Analysis
-
max time kernel
100s -
max time network
95s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
10-11-2024 20:41
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/2396-448-0x0000000000400000-0x0000000000432000-memory.dmp family_stormkitty -
Stormkitty family
-
Executes dropped EXE 4 IoCs
pid Process 3252 RebelCracked.exe 4892 RuntimeBroker.exe 4404 RebelCracked.exe 2396 RuntimeBroker.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4892 set thread context of 2396 4892 RuntimeBroker.exe 118 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RuntimeBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RuntimeBroker.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings OpenWith.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 5228 msedge.exe 5228 msedge.exe 5348 msedge.exe 5348 msedge.exe 5600 msedge.exe 5600 msedge.exe 2600 identity_helper.exe 2600 identity_helper.exe 5244 msedge.exe 5244 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1332 7zG.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid Process 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeRestorePrivilege 1332 7zG.exe Token: 35 1332 7zG.exe Token: SeSecurityPrivilege 1332 7zG.exe Token: SeSecurityPrivilege 1332 7zG.exe Token: SeRestorePrivilege 5676 7zG.exe Token: 35 5676 7zG.exe Token: SeSecurityPrivilege 5676 7zG.exe Token: SeSecurityPrivilege 5676 7zG.exe Token: SeRestorePrivilege 2260 7zG.exe Token: 35 2260 7zG.exe Token: SeSecurityPrivilege 2260 7zG.exe Token: SeSecurityPrivilege 2260 7zG.exe Token: SeDebugPrivilege 2396 RuntimeBroker.exe -
Suspicious use of FindShellTrayWindow 58 IoCs
pid Process 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 1332 7zG.exe 5676 7zG.exe 2260 7zG.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe 5348 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5600 OpenWith.exe 2256 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5348 wrote to memory of 3348 5348 msedge.exe 77 PID 5348 wrote to memory of 3348 5348 msedge.exe 77 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 4880 5348 msedge.exe 78 PID 5348 wrote to memory of 5228 5348 msedge.exe 79 PID 5348 wrote to memory of 5228 5348 msedge.exe 79 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80 PID 5348 wrote to memory of 1136 5348 msedge.exe 80
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/by9n59rwi4ek33p/Rebel.7z/file1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5348 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff994db3cb8,0x7ff994db3cc8,0x7ff994db3cd82⤵PID:3348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵PID:4880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:82⤵PID:1136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:4796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:12⤵PID:6096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:12⤵PID:1484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵PID:2944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:12⤵PID:2216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:12⤵PID:3460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵PID:1756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:12⤵PID:5612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:12⤵PID:5944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:12⤵PID:5920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:12⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:12⤵PID:5644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:12⤵PID:5776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:12⤵PID:4972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:12⤵PID:4188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7332 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5244
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5004
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:740
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:984
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap7807:88:7zEvent156881⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1332
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5600
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2256
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap22173:88:7zEvent117281⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5676
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap32258:88:7zEvent68461⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2260
