stormkitty | 26e8bfe6387a4568268cdca0a4e29e91ac931ca992c4f302b1959d618c40f785

Analysis

max time kernel
591s
max time network
595s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-09-2024 23:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SkibidiSigmaMenu.exe
Size

70KB
MD5

9bb0248901431694342b164db44348bb
SHA1

369504cc3868711bc8595c3dd27d0a147fffc84f
SHA256

26e8bfe6387a4568268cdca0a4e29e91ac931ca992c4f302b1959d618c40f785
SHA512

ac7183655cdcaec9cc814ebd995b8cbfd6fead495d48c2d3fba613c6747ff9da88d3c3558df914ca73e2eaae41833ed5defff79188d600e3b19763a887348878
SSDEEP

1536:DMhSs+/aEqCyQQE+g5bQxLOVqMI6dmuOPtO01exz:Ah/+SXzu5b60rhO1Ougz

Score

10^/10

stormkitty xworm credential_access discovery execution persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

sale-florence.gl.at.ply.gg:15298

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4712-1214-0x00000000015D0000-0x00000000015DE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4712-1-0x0000000000CD0000-0x0000000000CE8000-memory.dmp	family_xworm
behavioral1/files/0x0012000000025b25-73.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4712-76-0x000000001D620000-0x000000001D740000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5048	powershell.exe
764	powershell.exe
2204	powershell.exe
4860	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Falcon.lnk	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Falcon.lnk	SkibidiSigmaMenu.exe

Executes dropped EXE 10 IoCs

pid	Process
1284	Falcon
4440	Falcon
4388	Falcon
1236	Falcon
1952	Falcon
4688	Falcon
3632	Falcon
5080	Falcon
3184	Falcon
2076	Falcon

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Falcon = "C:\\Users\\Admin\\AppData\\Local\\Falcon"	SkibidiSigmaMenu.exe

