xworm | hxxps://cdn[.]discordapp[.]com/attachments/1331365260795449354/1331365647149437102/CDX177[.]rar?ex=67915a61&is=679008e1&hm=afd4ab51ccb024d5f03b4e4e7a73b3f176356189938914c8d5ac0704d4246d0f&

Analysis

max time kernel
197s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1331365260795449354/1331365647149437102/CDX177.rar?ex=67915a61&is=679008e1&hm=afd4ab51ccb024d5f03b4e4e7a73b3f176356189938914c8d5ac0704d4246d0f&

Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

posts-vessel.gl.at.ply.gg:36177

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7242122864:AAFBsG5SAGw_Flfuys74YhEnKLTVdPESOnc

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023d76-971.dat	family_xworm
behavioral1/memory/5420-978-0x0000000000E70000-0x0000000000E86000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5132	powershell.exe
5600	powershell.exe
784	powershell.exe
1160	powershell.exe
5664	powershell.exe
5556	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	CDX177.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	CDX17.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Microsoft update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	CDX17.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corp.lnk	Microsoft update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corp.lnk	Microsoft update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe	CDX17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe	CDX17.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe	CDX17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe	CDX17.exe

Executes dropped EXE 11 IoCs

pid	Process
2792	CDX177.exe
5964	CDX17.exe
1596	CDX177.exe
5156	CDX177.exe
5420	Microsoft update.exe
1556	CDX177.exe
748	CDX177.exe
5928	CDX17.exe
4928	CDX177.exe
6136	CDX177.exe
5684	Microsoft update.exe

Loads dropped DLL 64 IoCs

pid	Process
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
5156	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
748	CDX177.exe
6136	CDX177.exe
6136	CDX177.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft update.exe"	CDX17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft update.exe"	CDX17.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
125	ip-api.com
166	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0005000000000739-848.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDX177.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819664718515419"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000d94c58689918db012ac3b7bfa018db01a966ccb0466cdb0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
3616	msedge.exe
3616	msedge.exe
1704	identity_helper.exe
1704	identity_helper.exe
3356	msedge.exe
3356	msedge.exe
1916	chrome.exe
1916	chrome.exe
784	powershell.exe
784	powershell.exe
784	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
5664	powershell.exe
5664	powershell.exe
5664	powershell.exe
5556	powershell.exe
5556	powershell.exe
5556	powershell.exe
5132	powershell.exe
5132	powershell.exe
5132	powershell.exe
1852	chrome.exe
1852	chrome.exe
5600	powershell.exe
5600	powershell.exe
5600	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3060	7zFM.exe
5140	chrome.exe
5728	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3060	7zFM.exe
Token: 35	3060	7zFM.exe
Token: SeSecurityPrivilege	3060	7zFM.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeDebugPrivilege	5964	CDX17.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	5420	Microsoft update.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	5664	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	5420	Microsoft update.exe
Token: SeShutdownPrivilege	1852	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3060	7zFM.exe
3616	msedge.exe
3060	7zFM.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4968	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
5140	chrome.exe
2792	CDX177.exe
1596	CDX177.exe
5156	CDX177.exe
5728	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 5116	3616	msedge.exe	85
PID 3616 wrote to memory of 5116	3616	msedge.exe	85
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 4524	3616	msedge.exe	86
PID 3616 wrote to memory of 3032	3616	msedge.exe	87
PID 3616 wrote to memory of 3032	3616	msedge.exe	87
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88
PID 3616 wrote to memory of 2344	3616	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1331365260795449354/1331365647149437102/CDX177.rar?ex=67915a61&is=679008e1&hm=afd4ab51ccb024d5f03b4e4e7a73b3f176356189938914c8d5ac0704d4246d0f&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1c4a46f8,0x7ffe1c4a4708,0x7ffe1c4a4718
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8386783280091183342,15013929726843462513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\CDX177.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe0cd6cc40,0x7ffe0cd6cc4c,0x7ffe0cd6cc58
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1948,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3708,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5340,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5332,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5184,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5672,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:2
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5700,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4684,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5828,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3356,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5816,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,10496780345613374784,18048097551854328940,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5140

