stormkitty | 6ef09a9d766a9ca209da5fc075de5c3e7152c3f49e88bb2db61e061f0bd2184d

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
Size

3.4MB
MD5

cdcc0ad2446684e736fa5813caee0a57
SHA1

21aad2f791e2c12deed221484ff00ed8a0edb799
SHA256

6ef09a9d766a9ca209da5fc075de5c3e7152c3f49e88bb2db61e061f0bd2184d
SHA512

6d17654a61116fab4b0b1128699dbbf2751d63e78615f822452a9a1ebe62889df401ed1ba795a04535446c86d4b122036f346e8744e6ac15d6e9c8a1240ec6c2
SSDEEP

98304:lnbDOSv7J7SvNZZToTcMBailCO3QBKGFqL9z/2MSbB:xOKF7SJToAMU8uBK2qL9ZSF

Score

10^/10

stormkitty collection discovery evasion stealer themida trojan

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-11-0x00000000005E0000-0x0000000000E76000-memory.dmp	family_stormkitty
behavioral2/memory/744-12-0x00000000005E0000-0x0000000000E76000-memory.dmp	family_stormkitty
behavioral2/memory/744-82-0x00000000005E0000-0x0000000000E76000-memory.dmp	family_stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/744-11-0x00000000005E0000-0x0000000000E76000-memory.dmp	themida
behavioral2/memory/744-12-0x00000000005E0000-0x0000000000E76000-memory.dmp	themida
behavioral2/memory/744-82-0x00000000005E0000-0x0000000000E76000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

pid	process
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1840 744 WerFault.exe cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

pid	pid_target	process	target process
1840	744	WerFault.exe	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
1020	msedge.exe
1020	msedge.exe
2748	msedge.exe
2748	msedge.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
1072	msedge.exe
1072	msedge.exe
1100	msedge.exe
1100	msedge.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

2748 msedge.exe
2748 msedge.exe
1100 msedge.exe
1100 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 744 cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
Token: SeSecurityPrivilege 1908 msiexec.exe

description	pid	process
Token: SeDebugPrivilege	744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
Token: SeSecurityPrivilege	1908	msiexec.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

msedge.exemsedge.exe

pid	process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exemsedge.exe

description	pid	process	target process
PID 744 wrote to memory of 2748	744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe	msedge.exe
PID 744 wrote to memory of 2748	744	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe	msedge.exe
PID 2748 wrote to memory of 2872	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2872	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1660	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1020	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1020	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4548	2748	msedge.exe	msedge.exe

outlook_office_path 1 IoCs

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

outlook_win_path 1 IoCs

Processes:

cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cdcc0ad2446684e736fa5813caee0a57_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa9646f8,0x7ff9fa964708,0x7ff9fa964718
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2145599939312098000,4408013759439729728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:1660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2145599939312098000,4408013759439729728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2145599939312098000,4408013759439729728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2145599939312098000,4408013759439729728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2145599939312098000,4408013759439729728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:13752
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa9646f8,0x7ff9fa964708,0x7ff9fa964718
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,103693812118826114,5547255139905846873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:1528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,103693812118826114,5547255139905846873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,103693812118826114,5547255139905846873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,103693812118826114,5547255139905846873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:3492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,103693812118826114,5547255139905846873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 2464
  2⤵
  - Program crash
  PID:1840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 744 -ip 744
1⤵
PID:1756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
6774e4a261d40e7266daa86e8d78e4f3

SHA1
6af5a7c7f5cde78cc3e8692836a84ea39c9a21d9

SHA256
dd4c9e2197f68c77b34882bef1411ee1d5d8583aabf0e34fd32a200c357d9da0

SHA512
9dc311db21c07de76b2b38e9522d7e57b54d345aafbb26d9627e1cd7ae2bfacc719c7c76a202059d2e1146e885fde13a1e01dae79bcb9c3f77eda7a52d739f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2bf096ff353a69ee14627f23dba4ed40

SHA1
1f97015ec80333bc5396119509659f0fe72195f0

SHA256
3ed29db9ecaabad100e8ca9d78d410259c31ae252111bcfaa23cacda8bc84176

SHA512
26d92d2c893805093bcc8cec8e8481bf1dbac747e836eec0d98ca9fd4c57e29cba52966578408437496381386bea5f66276a941ee6b7e4a7dcc6df4c00dbf96f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
118B

