Analysis
-
max time kernel
166s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
30-03-2024 13:39
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777
Extracted
asyncrat
1.0.7
def
37.18.62.18:8060
era2312swe12-1213rsgdkms23
-
delay
1
-
install
true
-
install_file
CCXProcess.exe
-
install_folder
%Temp%
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation win-xworm-builder.exe Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation wsappx.exe -
Executes dropped EXE 2 IoCs
pid Process 4064 win-xworm-builder.exe 4652 wsappx.exe -
Loads dropped DLL 2 IoCs
pid Process 3000 XHVNC.exe 4932 XHVNC.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/3000-274-0x00000000068B0000-0x0000000006AD4000-memory.dmp agile_net -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2932 schtasks.exe 1964 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1504 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1708 tasklist.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 4428 msedge.exe 4428 msedge.exe 3024 msedge.exe 3024 msedge.exe 2156 identity_helper.exe 2156 identity_helper.exe 3324 msedge.exe 3324 msedge.exe 4652 wsappx.exe 4652 wsappx.exe 4652 wsappx.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3000 XHVNC.exe 4932 XHVNC.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2704 XWorm-RAT-V2.1-builder.exe Token: SeDebugPrivilege 4064 win-xworm-builder.exe Token: SeDebugPrivilege 1708 tasklist.exe Token: SeDebugPrivilege 4652 wsappx.exe Token: SeDebugPrivilege 3144 XWorm-RAT-V2.1-builder.exe Token: SeDebugPrivilege 2644 XWorm-RAT-V2.1-builder.exe Token: SeDebugPrivilege 4564 XWorm-RAT-V2.1-builder.exe Token: SeDebugPrivilege 3592 XWorm-RAT-V2.1-builder.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3000 XHVNC.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe 3024 msedge.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3000 XHVNC.exe 3000 XHVNC.exe 4652 wsappx.exe 4932 XHVNC.exe 4932 XHVNC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 208 3024 msedge.exe 85 PID 3024 wrote to memory of 208 3024 msedge.exe 85 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 2924 3024 msedge.exe 87 PID 3024 wrote to memory of 4428 3024 msedge.exe 88 PID 3024 wrote to memory of 4428 3024 msedge.exe 88 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 PID 3024 wrote to memory of 2184 3024 msedge.exe 89 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd40d46f8,0x7fffd40d4708,0x7fffd40d47182⤵PID:208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:22⤵PID:2924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:82⤵PID:2184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵PID:1020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:82⤵PID:5092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:12⤵PID:4484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:12⤵PID:4324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:4508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5628 /prefetch:82⤵PID:4352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵PID:2740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5088 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3516
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3692
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1680
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4924
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3000
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"3⤵
- Creates scheduled task(s)
PID:2932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat3⤵PID:3712
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4064"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\system32\find.exefind ":"4⤵PID:3596
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
PID:1504
-
-
C:\Users\Static\wsappx.exe"wsappx.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4652 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"5⤵
- Creates scheduled task(s)
PID:1964
-
-
-
-
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"1⤵PID:4200
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD504c8f9d12b040efc35784774b6a9a528
SHA12dbd9f2a34356cefadd93cd1d2edb243b957b39c
SHA256b5d63a221df6a3a1019e07da6715d0665eb363c583275eed803ac474617c2cc5
SHA5129fa848a1e511f36b5b1c7467608b5f48169c15c64a33b2e95ba598a08086b88663dfd12cb4a238028d42d5727cfbfad9190f93a60b9f5306ccd1383595b1340d