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1536

C:\Users\Admin\Desktop\CDX177.exe
"C:\Users\Admin\Desktop\CDX177.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2792
- C:\Users\Admin\AppData\Local\Temp\CDX17.exe
  "C:\Users\Admin\AppData\Local\Temp\CDX17.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\CDX177.exe
    "C:\Users\Admin\AppData\Local\Temp\CDX177.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\CDX177.exe
      "C:\Users\Admin\AppData\Local\Temp\CDX177.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Corp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Corp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0cd6cc40,0x7ffe0cd6cc4c,0x7ffe0cd6cc58
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3668,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4724,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5212,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3548,i,6281733450578462377,393518678330877117,262144 --variations-seed-version=20250121-050130.881000 --mojo-platform-channel-handle=3136 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5728

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\CDX177.exe
"C:\Users\Admin\AppData\Local\Temp\CDX177.exe"
1⤵
- Executes dropped EXE
PID:1556
- C:\Users\Admin\AppData\Local\Temp\CDX177.exe
  "C:\Users\Admin\AppData\Local\Temp\CDX177.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:748

C:\Users\Admin\AppData\Local\Temp\CDX17.exe
"C:\Users\Admin\AppData\Local\Temp\CDX17.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:5928
- C:\Users\Admin\AppData\Local\Temp\CDX177.exe
  "C:\Users\Admin\AppData\Local\Temp\CDX177.exe"
  2⤵
  - Executes dropped EXE
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\CDX177.exe
    "C:\Users\Admin\AppData\Local\Temp\CDX177.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5600
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe"
  2⤵
  - Executes dropped EXE
  PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b65d667045a646269e3eb65f457698f1

SHA1
a263ce582c0157238655530107dbec05a3475c54

SHA256
23848757826358c47263fa65d53bb5ec49286b717f7f2c9c8e83192a39e35bb6

SHA512
87f10412feee145f16f790fbbcf0353db1b0097bda352c2cd147028db69a1e98779be880e133fed17af6ed73eb615a51e5616966c8a7b7de364ec75f37c67567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\45158c92-c718-49fe-8a0e-665f75e8704e.tmp

Filesize
9KB

MD5
aa2f8f03511075d936d130d819daac1b

SHA1
530bd63b8c4e0068c98c7cad6e8e5436908a44fb

SHA256
17831857e0b2936aff6c465bfb2c06f2ac504ed7432e3022e2ddbba22a0ec0ad

SHA512
cc031cb6e788a370e3869b9f14ae143436e813062f88861873f1c9d53bcad58c086811e27b00dd911b636f63bb7827ec145eb27045e28ad0393afa828a51b984

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6e52c93ac5310870ba341e320b9a1c4c

SHA1
8b15abf80ff790424247f26bc1bcd94fd33612ff

SHA256
16cbf181c4db03184859eb3779b503689632fafa8a1e9cf1679d4a63baaeb37a

SHA512
92c8f237bf6485b6fcb562fac1019d5ad43b0eab81afb7823e98e533e6da90d9e4c1e26741d64e17eb479fd14eb7995c8df84a445054ec7fcb1186722665aa80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
a056021d6c1ef505a891bcb786377fb6

SHA1
f86091a2c9b8eb0f0bd4fcbf3fed28dbde832c28

SHA256
58e9f8dda398bad0ddb65c00713bfd755b88ef1fd16fbe1d51f7283e929054a1

SHA512
2c53b9cd0208d8cb717e22de550637f52298d2738f66c62ee6451e92b61138b4ea91dcee7ee2af94d54483c7dcc2f2e7beeaccea0a2d4ec3eff914f4a1b3e9eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
1f1f1602d50fa5c5b3373440a2b15995