-
C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"1⤵
- Executes dropped EXE
PID:3252 -
C:\Users\Admin\AppData\Local\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Users\Admin\AppData\Local\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\RuntimeBroker.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
-
C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"2⤵
- Executes dropped EXE
PID:4404
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
706B
MD51356da7590c7343415dc5977d32b17c8
SHA16b2d7cb07839255395f6b24391fe5fec5201e359
SHA2562126fa4651af160534e852712f55be80e16308e9cad3fed7b0bd3ac6ce528702
SHA5126f1cff058fd47eb299d81dcb53d6c8138d433c8f2d44fc281639ed72f88bfcaa56e100367a77f856a8e06a490a932bc0ae53d6ed10e78fcfbebb97be9d8cb97c
-
Filesize
152B
MD5003b92b33b2eb97e6c1a0929121829b8
SHA16f18e96c7a2e07fb5a80acb3c9916748fd48827a
SHA2568001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54
SHA51218005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77
-
Filesize
152B
MD5051a939f60dced99602add88b5b71f58
SHA1a71acd61be911ff6ff7e5a9e5965597c8c7c0765
SHA2562cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10
SHA512a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\226dbf78-f8cb-4254-95cc-1dd07f005925.tmp
Filesize10KB
MD559e35b5eb8a5bc19b923b300b728965f
SHA10e583a06993239e63a4ec2d33e72b78f12ffac7e
SHA256017d1483211fccac8663f9d169563765633a9cd8e675d45e9ec0368614dcde27
SHA5127fbd4ee8003aa3f6890ed0c7cecf22a16cf5d861896a2fe64a8b51f100128095e4e6aaa00420cfef425ade5da468c0999a35edbc8f3a62f5d0d7e0dcaad4d2ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5fccd0915042e17d17f42a8e9bdf569a0
SHA1a535eb70a75164b26ce6319a49b184dbae715701
SHA256e66d9b769f428df82d1193ee334db3657f878884ee13d7d933a8354a23da1924
SHA5120c0507661cd35389b0bbe3c0eaee7acaa646fc5d132509050580b99402f0044c4223433231580e6789f2cb943c84906db53658560fcdfd127ca5f70676e15daf
-
Filesize
9KB
MD52beaf2ec87aa0204769631c690ff5c58
SHA191796501f570c89ee503a0de696945dcaa779c86
SHA2564f2429f56f8640bf3b73284f4447ed2b201fa27ba6e7ddce7c66258051377ff3
SHA5126e956261bf7b78ccb57d6124ae9debafd09c23fa5fa37d45447d52be496901da24a310f5139bc5453c1642386140b3b197930d156c805f589662c04b980bd560
-
Filesize
5KB
MD51665ab878f90d1a56dd3454e3f0dde18
SHA163494d365428bf653f8446630ee7b639d08e85f3
SHA25621a36d2336e5d3f0f196a6ecc549d07182e98ee87693eb08096b86014276efa2
SHA5124baf015f210d47226b279d03629ef0bc8c463b2e91bb29454833f2550e9a26492c4ccc7bd74003a0c0448eaa721f205b729a9c8b224c4b96937ee6ac5187c50c
-
Filesize
10KB
MD579267b0982f10d319faa41ba07c42ece
SHA1671abec5d5d76303cddde0f8c506ead0fc36a761
SHA256b9d2349378a1ab8a85713d7a398571b6e5ff0222b6eb643be0fbef1cea2c71b8
SHA512c40d685b5362d61d12c7f8a5241ede8c39a46285b5f4b2ce284937f213c88db521e53b169068539eab3d74eec301b5605fa842fabf3370b96808aafaa9bfda19
-
Filesize
2KB
MD5550d0e6c12cb2065f5b31f23dfc84959
SHA15a75735841a618081700ded3d01e59842a1bf71c
SHA2567d8c2c39e079f0f41253a37e44a2a7d4e033442d8cf8c449c30099245cb250bc
SHA5127982130aebf1a32350d9d4c17021b6b639ff26675a55431d07bc917aab642d9811b6ea0f27d4d47ba851c0480635817b4eeca5ed17b5f817d90b9b258b09363b
-
Filesize
2KB
MD5eebe3d7b2f640fa01d16338a192a08a7
SHA12caaeb2667888876978795efcd1522b62d058271
SHA256b1b2a019a352599ded870f2830b7bf3b03c3ee068557e9bd6343a8a8de17e98e
SHA51238f55a1bdba7b362232b57675b976a43af8fecf9660301a7af8ac5b59104dfe3b60f97e31a382925c148d6675d7ebbd82954ffddfe55f6c3f1077feb2fc91d4d
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5ade2d318cd5c6dc64b1c2ba8abb109bf
SHA13146b5e65cecd57d6ca74bd516791f8b2e1b19af
SHA256be24dfdc5e054f0c962bf139737362671e3f82a783e6d1688f6b335aef8b5e99
SHA512c474eee35883c5e724754691e5dc066e88f98ff32cd6b00d91ef89b84e0340dcd110beace519c2eea3941e43de24ba2bd418efe912015f11f2cf5b4e597b821d
-
Filesize
10KB
MD5088cf21400fb766fb64b0df4c64ae123
SHA1b493176295bf7806b05e68c9c966245812b487c1
SHA256c5b6ddc61dc50c0e1758ba38306718c9ef1ec88f47e31ea767a7175235901dc1
SHA512f463e54dc9da1d47621a60546f901af550d3b73ff8527a4d9f5b0ddcf7b4ce89482cbc7079d3f33d3e8d6220b03662e6774bf0f8034bfaf04b95e311f55e0f81
-
Filesize
330KB
MD575e456775c0a52b6bbe724739fa3b4a7
SHA11f4c575e98d48775f239ceae474e03a3058099ea
SHA256e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3
SHA512b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471
-
Filesize
344KB
MD5a84fd0fc75b9c761e9b7923a08da41c7
SHA12597048612041cd7a8c95002c73e9c2818bb2097
SHA2569d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98