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Links\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3007475212-2160282277-2943627620-1000\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	SkibidiSigmaMenu.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	SkibidiSigmaMenu.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	SkibidiSigmaMenu.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	SkibidiSigmaMenu.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4736	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1372	vlc.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
5048	powershell.exe
5048	powershell.exe
764	powershell.exe
764	powershell.exe
2204	powershell.exe
2204	powershell.exe
4860	powershell.exe
4860	powershell.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
4712	SkibidiSigmaMenu.exe
660	msedge.exe
660	msedge.exe
1864	msedge.exe
1864	msedge.exe
4840	msedge.exe
4840	msedge.exe
2296	identity_helper.exe
2296	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1372	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	SkibidiSigmaMenu.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4712	SkibidiSigmaMenu.exe
Token: SeDebugPrivilege	1284	Falcon
Token: SeDebugPrivilege	4440	Falcon
Token: 33	400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	400	AUDIODG.EXE
Token: SeDebugPrivilege	4388	Falcon
Token: SeDebugPrivilege	1236	Falcon
Token: SeDebugPrivilege	1952	Falcon
Token: SeDebugPrivilege	4688	Falcon
Token: SeDebugPrivilege	3632	Falcon
Token: SeDebugPrivilege	5080	Falcon
Token: SeDebugPrivilege	3184	Falcon
Token: 33	4644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4644	AUDIODG.EXE
Token: 33	1372	vlc.exe
Token: SeIncBasePriorityPrivilege	1372	vlc.exe
Token: SeDebugPrivilege	2076	Falcon
Token: SeShutdownPrivilege	4712	SkibidiSigmaMenu.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe
1372	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4712	SkibidiSigmaMenu.exe
1872	MiniSearchHost.exe
1372	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 5048	4712	SkibidiSigmaMenu.exe	81
PID 4712 wrote to memory of 5048	4712	SkibidiSigmaMenu.exe	81
PID 4712 wrote to memory of 764	4712	SkibidiSigmaMenu.exe	86
PID 4712 wrote to memory of 764	4712	SkibidiSigmaMenu.exe	86
PID 4712 wrote to memory of 2204	4712	SkibidiSigmaMenu.exe	88
PID 4712 wrote to memory of 2204	4712	SkibidiSigmaMenu.exe	88
PID 4712 wrote to memory of 4860	4712	SkibidiSigmaMenu.exe	90
PID 4712 wrote to memory of 4860	4712	SkibidiSigmaMenu.exe	90
PID 4712 wrote to memory of 4736	4712	SkibidiSigmaMenu.exe	92
PID 4712 wrote to memory of 4736	4712	SkibidiSigmaMenu.exe	92
PID 4712 wrote to memory of 1864	4712	SkibidiSigmaMenu.exe	100
PID 4712 wrote to memory of 1864	4712	SkibidiSigmaMenu.exe	100
PID 1864 wrote to memory of 3108	1864	msedge.exe	101
PID 1864 wrote to memory of 3108	1864	msedge.exe	101
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 1580	1864	msedge.exe	102
PID 1864 wrote to memory of 660	1864	msedge.exe	103
PID 1864 wrote to memory of 660	1864	msedge.exe	103
PID 1864 wrote to memory of 1076	1864	msedge.exe	104
PID 1864 wrote to memory of 1076	1864	msedge.exe	104
PID 1864 wrote to memory of 1076	1864	msedge.exe	104
PID 1864 wrote to memory of 1076	1864	msedge.exe	104
PID 1864 wrote to memory of 1076	1864	msedge.exe	104
PID 1864 wrote to memory of 1076	1864	msedge.exe	104
PID 1864 wrote to memory of 1076	1864	msedge.exe	104
PID 1864 wrote to memory of 1076	1864	msedge.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SkibidiSigmaMenu.exe
"C:\Users\Admin\AppData\Local\Temp\SkibidiSigmaMenu.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SkibidiSigmaMenu.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SkibidiSigmaMenu.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Falcon'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Falcon'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Falcon" /tr "C:\Users\Admin\AppData\Local\Falcon"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff988943cb8,0x7ff988943cc8,0x7ff988943cd8
    3⤵
    PID:3108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13381732961067064480,1331060739958126071,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
    3⤵
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,13381732961067064480,1331060739958126071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,13381732961067064480,1331060739958126071,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13381732961067064480,1331060739958126071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:3820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13381732961067064480,1331060739958126071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,13381732961067064480,1331060739958126071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4840
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13381732961067064480,1331060739958126071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2296
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ghsljo.vbs"
  2⤵
  PID:1176
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\irbuwn.mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2316

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Users\Admin\AppData\Local\Falcon
C:\Users\Admin\AppData\Local\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Falcon

Filesize
70KB

MD5
9bb0248901431694342b164db44348bb

SHA1
369504cc3868711bc8595c3dd27d0a147fffc84f

SHA256
26e8bfe6387a4568268cdca0a4e29e91ac931ca992c4f302b1959d618c40f785

SHA512
ac7183655cdcaec9cc814ebd995b8cbfd6fead495d48c2d3fba613c6747ff9da88d3c3558df914ca73e2eaae41833ed5defff79188d600e3b19763a887348878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Falcon.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
64ea7891ce464cac6ead073d11d05cb6

SHA1
a34dece047e9d7f78878d15ef6e4bea6b9ae5ebe

SHA256
81d266e8c7470ff579a164e31971551c4226f4122f4f8ed07244bb1a9f42d288

SHA512
47368ff80a329b26fdbd2142965d65191d0ecd704c9ee200b0b4d8b07628eb78d239d7982a983b405352d895f140b4576754d7989a1b20e2f9f91fd35558b262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
beddacaa9f0a7e86c74cf02750222d0d

SHA1
50b39d51a61f601a965d63b2ea3b420d2eff164c

SHA256
178692341dbb9fe42c21a54e0c96ab919522086b703d2791334c71058622ec8a

SHA512
0ade09c1491fac4ef7982afb582b6f49a0c6d3121aa5e7a01f8a2589392f26588df8f2b91879192bd6894946b8fa5b6a06f48940a50edb28d6d80e7c5a9d4ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a1e42978cba8475fa4a464cd1ba50b92