SHA1
6a510d2d7adbed7dba29078123bd3f22f8d28ca6

SHA256
a2a8c4a47c9346a7c2a1e21206c17b5c3916b5cb793ef9324f0cc6f3708e2c53

SHA512
c9d93e4ff34eab1530a286053b07e650198cb1dc40b59fd08bbf2edc53ba0cea1c04dda0836fe2e3d8b365e40b1f77014ee106cbac0cd180cc83a02e387d8990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9b2cf61017e57a7433b6233f4b09998c

SHA1
da9c5d85913fcba21a48fe0b52eb1127a59ae1df

SHA256
f0a2d53f838464306f0ded200c872809400c60930eff695ca4c77003d6c8993a

SHA512
9284c5cd860cff04ee1e2c2be60e9199f07b6c84ba9026276a4d59fe2199b0b4f955adafe663718a2555b4b413f1d12d9ed53e6d086777cb943794e401558c8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
26752c8acc6b0c26de350b77bb8a81f6

SHA1
1f0fc627abb2a36b5201e4f87fc1c948fa586cc6

SHA256
92c70601f1da31958103530eb361118d49c46b3850d7a64abaf08d6cc2e299ba

SHA512
32f9d96256d3c0838b3417e75aadea3d73e2ec2b85cc66c556aa83f89a43f99ca7b22d66e2a33f4132a7c04d5b68607ce678b76c78c5c568a5162b6d7673a22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
7c4bb04c8dd83c9fa33952235272d488

SHA1
d2c0644a548cf2b1cb92ada0f99dc050e0ad90e0

SHA256
79cb30aaf98c553800e6daff5a1bfa7a1833d64d923082a7bba025ba4c07b9ce

SHA512
06ac1f5f747fc615ff853d8dd78869b1b895bb8cd5067146aeab7240b7fe68076a9fb2a1edacc20a8a6757dd172cce5d155a3c714c44be36801eb98eb3340f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
4178b46b7c4d5c7c39e70e5f6db6ba5d

SHA1
1c03f7f80bc255186f4f72327f9c8467d83ff5b3

SHA256
623cc74ea056f6a90044b3b5383149fa7f24646a9b54ed509d78d9029936b9b9

SHA512
c79bc787e70c42d0acdfac6c299e0daefe9d79271af0290ba14d5fde94b2895ebf44b5c14458f10deb68e20b33df16a66765a94904f3c4850aaf23271ba23bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d2a2334b85cd7c0f052e4bc64692e2ff

SHA1
40637ffafedf2d39e6f49d5fbfd764eb8056baeb

SHA256
4e2d424ba1b7f93f52d4ee7372c84c844065d7e55d40fc26f0594033c23cef01

SHA512
3fe5f11a657b497b6958589eb94b4d6b3099727629d812ebebef05baa271ba10ec6364dab7c7a77ba5f3281f33e04b423f84b2d7c76d8366c1fad504fe060055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
469b081e8431a2048a830a571d3679b5

SHA1
bd3c1ec5c370a371d21bfee79f5707d5361411a9

SHA256
9bb10574a4d5b4f866ef7938b8c8b7e8d2349f5e00401a624c56b7ade4bc2c95

SHA512
9e1039e2303e631722b18eec4944f906c067707922993e2be2de958677353ff4e11b8970889f72339bd9f5c0db3919ba9197a4097918c6d87e07b0ee50420019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b322774e6240c6b3dd9f3ec679b07bf5

SHA1
20563d97e48fde8d2f92d18bbf952cb8c019a62d

SHA256
1498734135e9d05443c3de012b799556a211176a8b1304be66e9fa712794fa5d

SHA512
683cca7a49ee1a89fabbc0b8a83da8b1f90f73f33eea21b2d0f3af57927ce76fbcb2fd51d0319e8bb0d533c53272f4158cbe8e037605a4e591763f45e27bb002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8f878c36ebb1ebec8ae17ab422607c2

SHA1
51805d53287f7af39a6d85026bc3de2d37df94c1

SHA256
a5061a0c09d798475a7fe6bfd3f8b553bbf22a76bf0705242a526367b3fb7594

SHA512
c81e4466f26a505ea4c1e104d8d691f6f9d12fea9242f3237418a3892b894956a9dcf4d9bf00198b56a9971ed17187d1590b5cf078ad578aca9171f317bde631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0158bbd5c44b218263a4edf1c25c8e5

