stormkitty | hxxps://mega[.]nz/file/ty03nJpZ#brr8ENYfmgjxTl_Ekxv2jBL08yGXw6sF_X1NWFFqdMo

Analysis

max time kernel
145s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-12-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ty03nJpZ#brr8ENYfmgjxTl_Ekxv2jBL08yGXw6sF_X1NWFFqdMo

Score

10^/10

stormkitty xworm defense_evasion discovery execution persistence rat spyware stealer trojan vmprotect

Malware Config

Extracted

Family

xworm

designed-paragraph.gl.at.ply.gg:6553

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4580-447-0x000000001BB80000-0x000000001BB8E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4580-397-0x00000000002A0000-0x00000000002D0000-memory.dmp	family_xworm
behavioral1/files/0x000400000000069b-396.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4580-448-0x000000001CF00000-0x000000001D020000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5096	powershell.exe
5160	powershell.exe
2976	powershell.exe
5428	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	Cloud.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	Cloud.exe

Executes dropped EXE 3 IoCs

pid	Process
5560	Cheat.EXE
2056	FIXROB~1.EXE
4580	Cloud.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000400000002a479-503.dat	vmprotect

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Cheat.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FIXROB~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe"	Cloud.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Cheat.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Cheat.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
5476	msedge.exe
5476	msedge.exe
3220	msedge.exe
3220	msedge.exe
2140	identity_helper.exe
2140	identity_helper.exe
2824	msedge.exe
2824	msedge.exe
872	msedge.exe
872	msedge.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5160	powershell.exe
5160	powershell.exe
5160	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
5428	powershell.exe
5428	powershell.exe
5428	powershell.exe
4580	Cloud.exe
4580	Cloud.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	3092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3092	AUDIODG.EXE
Token: SeDebugPrivilege	4580	Cloud.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4580	Cloud.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 5756	3220	msedge.exe	79
PID 3220 wrote to memory of 5756	3220	msedge.exe	79
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 4756	3220	msedge.exe	80
PID 3220 wrote to memory of 5476	3220	msedge.exe	81
PID 3220 wrote to memory of 5476	3220	msedge.exe	81
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82
PID 3220 wrote to memory of 6052	3220	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/ty03nJpZ#brr8ENYfmgjxTl_Ekxv2jBL08yGXw6sF_X1NWFFqdMo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3d2e3cb8,0x7ffc3d2e3cc8,0x7ffc3d2e3cd8
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1124 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:4240
- C:\Users\Admin\Downloads\Cheat.EXE
  "C:\Users\Admin\Downloads\Cheat.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FIXROB~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FIXROB~1.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cloud.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cloud.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cloud.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Cloud.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,17940334763252170530,7916608676003742107,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6472 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\pcaui.exe
C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3da17551db6b74e9a2044159d60ec7e3

SHA1
f105c9ef03b8c23268468aab6c5e661605c29aa8

SHA256
15ac634eed69e3a760e4ae5e1d79cb5fdf62147913a26b962619d012e77b831c

SHA512
8941257a7619c7622c71c1e40bdf93eb6a52cc17055c4c63c02cd7e156fba9e1ef9988e3357d4bfdb815bb4ef0ba6634f6c51e4b59ee6ea8e486dda2e6c67e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
5f4ce2f3dc319ee03f66a4b3ddba8956

SHA1
8874cefe5dacb2c14c096366743710fb27f01643

SHA256
ce8edf766ad7901535458e9e096df7f02029a479c151d3388eadb512c59ebe80

SHA512
3ccd1c51d3a35bba83d770919689972732cf0e0008b6269962ae9931c91fbf2b2b8530761a987ebf157290ce1b0e5c97fb47d6981eafeb0ebba76d3e59ac315b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000

Filesize
4.5MB

MD5
77639c458113079063382764f3a700f0

SHA1
1f74288cad6a728e191349c641d79e06b8e8ef7a

SHA256
b49c087ffcbf1476d421dfb978301d31dccfcf2eccaea28f526f1f2d749902b3

SHA512
590f8d48d6e0c5c3750cc628ad5221c991a99290c18ab73fe44653e04fa59c321a482a53ce7a5dfb2fab2cec26539abfeb621d9c436e2fd8a6aa82104355647a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
baf2376c2065e6e5f035846e495e7223

SHA1
53a4c05f351b549cb52d10003e0ac4d4c8b41176

SHA256
65c78cf669ce81dd9b6e8f192c34550647fa00e7e23498671b97beb9ebbad13d

SHA512
6e837758eae4b4ed12207e0bffe93878f4651b97a8d410b66ccfa82310c3ca597c72e8766a0edd0ab6dd5895735dc4b91ccd2d211cef3ce425ae6131d2e185f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
737B

MD5
8934aaf56520dff890d80e7cce404765

SHA1
f012fb672895f6ca7510be19036f7f097096fa10

SHA256
3e3286bbd97f786f9cdbd000e60c3f7497baf4820ebf65f9ced6177dc55d0201

SHA512
77bcce363d38358615b9b5a3d70605fa92985ef334ab24cb8e08e3c3f3bb97098525f3f12d4a2e91c59e47a8eb8c17c09abb1ac4a19e3f8e424ce0f1c7d935c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
a5d06469414d1b05391b155eea37e7f2

SHA1
833ad7b0be3ea62142d4a6c335a1d5008b46de7d

SHA256
50de63f4ec3ccfe6e38b2af5aa468a2e1b4ab0f32dbfae843f1540392f1444bb

SHA512
3c70c9624caed77e0d072285e6de5b0ac0effc3a31c2387077ecdbb03c6f42838522f4a53c67c818f8c619163292959a29fb1462e1459268ffeeff20b62cfbe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
e461061c759ed407158b0cd1c23400d7

SHA1
2006ab61e1b6902cf0f9110e7a19eaff00b45751

SHA256
5ee795d8cbc1e5e35d2a156199e68f1383a8c148de2955898f2088ae2a91d49f

SHA512
2d2a91acefbef371f3b08a01ae7964d6a5d0484f94e1c9acf050207b645a95695ac2622cd2d3c026e4b8f2825c64f1763aacdfed4525bae3629a136538202619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
1e0786d0d53cda16328e119259c42b3b

SHA1
e171ee4387c80d390c25c2f7a0b837b916b7d864

SHA256
ff9528d80beed66a2495cdf5d39b44008480683b9053162003032c61f0056798

SHA512
4ea9e86149f922765b486dcd6e47aa9c08e423233e439437d2dce842bb5a30156817da59a4576ddb8378536b39f8d5e6b9cb7c3aade68a9629a19d2b0d7f4bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
f97896541a6d96f79e94156e48c95376

SHA1
9fa1d169c241da117b7f1c2dc099e337001ac221

SHA256
372cc8ddb408cd5c9ba72b5fbc2a2dc7a1a2492e023e75cd6b0d0625f8297194

SHA512
baa34034979ae1bb63d613589768e86e60eac8617d475b40037ea9cd554b9a9dbd94aea4e8cee4912d08c24205e00487d6e3ba4cf0a9f6054cc325d90417e4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe57e119.TMP

Filesize
598B

MD5
e027630305b7da4da95d5c61c3f45682

SHA1
36e936fa64056153b9c0d73bc19e804360972cc4

SHA256
ebca7856c2fadf0789d24a696d0bc1ff2ef9304b12df3e755f861bd5e233a3fa

SHA512
af97ef1f99fd25cf3d63ecffdac2ced8315bf56fc4c2ef1a316469d688bd8e1ee25ec7e50ef91218ff61294d62b25702a7084d320d9ef31a707ffc7184f5bbe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d95ef62195b3de53c41c4245ff4a3dd1

SHA1
529a6bb281e652d397d1f4d68e1f247a1bc03ba5

SHA256
db66ae58e77b1ecee5c26b76f80b71a6f2edf2a66495c5d6bb8a396387593016

SHA512
73944669b10676adad54f891cea6523053374faf5a760762afd3fcb316bd7c7e2f380f348b5e13feff7592666558d9d4ebcb1c5fb193e937cf49cc63797b5f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e154113cbc847d54083536bab64a688

SHA1
42b3026b8f71518d4b8f829b79ff02a9f2c4b8d0

SHA256
bf43c176cc43e258c429c6e940117a4578833d47041575eb13d3bdec13b44d30

SHA512
43092590a7d18d75866fa1efb8ef96c06d2a22d0be76d987934d211eac728cff5517ce1e3582a81ca196b5c2ec82ccc1c554c1ca07d41fae488cb8f108e69833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2aa47f8966635467a9d071c305da85b7

SHA1
dc125ca019f5e9118e21bb6f9777d1dca5886153

SHA256
bd0b058afcd15e08e4e07956378b382c8055ed0c3b84e24017dc4e994f895823

SHA512
68370179c6608efd4a76a60eb0eaf2f6708463951f32ec3ce85bba694135e372a15074fd504f55e2005caddb704e80dae34e0c6a09d59a355d7a040a4e0693e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5812e7.TMP

Filesize
48B

MD5
e19e1a101b684b578cdac2d046023bfd

SHA1
b12be8edf4ea8bbdb40b8019f555c944d30554fa

SHA256
c852030e612f40f0f2e1fe3321be8918e262dc06388307dec13680ec181d0b11

SHA512
6aaebf9026a92a7f59bd8ff0bd62303877e922c1ae35ab8607ad51b744241af67fb27c35c60763459c95f624827d35dca9584e576553d294317537326c1c4393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5920fc4b2695dd0bc1795733c26d7c41

SHA1
967a27f6ee7fee6bc7b53839df4efd28f3123007

SHA256
d782a6a335a32b1b38dd51d1c5bfba62f80c7d4a305d41430eaa60f62308f985

SHA512
4bd209701673945be2fdaa8e8996215dece581fb98bad8e96f07a5f082c2b958577cb66738f4571ee0069193d887f7ee0cd3f8a1c73397921b8b0b0713c825cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24161e09a3d96cea9cd537084ba3590f

SHA1
745ad6cc775ce7ace022d64c6c3b5de7191d5355

SHA256
ac7413f0a6f17243d262ae1f26f2a4efe38b23c5eba108d3919806b8aae24e05

SHA512
49317ae50752534e35953af7b992b7c7385341fcfce6d6c2b96af314b2044cc756d3dd2dbf18d238cfc326abffdded928123ba3b993255b111f567ccb6002bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FIXROB~1.EXE

Filesize
43.9MB

MD5
a232ea950c0c2da02bba193fca7d4aaf

SHA1
3f271669b0e3a4379d7fa7bf1c53f9a4f6a46da5

SHA256
75b3d600a8bfdeca62b1a0b8ca6724cb1fb355eb241b7017eff1ff493b0c2e13

SHA512
31b23235127f4a7991dc760aaf7f7bd9bd395744a3647da058bc782f33e3c41620585189be671d83b74ef37e12e4bf4e85dc17293a845560df8cd17125f74b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cloud.exe

Filesize
172KB

MD5
d48238a69705315094e798bff666e1cd

SHA1
332e7dd34204e55de94e30c392c0d14bb30eff0f

SHA256
7eda5c47bae628e7dc31cdb977299c5898b52f74dc6ee3dae52bf38b44643674

SHA512
5be45342356e7d21b638fbbaaf4664b8f14c6560d63a2efb2f050b4a1c3ae93438ded06a9742aa09ae7f40581990931efe98ec7d0e05a7628c05cac7ed4b642e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3nfbja2.c1e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsbrwf.exe

Filesize
527KB

MD5
9ba66360205350d3d5b1c93c7badf223

SHA1
67116d682e68e7052354b9ef9d562984bc4052b0

SHA256
1d0bff487908ce2a28871b8502cd04b0472b8a823f3704aa3207fc09f02f0fda

SHA512
0e69bc0ee9db5d1ef0524e8b9dee41392c6523d6f032d2bf8b8660f0301bd06ced8edb8a7dbc1b6905e6db248eb75600d2fcaa4b22f01da434a9edcb3991116a

Download Submit
C:\Users\Admin\Downloads\Cheat.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4580-397-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/4580-446-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/4580-448-0x000000001CF00000-0x000000001D020000-memory.dmp

Filesize
1.1MB

Download
memory/4580-447-0x000000001BB80000-0x000000001BB8E000-memory.dmp

Filesize
56KB

Download
memory/4580-445-0x000000001CA90000-0x000000001CDE0000-memory.dmp

Filesize
3.3MB

Download
memory/4580-444-0x000000001AF60000-0x000000001AF6C000-memory.dmp

Filesize
48KB

Download
memory/5096-406-0x00000163A8830000-0x00000163A8852000-memory.dmp

Filesize
136KB

Download