SHA1
757bd11f85e60ab2760856c265941db911845dbf

SHA256
c3d1aee0c11f76e29056868ebd9d9caabad8b4c99e7298f23e7a54b911695593

SHA512
5b52a4eda632b29b32c35730c5940ff2f6b29d0442f93f329d398a717324c06e4107c1e7252bf1e372785117244544547754a596b482291566003c20d275b8ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c3e08121cabb9380e3d50cadde97d53a

SHA1
0e666954e83e97e3883e52092fe2be88a520e8f8

SHA256
76e1d3ab7320c4b863adb091b5b77205d81e13eafb539a18ebe3d8ea46b29433

SHA512
9a6ef7710781d2f3a1f873129b21990548c1b275720080d87fe4051b464b0aef4ad8625656c388a65163563c6fb2086c29c01ba5f518c5b9679e7227fcc7941f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d9c90cc81a3965139958ce95221b3e3f

SHA1
e1053a91bd6481e12b86b6a79aae7193e44875b4

SHA256
f99e8c101bde6270bec53e6c18f76fb0f7973acf74f15fac1462b85f2872b1ac

SHA512
a3d4907bcba240286c401ad824fba47f7d1029ddc0ccc776a52049fc2668a7503adf115fe013c1d536d7acb733610b68432a4ccf5069df06f5b7551605128e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpfrlq4u.ggn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghsljo.vbs

Filesize
86B

MD5
ce65d24b7fa15cf5cd386f73ebf401ae

SHA1
c5956e48003f6447757cfc68351e434c93d7fd29

SHA256
a7d896d40208d80856728dd14f279510d0c7dcc00c4aa238714ebd7f8774e081

SHA512
942b490f1ecbcc828fef87fc322c379348ffa46d020d22b288075c40012b1d6ec42a0da4a16b09f607c5011bfbe5055d8e73ddf907da15cd188823e833c33a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\irbuwn.mp3

Filesize
7.6MB

MD5
480f0961f2413fd7e517bafe8ff44b2f

SHA1
f4cf3d714c19b1148011b9c2183fd5ba32655cc2

SHA256
f90438691ecb4ea5d042475e337dee9727c8a61749ada9f5511210c73bb5457f

SHA512
c39b06156dc608e0ff37f3fdd9a9fd4adfed35ab7b48496abd62dd2ceadfe94b858e71bfa9516a133ce28ee5bbd126fa82d527b4220bd50e5f02971e63bf8d35

Download Submit
C:\Users\Admin\Contacts\desktop.ini

Filesize
412B

MD5
449f2e76e519890a212814d96ce67d64

SHA1
a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd

SHA256
48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7

SHA512
c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
642B

MD5
5d4fb876db28ff74943b4ff4299ad462

SHA1
dc65b3780ccd15d3042be500b0c44bbcc2839f20

SHA256
b9051462858ca68913737d30737a13a2497c5c4bf329eedb1797883f47d86c32

SHA512
617e1f4571cceedf626cdf7c6cd46bc9670c0f11a1b6f21277843e16dc6914ece8257f3f37c81e25dfb7b928bbb0aaf55f55ef1909f0d215a4afb2d653daa639

Download Submit
C:\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Users\Admin\Links\desktop.ini

Filesize
504B

MD5
3b960da228cc489b622697659c885d64

SHA1
00686a12f1a43501f6eea2140da9be141a11bd3b

SHA256
a4234e2cf44c57609fd7cb0f9f0a33ee136b542fba5121ac02d85b38fb2ea02d

SHA512
3cc46f016865b3d541506cb15d7b22c83e1434bf73de23b158101aff08532eac29a6d9709060e9681cbeb375e2f843497ce80c3085579a8266c7f22b9567efd6

Download Submit
C:\Users\Admin\Music\desktop.ini

Filesize
504B

MD5
06e8f7e6ddd666dbd323f7d9210f91ae

SHA1
883ae527ee83ed9346cd82c33dfc0eb97298dc14

SHA256
8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68

SHA512
f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
8a0012774251850b1f60aa627b6dd439