SHA1
47b4e58108114cce17b3308fc8a916fb9fb9940f

SHA256
97106747c4e60ac3e1ba57853645a0f44c28e65a347e726fba2a1e0fae5b837f

SHA512
76bf30c4c92e423e2793f54e1b86735237a49e95d88ad1fd6a7d1e75612625e05f8c0830390125492d8b245b9db740486f88947acd163059b2050493177e9eba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b3b67382652667704008b0ef29e77253

SHA1
60941922924e1df3ce06f04f4557412f4c4f18bd

SHA256
eccce762beb17108b661b06f7f80387e7b60b9ccc837f22d02b5c36aed07c1fa

SHA512
0cb0f4d5f6aa2034fb24e09a50778c36b4df0e52ee773e2374c770391202b240313e7dcb8da0c7733cf981d3b0f8ce0bbf6131fec154da033ca408430533dc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8407ef4a8811bfc736cf2cf5b4b9cb05

SHA1
1307dbaaf7b7d83326018f0bb801a2e4272f5ac2

SHA256
3d1ee2e211a80ef8738d707d25f5e690c5e3bed334d669d57f8dd5baa2a1b585

SHA512
2cb6b40236a1a95f4ad36493c9719cc5b38994df4041fb7a461567e392696db751cf8dd1fcbb3b7c2bbcca30267463dbee66a30f5a62f04bce21c559a5bbadfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
86242fc25a08f1d6ee725a2ef786b525

SHA1
30f142b9eddff9da013b2e9c56ddc6402c95ba47

SHA256
3fffe276f287f78d184ab4961a1d3bd0ad652e2c0cafd53c0d022dae96299f3a

SHA512
be8fbb9c73f2cde704ba090b0b840673b23a24679b0a11eb4add87e6a5a0282e6f61e78e4a68fc1867b3f10a0e39480944885d4ebbe7f9fff9db033597c60608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
24e7d0853a66414fc97bb3a663a8200c

SHA1
db1ff961377779afd85581abd246b340d5aed3d2

SHA256
b22ac70d4e8efd1aea97adeab4374f5b0f00e1452ef164af16077637f4a0a586

SHA512
ed967ba6fecc81725376465a67412aedbe9d20c5a388e93af9d659d871fc4e4d611fb594e33f6783f45b41d55e6c92789bb663a8f11a3b3a63cdf09482dea5e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
75ec46fba1dc3c4d04913ad8c05a0bd1

SHA1
3de5c4a3a994b9c00838a6ce6b4d11c8c728b73e

SHA256
5444b70b3e4157973dd6acc7c833b53f5588b11768ef7ff31aaeb358e48ad8de

SHA512
5e3e9666c4c552c8c15e35a1eb947eb83fa9956a2000747d8956c5da651a323f992786afa6cd275260c05f3ef8968eef81d82f1895a11099ca2a7446e1a82fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f297aa8e746c4709cd509ced3f327661

SHA1
12e05b26b452ebd54f8bfda88ef2f975494f0499

SHA256
819152bac558a8fb64944483842b6f69c30a1e497c2724102cdab3e3b002a356

SHA512
72f49a5d5cc631adda9815e4c74dbd19ec03dc8006817deca57790a9be3bee570eca9c98ee41547cc9e2f8d1056d1a687498c8fb8e8598ad50ac74c2a8161fbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
d9f702fd4e194aa416d92bf61950ada6

SHA1
40c44c014ba4bfd40e809d3e62e14cf7ce4fa33b

SHA256
7f186a1a24641b4c8d18c97ff55284fcc8b8ef2d8f98153b22fc90f3fa7157f3

SHA512
841d3e7edfb7c81d5205cf9ab249104ad47708402bfe94a44fcdd4ace9b5cbea5a5737597eeece6d8b3ded0828cf99a7200c6f1ee57b21c98273c33b3b5e32be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
119KB