MD5
7733303dbe19b64c38f3de4fe224be9a

SHA1
8ca37b38028a2db895a4570e0536859b3cc5c279

SHA256
b10c1ba416a632cd57232c81a5c2e8ee76a716e0737d10eabe1d430bec50739d

SHA512
e8cd965bca0480db9808cb1b461ac5bf5935c3cbf31c10fdf090d406f4bc4f3187d717199dcf94197b8df24c1d6e4ff07241d8cfffd9aee06cce9674f0220e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
5cfab8d308095cbbc30deabeeeca6dd4

SHA1
2fc765f7423c297065524e9550e5fc1016561e89

SHA256
a99594a46c2a788bafb0cd7f8243657726f73303a7495bace735708a1e9e3cd6

SHA512
a4cbe7a02f2615ca0cc72e09d99078a00bd011dcb7cd98b9eb6434881b3a7cd668ebc51e98d6addd1ae721715191ce65cba53900062bbae8397838230120fb61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
89146c8f4d424507ded11fffa6db1667

SHA1
d40e209c61f12046dcdf3496c7dafbd240844409

SHA256
913000bde1b1b559316f0c03bf29126b18749fd1f8417df4e52ee7dc2a314027

SHA512
ad25e294753326e271350085961fd8b91a78c20cc1cddf9b57e7d06d94c9161732c2595d60693b35fe30d8db088774b46ebc06a28fdd60ba8ae652f9297ac6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
48229148fbc30ff607a4bb8fe89724aa

SHA1
46818e79abee6d561bb87e23bc02a6a3c5e9bedf

SHA256
8557b04a6a43cec6ca00011890b3950cd4d8a6fc3995505fc651dc46598359c6

SHA512
6684a9e689d779add54f4b2adb8fc2e819398e2c6607a170d68a1e1908057cf6d59e94ac8b54703ec9563c4c6c740402820834dc69331a713f2f9f936ab10fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
b70244b1857cc550c454c7979452e303

SHA1
281588d74652c53dab6d147e330a6ab24fe96bf6

SHA256
174cbe86b02fb6f3f8c972090967be8b7577bfac427c7a3c87598e08f5ac164c

SHA512
b73100f8a4d946730c9ea8e86a0cbd90b173662e599812d6aadbcc8647b02f52aa065e32131e101aff26788dd5bd1c9f103ec00bad4ac0b84af6449ccd66b93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
e324756181871fcef40086c0a3e5ddc7

SHA1
5486a46af0d6fedafbde9d5eeaffdb0c15d94640

SHA256
88d9d79ad74f16168f8e0210acd714ba09572128516da839529a667191d40b37

SHA512
2b5b37ac2459840c2f426fbc29fb4aaae24a83e805a487e3c98338754a1d7b40c0bbc38fbc3ec2a9d595856ab8d313d057ef578782294c711ca919cbf2eece9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
\??\pipe\LOCAL\crashpad_2748_LKWNFOEYUWBTCRNQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/744-71-0x0000000007460000-0x0000000007A04000-memory.dmp

Filesize
5.6MB

Download
memory/744-0-0x00000000005E0000-0x0000000000E76000-memory.dmp

Filesize
8.6MB

Download
memory/744-17-0x0000000005ED0000-0x0000000005F62000-memory.dmp

Filesize
584KB

Download
memory/744-83-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-5-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-8-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-35-0x00000000005E0000-0x0000000000E76000-memory.dmp

Filesize
8.6MB

Download
memory/744-15-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-14-0x00000000059C0000-0x0000000005A5C000-memory.dmp

Filesize
624KB

Download
memory/744-13-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/744-57-0x00000000769A0000-0x00000000769A1000-memory.dmp

Filesize
4KB

Download
memory/744-16-0x0000000005DB0000-0x0000000005E26000-memory.dmp

Filesize
472KB

Download
memory/744-12-0x00000000005E0000-0x0000000000E76000-memory.dmp

Filesize
8.6MB

Download
memory/744-11-0x00000000005E0000-0x0000000000E76000-memory.dmp

Filesize
8.6MB

Download
memory/744-2-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-7-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-1-0x00000000769A0000-0x00000000769A1000-memory.dmp

Filesize
4KB

Download
memory/744-3-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-6-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download
memory/744-82-0x00000000005E0000-0x0000000000E76000-memory.dmp

Filesize
8.6MB

Download
memory/744-4-0x0000000076980000-0x0000000076A70000-memory.dmp

Filesize
960KB

Download