f293f25a684c63f8c8c73abec411fd5719509

SHA256
8cf6deee780b66e0debd74d4a13cde9249e037ef98b31b226f0671655da6d909

SHA512
0622be9eba4fab0c9263c7b9f13089282fd3b9fe813109ea921c5ef54fe49d6b4489aaf8fce22385c699a09426836826aeb7c9e291c7f0e37e734843142eb265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
097ffb106379f801df061533a213afc6

SHA1
e296263674dace93d94450b9fd25ef468a1d688a

SHA256
ca37dcd8590aa61e31c0dd716cab0880eac50abcdd2b587c971f1f6d48becc6b

SHA512
03134cebd0fb64aa09f8d6d5167a07a0554a6436292aa1adf201053839883c9f5f9fad14062f921c22e255fb3579febae17e2cfca6389296d6d5578504ad80df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4fd757d4ef6afc4927cce6114ab59d3

SHA1
585444e0ae4c067606d8ad4c023adffd455488c6

SHA256
63cc0c060116a510da204842770e3469b7db8e6a295cf30029569ca6d4f57fed

SHA512
73e24da38eb90ea8ab953fa9e1c21ded65f4d79025d12e07e26a6c2d617593cbab4123152d22f9774ff3191d6726d2ec1d9670dd0aa3f48faf4f1a14b82f130d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
070a11c94981c11816f4a66c910ab606

SHA1
8b24fcc2ed6be15f3ef766a2e6894a5c6ef702d4

SHA256
12d47d6206ab158d42d24511d79ceca9df6d01c037135634849e472723681853

SHA512
b44c339549c4e7c169cae77f25c85a2700f9e2e0700d54afc161230fc33f767a96f2817dc87832b54b3020de41ebba335c5672ae42c7a1d3f07858bb5a6b8515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd35244caec1a03845d1ece91b49c452

SHA1
707f568a09a1ce81db24bd0916f73d12e0c963e9

SHA256
9e265dddc670811fa0b7520f19acce3dce657f310bcb0fbf4d9b1118612c634b

SHA512
54011205696fabb4fd0ff3da28cd3b37f4e3a6a3bab0c66fd1403f8e7fe725073a766a125ba8bfb01960a32cec156df843ad5c409dbf7466226916dad6f50711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57832a.TMP

Filesize
864B

MD5
da5c85d54ce0755d86a949f9886dd435

SHA1
cd557de3ae53db44bcb1da3e816f8c6187595ab4

SHA256
9c6e01489b66b7d3fd1e187bd5e0b9b8c667591318b1ece3dd66de520e55ab26

SHA512
bb43981ae549c9654f0f0351ebae5e38b04baaf8a21fa9d45d081a4e0583cdc14c1d259559f628469c97882126fa7697facd9deb195172b759f83346d0719c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6c535b85854e98e7b0227d736f535d02

SHA1
9337ad87829dd163aa3230b22e692b7e0e87de21

SHA256
cb9a92d07bee1f8288fe7f849ad1d6bac338adef6e9ed83169ce2ad0ed3ede47

SHA512
7ceb9d41570d29e234efa6d0d244d2241eceb085610d64a01343f5b69ac8c7e109e9814e56d973596517e7364217f2953be446bda5b1dfa3cbcf2d2b7da74d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
060af86fc5719ba7662a7dd59210ba8c

SHA1
9805a4086e0800dfbe2284867914b64e3c7591a1

SHA256
5df26882101f534826b231e597bf323508f1545caf69fb96e68c3a92b5e5ed88

SHA512
f7aee59c0c9a68dd7756be6935d177df9b22fda3f049864da103aa1ba85ef6a39b756b117353392a56d2e4598f5dc6ca3999df7ef1e3f1614365ad4867da62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE69.tmp.bat

Filesize
195B

MD5
b1f5b5d71a4ed223aa33d0b4f3a7efe4

SHA1
9d1b862617d9c9ee150990629d75148d23339c60

SHA256
28ab0061a1a216dbd19b0b884f77ded566079eb9f901ebddc7421aaecff17048

SHA512
0ef6c3b87793ed2e5a2467d814dba2a2029d1a739e13664226ba5da9574dc1f15441ce237a48f82a8fd461536e4960b5258d8ed0060852570f4f31d4ee3661e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe

Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
3e76d0a510243d20f09512ce9fc54cd6

SHA1
801c8957c1092e5510b78a4bcaeec9088ed85a5b

SHA256
bec372167a6461790444ea1bd3ea72000961156123e3cdc55afa5e9cfb644899

SHA512
fca7f4a49339da24dde44c4e2796ee558e1665de63ea527d0b431a8b92ad86f80d6d3b2a064efb4f9f097812d38ddfb1a912eacba0449a3aa39e62788f463a65

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 454192.crdownload

Filesize
5.0MB

MD5
ed997c518b1affa39a5db6d5e1e38874

SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf

SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

Download Submit
\??\pipe\LOCAL\crashpad_4672_ALBWLDPZMVVKBDMO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1596-305-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/1596-321-0x00000242A70E0000-0x00000242A70EA000-memory.dmp

Filesize
40KB

Download
memory/1596-317-0x00000242A7050000-0x00000242A7070000-memory.dmp

Filesize
128KB

Download
memory/1596-306-0x00000242A70C0000-0x00000242A70D0000-memory.dmp

Filesize
64KB

Download
memory/1596-303-0x000002428C720000-0x000002428CA5E000-memory.dmp

Filesize
3.2MB

Download
memory/1596-322-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/1688-326-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/1688-320-0x0000022D57C40000-0x0000022D57C50000-memory.dmp

Filesize
64KB

Download
memory/1688-319-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/1688-318-0x0000022D3D6C0000-0x0000022D3D78C000-memory.dmp

Filesize
816KB

Download
memory/5328-331-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/5328-343-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/5424-341-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/5424-342-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/5736-346-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/5736-347-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download
memory/5736-348-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/5736-349-0x00007FFC93150000-0x00007FFC93C11000-memory.dmp

Filesize
10.8MB

Download