MD5
1a632b7c4785ee1833835585b50594e7

SHA1
681dcd85834f93c5436a611147a08bcbb7b32ef1

SHA256
f731434ba81cad39e64d1ce8d259985dd93c56c9e9cfeddb2d6d0eea4bb7fd2a

SHA512
84098104f71df675f6432414cdb85578d0b3e473ecc6cd21aff92c5ba8d45618884905dc003f7b4748bb88491ad7d37167bcb008a9c4fcccc432cfc0affb5e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
43a788e5021160df7c0b154bbeffd8f8

SHA1
1add3765f4b1c7b9a435747a56f778c1eafeee4f

SHA256
ddfab245362adfef284bcbb529330ed4131bf8dcd9f0cffb3826919646ddefec

SHA512
e3aea2ff3f84b8968f7471b655a55aa87fc194071d1514a1a02ed492f9555b8fadf04a3f0f37ebaade49991698e027fc0c4afaa2e92027357e807971f4d83b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
119KB

MD5
5b0dd0d98e59fa15e2b7fad4b03b8a83

SHA1
7887b676f108611d7f7a361bb986e8f21844ed13

SHA256
bccebbc07a90e3b2d5e3b158a813280e3c8bd6dccc809c2d9a5ca484d3c80af4

SHA512
88b526d64210d1e85733d402c0c6498c10a19bffa41ef2c070d08346a681161dea074201de1f7cd4774b6b581f0489d09f4a1ccb75c4efd9a4cf583cba733452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3481f7dce9c20415da76f10cbcf1feae

SHA1
5d1ef425aba9d15982f190d8895415bfde28c36c

SHA256
08d3eae57788efb98f7d5be328a3e002fed1b38575a7e47c85377c8427a16b84

SHA512
2912a28ce8ee0dce506202d492d48b68a8474d8ea29662e97d4fd18a53aa58d89cde3b1c59df567e9f2e4f59dddba3e0d18820602f4c6259f6190ebbe2049639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
88bcd6370bf4ae8665117b1b508c9e47

SHA1
5afa884cee56930e57ae14cb31936d8485eadb59

SHA256
ca54d8b6a5071f356cd1a1eaf8dda99715aeb23c827a431534f7866b9db35cf1

SHA512
28af836ce36d74cf95cbeb04e2db0abba856e57caed2b5f8cde4eac960aedfb8054eed237697a8ee067be71565691941b66219d0e325989da9029bd0ecca6bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7c80859ca51558b989bdc98782d536e

SHA1
71dc5c48e192373501de1dfebd9fb7d57c36890c

SHA256
1bcff0e5d8c7cf99c9a57123a40ac4d9db612125e63ddabce59ff616b6878db6

SHA512
19b30405aac0d6be5163288762e4a33fec9d018d5d8691b3535467f1d9bdd89b0796ae5a127506c64089beb1e2d80ac69ad70f5590a53659e1fbc4045fdbd47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cc455b2cae00f6d65a6f8dacaaeaff31

SHA1
bf94e07a1673f7af9f9b843cbdb819184884c989

SHA256
fb33d4077ecedfc7e4eb4349fd87d7df23efd0b8a71f3b19fc633e4444815446

SHA512
88f10bfb71e716007a04c3cf4ab02ef23b1eba50180061e2e07dbcde5511e0cc4dd5e37b558082e1693bea6a5cf7078c41156f60e5535cb475d1269de5039a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b68b332648e3b680333dffbae266abc4

SHA1
147e76da40e73eaa38872f9fa2935a414dce8883

SHA256
dbc2e47c53b01cd9dee64183315ea4327ea38ace6076ba9680f6b19084de0b48

SHA512
acb8291cc7ae81061cf286848ab1ad688d444dcc3da79a07da5b5f2c8113fc45af64e81e6d4d87ec2c34ecc9f537e9186b01993bb379184f824bc022fef3a134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18afde52d37fc5adf9122e30f6462105

