Edrwkgn.exe

While the file's hashes change frequently to avoid antivirus detection, analysis of this executable reveals common behavioral indicators. Check its signature information with:

    sigcheck.exe -i edrwkgn.exe

If edrwkgn.exe is detected on a system, immediate action is required:

  • Analysis: Submit the file hash to a malware sandbox (like VirusTotal or Any.Run) to confirm the verdict and identify associated network indicators for firewall blocking.
  • Credential Reset: As IcedID and Latrodectus are capable of stealing credentials, it is critical to reset passwords for all accounts on the affected system.
  • If you find edrwkgn.exe on your system, run this immediately to list the DLLs and functions it imports:

    dumpbin /imports edrwkgn.exe

  • Delete the file and remove persistence entries.
  • Scan with updated antivirus and EDR tools.
  • Check for lateral movement – search the network for the same file hash.

  • When edrwkgn.exe (or the script loading it) executes, it typically performs the following actions:
  • Defense Evasion:
  • Command and Control (C2):
  • Extract printable strings from the file for review:

    strings edrwkgn.exe > output.txt

    Look for:
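The hashing and `strings` steps above, as an added Python triage helper that is not from the original page: it computes the SHA-256 to submit to a sandbox or to search other hosts for, emulates `strings` (runs of printable ASCII), and pulls URLs, IPv4 addresses and DLL names out of the result. The sample bytes and the indicator patterns are constructed assumptions, not data from the real file.

```python
import hashlib
import re
import sys
from typing import Dict, List

# Constructed stand-in for the bytes of a suspect executable (hypothetical content,
# not the real edrwkgn.exe): a DOS stub, an import name, a URL and an IP address.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"This program cannot be run in DOS mode"
          + b"\x00" * 8 + b"kernel32.dll\x00VirtualAlloc\x00" + b"\x01\x02"
          + b"http://example.invalid/gate\x00" + b"10.0.0.1\x00" + b"ab\x00")

MIN_LEN = 4  # same default minimum run length as the `strings` tool
URL = re.compile(r"https?://[^\s\"'<>]+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_hex(data: bytes) -> str:
    # The hash to submit to a sandbox and to search other hosts for.
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    # Emulates `strings`: every run of at least min_len printable ASCII bytes.
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_indicators(strs: List[str]) -> Dict[str, List[str]]:
    # Assumed review criteria: URLs, IPv4 addresses and DLL names are the
    # strings a responder would extract first for blocking and import review.
    found: Dict[str, List[str]] = {"urls": [], "ips": [], "dlls": []}
    for s in strs:
        found["urls"] += URL.findall(s)
        found["ips"] += IPV4.findall(s)
        if s.lower().endswith(".dll"):
            found["dlls"].append(s)
    return found


def triage(data: bytes) -> Dict[str, object]:
    strs = extract_strings(data)
    return {"sha256": sha256_hex(data), "strings": strs,
            "indicators": find_indicators(strs)}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(blob)
    print(report["sha256"])
    for key, values in report["indicators"].items():
        print(key, values)
```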