gurcu | hxxps://github[.]com/Intestio/XWorm-RAT/releases/tag/xworm

Resubmissions

03-01-2025 17:08

250103-vntw3atqdt 10

03-01-2025 15:27

250103-svv2latmgr 10

03-01-2025 15:23

250103-sslp5stlhk 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Intestio/XWorm-RAT/releases/tag/xworm

Score

10^/10

gurcu discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.22%20kb

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=-1002258988684

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Command Reciever.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 2 IoCs

pid	Process
3452	Command Reciever.exe
2532	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3452	Command Reciever.exe
2532	conhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate\\conhost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
83	raw.githubusercontent.com
84	raw.githubusercontent.com
87	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
80	ip-api.com
115	whatismyipaddress.com
116	whatismyipaddress.com
117	whatismyipaddress.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3008	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	conhost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4620	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2376	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
3996	msedge.exe
3996	msedge.exe
4608	identity_helper.exe
4608	identity_helper.exe
400	msedge.exe
400	msedge.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
3452	Command Reciever.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
2532	conhost.exe
220	Command Reciever.exe
220	Command Reciever.exe
220	Command Reciever.exe
220	Command Reciever.exe
220	Command Reciever.exe
220	Command Reciever.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
2532	conhost.exe
2532	conhost.exe
220	Command Reciever.exe
220	Command Reciever.exe
220	Command Reciever.exe
220	Command Reciever.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	Command Reciever.exe
Token: SeDebugPrivilege	3008	tasklist.exe
Token: SeDebugPrivilege	2532	conhost.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
220	Command Reciever.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
220	Command Reciever.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 924	3996	msedge.exe	82
PID 3996 wrote to memory of 924	3996	msedge.exe	82
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4760	3996	msedge.exe	83
PID 3996 wrote to memory of 4844	3996	msedge.exe	84
PID 3996 wrote to memory of 4844	3996	msedge.exe	84
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85
PID 3996 wrote to memory of 880	3996	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfcd946f8,0x7ffcfcd94708,0x7ffcfcd94718
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1700 /prefetch:8
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8986403325054506344,16092840478589811004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:1128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4384

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1440
- C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:220
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7759.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7759.tmp.bat
    3⤵
    PID:2940
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4508
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 3452"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:3712
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4620
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        5⤵
        
        PID:2652
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
20KB

MD5
b9cc0ef4a29635e419fcb41bb1d2167b

SHA1
541b72c6f924baacea552536391d0f16f76e06c4

SHA256
6fded6ba2dd0fc337db3615f6c19065af5c62fcd092e19ca2c398d9b71cd84bf

SHA512
f0f1a0f4f8df4268732946d4d720da1f5567660d31757d0fc5e44bf1264dfa746092a557417d56c8a167e30b461b8d376b92fbe0931012121fac2558d52c662e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
179KB

MD5
f69a450902ae6bc96d3f5876f0484290

SHA1
ba352bed8ac9b29bccc1aef038886ce4c19b0a1a

SHA256
e530aad91db15339f6be69696c78e82cb01bb86f5ba4a98c7a76a57d66819171

SHA512
59b4baf45c6bcbab2cbcbb470f7a24b53ca8a55210f646d706fce8ede05c4e7bbd836307064623e4a441a24092069b9816968bec00bbfd98d2edd3901b1f0488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6eaef0cec4aae0e2ecd9d7756ca20f3d

SHA1
d1a5f2fca0a50b137a3914b8b4443010b7060ec5

SHA256
a9533b6d12309ba57e71f76daad70402acf059b7da1dc8865f2badda46551989

SHA512
9f141d67fa7627233ddbb02403dfe5556f708fa4acfa1908a16f3ec440213a58e3a1acb72d3aed98f332cf834de3facb4f939b3ce541861821d2a99e6bea333e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3c9b3526038e5f8e24364fa8574156e9

SHA1
60b548386913364d261cf15e2d3cf8d4087ae36a

SHA256
be893430a25070ffc41f97a4cfed1bc7334c5c73d20082b1278eb64220c01f02

SHA512
891a3b9cdbba4fb39a1edf9b0373d1fe7c0ef37051418febf716ac5ad77378106914fe2ada582f6d05e3d912744717bc16ab472969237af5345f7d72e8a1ea81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
e2e172cb355c296e8a64ee4d307bd8e5

SHA1
200832de1fe0e9e773529e9766a28101ef1625bf

SHA256
6bcb5c619337a7f3dba50148369b8c49dc348120e35c167e55d54a814f10c92f

SHA512
d21caf54ec22f79508152d598a3db68633f6e58c4dc76838a3bf173ae5d45f0d542fbbe85c462b9298a45db4d45b02c39de3c97d7b4de560746e4b673f1d393f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
37baf21f6884d62dd3fae3bcac0e3f54

SHA1
86387f81e0e639f4b89ac148a2611dbe17c692e5

SHA256
fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be

SHA512
13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f5484596bb7e655576c60176d31f860