SHA1
065efe11a988e28ba81da2f54efe35e87971002d

SHA256
48667dab61534af4fabbfe8cc913616cec7f42f795ac45502d522b90ca13444c

SHA512
ffd3eba054f81d568cfcff5853f99bfc7b03180d320de66a642027c1f9ec218f3d8b44c40f8a768f04ed78c40f9461a7acf0fa16a492122103bd2c744e83715e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f408be8-ed74-4a6b-9a93-b8bda86d7521.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\999c2bf0-9a1b-4622-8c7e-6da074b2e25f.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDX17.exe

Filesize
12.0MB

MD5
da53b80f4f4f15dfdc361923c956d7a0

SHA1
d21c7bae35d890f3d513dd66edfca4a5a44d2b33

SHA256
2083419e1347688c72bacffd79dcee432dde0650f970ffc40f32d75c151d8a53

SHA512
8615124d30e1b8e8289ae030760e429165caf856d37d910a99e5945970ec2c3965011d5e6f83e02c1ef330432c9fdf288411c43c16724e9b0f0d78c6ac28441b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDX177.exe

Filesize
12.1MB

MD5
874a09960bf0a3d8b4f5cfc31e20220b

SHA1
22b3a10ff9bca267bf918571ebb64c28e14407f3

SHA256
ad1bc8cfe4a71484b616bf799c079655a11b4978497f8fca82ac6c10363d7cbc

SHA512
31be14a384f48f0d5703ebbcc76fa0e8e30cceafe04ee4dca1155ebb6587d46087cfcded3ea42ef3aa505337ca08c2d3a2d20d6ffd129190f9918ba4f0c42c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\base_library.zip

Filesize
1.3MB

MD5
21bf7b131747990a41b9f8759c119302

SHA1
70d4da24b4c5a12763864bf06ebd4295c16092d9

SHA256
f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa

SHA512
4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\python3.dll

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxgecjvc.shc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1916_40971312\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe

Filesize
62KB

MD5
afc3486911c9ca7d133143be2dff7eec

SHA1
dd35fd8c591abae851b03da703c437546e03e2bd

SHA256
ac39edd764044e21cff5c8e70f07af148b6ce8574fad75b70dafef805ed3e5fa

SHA512
fd469559117160652103a485a640b4fab6900d8707b02b3737c169be48016f7a9b1f35a1e235abe7ed0f6dc4e483ed43343cc8642e7b2e3e64d1d7e8b6468d3d

Download Submit
C:\Users\Admin\Desktop\CDX177.exe

Filesize
12.1MB

MD5
11c1c8e6795c914f4ea8c68c391df66e

SHA1
d89221da98b43ac0036e087e459dbd928787a97f

SHA256
09ce40bc48eaa8d5be9c03f2b2d528de43a09123739a5a35cf7c7dab71968801

SHA512
24baaa10fb74a55d24e718164806f6c6a2bd0f029ff4082964bac2b694661ce22ad1ea3cc50b10e684d79347d3f131b0757380992a1a5b665f278fbad7947f9c

Download Submit
C:\Users\Admin\Downloads\CDX177.rar

Filesize
12.0MB

MD5
ee3260a889d8c68ba4cc76ed5a6a22ac

SHA1
aabc62a74f56f1db243e0cf3d741c5e63d0f5448

SHA256
df8064b4e7be3e38d3a667e8f398492e23b1214f8afa59bb09307e495a006daf

SHA512
c01ffc3e523c0205b6cb3e49ba88775c4edd1b6a66028023def06ba3769f17be95e2ac2517db5e96c1061d7f8413550a2ed24d3b8e386ef1ca15f8d4dcdfc736

Download Submit
memory/784-945-0x0000024FFC980000-0x0000024FFC9A2000-memory.dmp

Filesize
136KB

Download
memory/5420-978-0x0000000000E70000-0x0000000000E86000-memory.dmp

Filesize
88KB

Download
memory/5964-843-0x0000000000010000-0x0000000000C16000-memory.dmp

Filesize
12.0MB

Download