-
Filesize
152B
MD5e494d16e4b331d7fc483b3ae3b2e0973
SHA1d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737
-
Filesize
152B
MD50764f5481d3c05f5d391a36463484b49
SHA12c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD53d9a9e152446f53b3f43263b08580c6e
SHA1e6959e3dd11aee582ffcf14c08a4af86014d9353
SHA256fdb50f8731cf9b824a0e00bc9805f5a1d2a9e415558da9005c1721a281992393
SHA51210329bb7104094457840771f49bde5c5a9fbf427d4d3e9409002e00d37299d5edb9019c5b410519fdd1f3db33c273c4a6a988a247f13fa47e9da93e7d77ffaa6
-
Filesize
573B
MD50028a1a5c441a3cd5a60c34da771564f
SHA1e15d27a8322b435564ebcd36467b997d0fa8ef32
SHA2568dc36283781a25af9e2ae76d255ae311b2715396f710ff0e9850b0e64525759d
SHA512e26efd2be3114e733acdc00fb54150790872b10c88a7c4d3a19a16383bf58897ad89f14b3255a984f836666b98bafc099d8988532d03acda0dee7a7a7da3f40e
-
Filesize
6KB
MD515e9d2cba2b927283e61d0c1c0a18656
SHA13a5e80585e4cddaf641aa018b7bfe61a1a2ffbe5
SHA256497a361ef4e7a694fa2b543b7781d45a23d03269aeb14e466cdcb714a00216ed
SHA512a387b3297f9a775493cac4292c497957f9955143f16bdc6e89d99545acaca95a296b40ccd69a35b9c7e555e3e06137b97b35c652b31a3b36b8a9f6af5740c0dd
-
Filesize
6KB
MD5fd0cf6061538426043f5548d696570ac
SHA12a9e1b6058c1d145c5b8ddb689cd0ba2854f5749
SHA2564d7e4c7b92345a4ed5ce7b7e70b232f1b4f8fd7e1b121a89125ac7fa1ba0a5c5
SHA5122f92b46506f956d257b544541281c4c2280976303185b2ce9a9f64fbe3ed285b664fec6ab0b900ea0e7dc1a6919a15434d8eda52e7d4d9408f30ddaa56dccfc9
-
Filesize
6KB
MD555c4da933007dc3e81c4c315dc8cf266
SHA1cc7b7af23eefb98611abec8fe074e074e222d99a
SHA25631e649f933b2680f3a38346cb2513a312d2bc598d39c13dd171a53487951cf48
SHA512d3fbbdd4e65d7f0bc613176f3c771bd54ad5a988e7fe0d803375ff710edc63748682b01f0e2799389a97baba8c251516298264d0b7f17b06779ee547bb13c15e
-
Filesize
1KB
MD55deb8b5be20dfe4481a03e24809b3270
SHA1c7ea5c7cf1528961cdfaaed8949ec2c60e4a2a89
SHA2567852de20a60adc0d3a32e88014e0135050a2e1d3dd9f43dc17160e166a6b2ece
SHA5125bc14ede39b2a058ce7161216d5396ac254502e4680ee5f03ed0785876c13699e3b4ea12b44b45d454b057f1bc26a0cf6566333705315a307fcedb8ff8590037
-
Filesize
1KB
MD5f696981c87089b3898c10ae5717fba5c
SHA1568784427b56b2adeecbb8cf08b6ea97a4574286
SHA2569ea87e450fd7b230c417f94a661f0ea5a3c023d3bd6a623e7d711715eb62b2da
SHA512e157308132f184e324f60313c94a3fcc52b44638a5ac4e3e82f3fddd8c935580320ba04da63fa84575064448a70503b2e7aa7c2b1ec0c534c46874cd61267360
-
Filesize
874B
MD5ec1de69c6cc6f75419eb090e33e08d6f
SHA10784b39980803bea826dc693f2fdf7a5b2a1027c
SHA2563fb80cd938a0808625ed15b6d1358a688934420a934d28121645f446b6652fc0
SHA512ad5e120b93493d827a237d0ea2d3c36f25ecd60e7faf0b8efc2d44027bbb9ca1e14c09d6af97fd294fb373a561287d57cb981ce3ae9de231ced91b0cad058af0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c1166d30-3bb7-4ac2-b946-bbe21a1efe40.tmp
Filesize6KB
MD598fa66212f006f705788fd6da9e3f973
SHA19b3f7d21b668f226a2bef82e66a633e0a1dae2a2
SHA2561eb41b4bd72bca6f4b636aa97eff21fc5b6bcd8206bdc7673f56caeb48af2e1e
SHA5125a45b8b974cc66eb0bf446f21f6f1d5df172fa4b4cfa6a9a341c6574c46075f8db92f59386ce09e862bd4d8f12c28645271c93ddd9ac8f15ebae1d73b0371000
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD576a05a5b12a7a76f76e0d44e39352c4d
SHA13538b7909173ad811056f07415205727c8dff6c3
SHA2566d1a1ce61a38ee1ad01fe0331a77aef1fed357d4f408ca3041c01c454070661e
SHA5129e27e9f66baab3e4ef156aac4e02d7cc20408f489dd65529f321e26f4d70696eea2139f67ec8635fe61d4b511940404621d6d008a504d790832becaf9cdcc7d0
-
Filesize
11KB
MD590f2ead430e6152ae46aeedb31ba1cd1
SHA102417af3d59d48a02db89db20d149dc5bda920fe
SHA2568348016b0f9fdca9423e5c70f63a9da1402c374bde6e9011167a688a63c6afd0
SHA5121f245f310016a9b3bae04591a8dd7d4e2bcc508939dfe52cf6671a7fe91432b8544f680aa5aa9f64fbb1227b44693547f8468e3fd63bd214ff4fcd76c29c3674
-
Filesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize
195B
MD5d1d426938ae36e52ba163b1ae02a98c5
SHA10427ee21debcb2a7702d3c43176a61f5eb342c69
SHA25661daebf45c97d0560808c962b011c02da75c9d2e4a0ef1a38df6cea3f4c1defe
SHA512de5621abdd58cc1fe01b700215c2a8cb922b629d7ca1589fe6db39d4374aa24b95f7207dae4b2155aac24d093a608fbf9ef8eec5a96b711c1c8d51250a6c7ba1
-
Filesize
793KB
MD5835d21dc5baa96f1ce1bf6b66d92d637
SHA1e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87
-
Filesize
5.0MB
MD5ed997c518b1affa39a5db6d5e1e38874
SHA1d0355de864604e0ba04d4d79753ee926b197f9cf
SHA2568a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556
SHA51250699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7