SHA1
90cedc5f59fbd985cebf4f5dc6a6395341f1c174

SHA256
2223ec3e98f338e9d18897b438d70b5fe86d24181fb28ceb3e2ebbf2d5b5bf81

SHA512
00d9b66969f6a39daef03f5af330fcead24a89969e26673be443520c2f6c605840e187a9ab3b6a00ab7225633ba3eca9299176fe03e144176b43950d77a84b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
24d599ac3701046164c1b01854cf0bac

SHA1
6c1b5ba2c4179cb00be785b085415e6c2ca1ca98

SHA256
e8ff70dfccc2b338eaa07758ddbff75b82a6d444fa0c62d28d119deaf1e7fb3a

SHA512
0e4b3bfeb5a663cc826cea8e67978d382095c27d69e44e7ec54740df0f8f91fbb720c3191abe94e331e5e3f0841f540beff1f7915a7377362f5cc69c2371d373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d3318d2a8f1622c3964f570be186e90

SHA1
a1ee31991fa9f5ec06444579436e3752228e5088

SHA256
e1ad96e90d387c4635e8c7ae0a59577026a821aca043e27f636a454c01374dda

SHA512
9aa3cf87b5745854531a5de98f977796f483deadb7624ffcb0e3fcb70f374778de46a3d9bad38dfad5941f832793556f81d4db47de016246be575639fd9d4925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3881a3b2254a2b5813a70e4d115602f2

SHA1
ba70ef8290900a2be2afe40a216c3b6481029a7c

SHA256
75c33aae576a8ab006b8da83dd02b6e780c437bfefab9bc022fcde10cec7ca93

SHA512
65289f526ebaf618c922a13e89b37991b75ad559c150bd0f4cb86f2950ba5d61cb018d29ef4293841c73ec0e03a3bceecb0b8b3b42d4811bca6369d815002634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c890b69f7a18ae6794b277d99313076c

SHA1
80a0778c1ccc3afb6cd701c91dcccf012c5a8b8c

SHA256
821935925b3299d4ddc193e5241608fc9a67e5838959667e7525ecc2c79d1d15

SHA512
7b8c914fe5c11a55742810d224924d43785126c680152e057f6033fbfcd77608cf7ba257b76320523a2ff4120d0405ebe2f3da4f46077b8df41a0c4adba4c2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ce99977aa9c391eae4df9d5b09f52df7

SHA1
09141a2809ea43439bfd0e07ae4f7300ba03ed35

SHA256
39bc3850e82bcb94ce8c0e726dd3f3b2f0bbf23a468fd09217049eadb4d0f549

SHA512
c71fc7207525ada2c48e735b0cf9bfeae37ef65962601a342a2b69809b146e0149bce0845998611de7cbad62703fb79d4d51266303dcb5b97147574973426d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ffced4c11e9c0d864eab561b82c0787e

SHA1
cf60707907ec6dabf1cbf5a93ecaaaecd2434e7a

SHA256
5a56b8b57af5334fbdd98e1dd5ed632cda1724ffa50b7048049bd2f96f3f57a9

SHA512
506816083481c82f2dde84a25b0e7e01d13f206e3286ee718598f891adcc2884391922da8fd4aae40d41de481707454dec89117b7a95b405948db5c158dc8e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1f071b270f7485ff7939ccfe2632e3aa

SHA1
32ac86dd03c75ddf795bde5f05cab83c6058e315

SHA256
c5745f2f5fcc93330f82c95a65b079b13bad7ae45884d2c46ba749ec7edf7c61

SHA512
ad7d427a66df0fce9685eedbe0d9c0050c03cf8096eabde7e007a67ebcf76015fa2142c04e2aa4fcdf842e560c336a0cb5970a70096137c2ecc39c5493d1f128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9e5034d777a37653d36763813f0d2885

SHA1
11cc42a965c9e9ca759316a4d275679321225f8b

SHA256
1be9b1c9fe7c1699930045bf0c83198ef5109d4c84d68563746fa3b9d2397139

SHA512
75faa029f9ed8ed189fb6028224b6299f9cc9e33b68a4a0af25760a01047b3cb4d5ff1ac9573a29300bf9727d00fcaa08001e944bd5f39b1ca2d969d555acac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58219c.TMP

Filesize
874B

MD5
a95271758e16c8b0b2908fbdd096d95b

SHA1
b1c5ba46538355a281b3709438fff86341888f46

SHA256
0fae5abf5430f35ea8c84bcd082fbacb4c73b15045030121dbf5038ca647816e

SHA512
aa097032f7d1c106879e8f57fcfffcb4b8325565ad05d4d83157e00128ce393a30bac8a2cdfd87a3b3f1c64d5eeb0d5990aa5c3fc92a5a0121745b80b47189d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb34fef06ebfd1368e67079339edd647

SHA1
7f7d66da161f0320e747821b94754ee4519a269d

SHA256
f465eed377b2e02a2b6cca81ffe5e198ec92ed8010abc5e19b883f5afde0ff23

SHA512
c6ac0de2c328b136a06a668e2036d780a75939140218acc8db0c0cf3e98c2d73002b685206bbff517ed7d69043066f622694bc95aa66c12e7b0ab4e1851db80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd2cd5f96a895b0932ba18d6e2862814

SHA1
18d770a5d4ce3b9ffc28013ee2e2437a60fa20bc

SHA256
d98db6aaa892ff9eeb211be543ca701d67a25cb3e6d8a07c58bcd08608cb4d89

SHA512
c4aafc94698b483c483a1a365f47ee50b6ab753721f3bf27c1988ce27f137632005739084e38dd03fbf60023515e7e145d7990b60cf937645243e8afc46093c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c35329a372fb05a9ed709cf4c136f62d

SHA1
0ac86bd34c5885079d728ca88cea827663ec264a

SHA256
206a70f0bfa4f4b9ab76c78595a061a8fefeda050e27b54eccceb501173dbb4c

SHA512
5ed7247514110c9bd9c8aa39f02db54a4f45977bcfcdf37dc4feb9ed9a94561ec307eaa3cbdada53e41075ac258cdc9a9f08c87265fb2f32b5fa1bf0d466a0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

Filesize
5.6MB

MD5
eb01eece5f0887b24a1bd53183d801dc

SHA1
49e92aee8351e3a995d8ec95bc64d7f381dcee28

SHA256
a2b1012a39662b760415ee897388c862457f4f1672897db8dee67e125bf0ad5c

SHA512
83374fdc381d52b64682df5b96f02cb3d487ce12d9231ede8ee9a92ecf72fa4a0d6f91a04e5f6656cccd50f142dd44bbb08e7ecc94b647e0349064dc32a76839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7759.tmp.bat

Filesize
295B

MD5
3094781d5ddd81bd68df30078ccb9a90

SHA1
887cbcc6217e65cf1f0fd13fa73212e20a596bd1

SHA256
7fab44b4057c2c4a0629451de870fe61af216353367aa7dc45b6ac261edb4614

SHA512
9d6b829dd45260358419c24f5a099c3bb72992cb97ea39c1654dd780aef2a179b1aac95561bf7d20d25ab02e1f63308f52495844822c961f60791111311589f4

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main.zip

Filesize
34.0MB

MD5
3fe356d4809706bce1b0f3a56bf524ea

SHA1
a018691019bd5cb19520cfcb986d37ed8984eb23

SHA256
b770bc5040317a575b1d2778b3b90a08fcd067505189fd5fbd779763ae337fa5

SHA512
822d5732622b90296392ff1f2c5ebc292015542f2e3f6eb3c8be28930f036eed8dbaa84310e2749b2aaea88a996005e1f1e72b36a712a29cd26bd3012943c728

Download Submit
memory/220-409-0x0000000000B80000-0x0000000001212000-memory.dmp

Filesize
6.6MB

Download
memory/220-415-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/220-417-0x0000000005D40000-0x0000000005D96000-memory.dmp

Filesize
344KB

Download
memory/220-425-0x00000000097E0000-0x0000000009846000-memory.dmp

Filesize
408KB

Download
memory/220-410-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

Filesize
624KB

Download
memory/220-416-0x0000000005CD0000-0x0000000005CDA000-memory.dmp

Filesize
40KB

Download
memory/1440-399-0x0000000000120000-0x0000000000362000-memory.dmp

Filesize
2.3MB

Download
memory/1440-400-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/2532-446-0x0000025FAF8B0000-0x0000025FAF8D6000-memory.dmp

Filesize
152KB

Download
memory/2532-441-0x0000025FAF730000-0x0000025FAF7E2000-memory.dmp

Filesize
712KB

Download
memory/2532-442-0x0000025FAF830000-0x0000025FAF880000-memory.dmp

Filesize
320KB

Download
memory/2532-443-0x0000025FAF880000-0x0000025FAF8A2000-memory.dmp

Filesize
136KB

Download
memory/2532-445-0x0000025FB0500000-0x0000025FB053A000-memory.dmp

Filesize
232KB

Download
memory/2532-447-0x0000025FB0540000-0x0000025FB086E000-memory.dmp

Filesize
3.2MB

Download
memory/2532-439-0x0000025FAF6C0000-0x0000025FAF72A000-memory.dmp

Filesize
424KB

Download
memory/2532-469-0x0000025FB04C0000-0x0000025FB04D2000-memory.dmp

Filesize
72KB

Download
memory/3452-418-0x0000021DEB360000-0x0000021DEB902000-memory.dmp

Filesize
5.6MB

Download
memory/3452-427-0x0000021DEBD80000-0x0000021DEBD8A000-memory.dmp

Filesize
40KB

Download
memory/3452-426-0x0000021DEBD60000-0x0000021DEBD7E000-memory.dmp

Filesize
120KB

Download
memory/3452-424-0x0000021DEBDF0000-0x0000021DEBE66000-memory.dmp

Filesize
472KB

Download