SHA1
1154824c4b220d213e511cd7ed0c7db04ef80348

SHA256
f37926501ca0d9d29b70b4150e21bf4875444baf67eb993c3b1bddc1d9a032e5

SHA512
f28a0ef42011d94189e0616642db21197b5aaf9498896ac00c382ac8ce8736e22f71b152dda9bdc6aa45f3ce3806c19ccf2b71521f4acbe8336c0ea11a5fdc4f

Download Submit
C:\Users\Admin\OneDrive\desktop.ini

Filesize
96B

MD5
c193d420fc5bbd3739b40dbe111cd882

SHA1
a60f6985aa750931d9988c3229242f868dd1ca35

SHA256
e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc

SHA512
d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0

Download Submit
C:\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\Saved Games\desktop.ini

Filesize
282B

MD5
b441cf59b5a64f74ac3bed45be9fadfc

SHA1
3da72a52e451a26ca9a35611fa8716044a7c0bbc

SHA256
e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311

SHA512
fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

Download Submit
C:\Users\Admin\Searches\desktop.ini

Filesize
524B

MD5
089d48a11bff0df720f1079f5dc58a83

SHA1
88f1c647378b5b22ebadb465dc80fcfd9e7b97c9

SHA256
a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17

SHA512
f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

Download Submit
C:\Users\Admin\Videos\desktop.ini

Filesize
504B

MD5
50a956778107a4272aae83c86ece77cb

SHA1
10bce7ea45077c0baab055e0602eef787dba735e

SHA256
b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978

SHA512
d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

Download Submit
memory/4712-895-0x000000001D170000-0x000000001D17D000-memory.dmp

Filesize
52KB

Download
memory/4712-894-0x000000001C6E0000-0x000000001C6E9000-memory.dmp

Filesize
36KB

Download
memory/4712-116-0x000000001B980000-0x000000001B98C000-memory.dmp

Filesize
48KB

Download
memory/4712-898-0x000000001C690000-0x000000001C6D6000-memory.dmp

Filesize
280KB

Download
memory/4712-904-0x000000001BCA0000-0x000000001BCAA000-memory.dmp

Filesize
40KB

Download
memory/4712-1060-0x000000001BDB0000-0x000000001BE60000-memory.dmp

Filesize
704KB

Download
memory/4712-1061-0x000000001DF70000-0x000000001E498000-memory.dmp

Filesize
5.2MB

Download
memory/4712-0-0x00007FF990D33000-0x00007FF990D35000-memory.dmp

Filesize
8KB

Download
memory/4712-1-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/4712-897-0x000000001D1A0000-0x000000001D1AB000-memory.dmp

Filesize
44KB

Download
memory/4712-896-0x000000001D180000-0x000000001D19E000-memory.dmp

Filesize
120KB

Download
memory/4712-893-0x000000001C690000-0x000000001C6D6000-memory.dmp

Filesize
280KB

Download
memory/4712-892-0x000000001C600000-0x000000001C68E000-memory.dmp

Filesize
568KB

Download
memory/4712-2-0x00007FF990D30000-0x00007FF9917F2000-memory.dmp

Filesize
10.8MB

Download
memory/4712-1214-0x00000000015D0000-0x00000000015DE000-memory.dmp

Filesize
56KB

Download
memory/4712-76-0x000000001D620000-0x000000001D740000-memory.dmp

Filesize
1.1MB

Download
memory/4712-60-0x00007FF990D30000-0x00007FF9917F2000-memory.dmp

Filesize
10.8MB

Download
memory/4712-52-0x00007FF990D33000-0x00007FF990D35000-memory.dmp

Filesize
8KB

Download
memory/5048-17-0x00007FF990D30000-0x00007FF9917F2000-memory.dmp

Filesize
10.8MB

Download
memory/5048-14-0x00007FF990D30000-0x00007FF9917F2000-memory.dmp

Filesize
10.8MB

Download
memory/5048-13-0x000002D251F00000-0x000002D251F22000-memory.dmp

Filesize
136KB

Download
memory/5048-4-0x00007FF990D30000-0x00007FF9917F2000-memory.dmp

Filesize
10.8MB

Download
memory/5048-3-0x00007FF990D30000-0x00007FF9917F2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads