stormkitty | hxxps://gofile[.]io/d/c7vuUZ

Analysis

max time kernel
175s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/c7vuUZ

Score

10^/10

stormkitty xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Miyano-33512.portmap.io:33512

Mutex

0lhuiFsxouvCOiCD

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c68-56.dat	family_xworm
behavioral1/memory/1472-91-0x00000000009A0000-0x00000000009B0000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1472-464-0x000000001CD30000-0x000000001CE50000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3968	powershell.exe
2292	powershell.exe
2064	powershell.exe
5188	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Bootstrapper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Bootstrapper.exe

Executes dropped EXE 2 IoCs

pid	Process
1472	Bootstrapper.exe
376	Bootstrapper.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Bootstrapper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 578360.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1472	Bootstrapper.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
324	msedge.exe
324	msedge.exe
856	msedge.exe
856	msedge.exe
4516	identity_helper.exe
4516	identity_helper.exe
2132	msedge.exe
2132	msedge.exe
3968	powershell.exe
3968	powershell.exe
3968	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
5188	powershell.exe
5188	powershell.exe
5188	powershell.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1472	Bootstrapper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	Bootstrapper.exe
Token: SeDebugPrivilege	376	Bootstrapper.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	1472	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
3504	helppane.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1472	Bootstrapper.exe
3504	helppane.exe
3504	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 3280	856	msedge.exe	83
PID 856 wrote to memory of 3280	856	msedge.exe	83
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 4588	856	msedge.exe	84
PID 856 wrote to memory of 324	856	msedge.exe	85
PID 856 wrote to memory of 324	856	msedge.exe	85
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86
PID 856 wrote to memory of 380	856	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/c7vuUZ
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6b9246f8,0x7ffb6b924708,0x7ffb6b924718
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2132
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Bootstrapper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bootstrapper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5188
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5432 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14043513598817340410,14038462854111887435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:5268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884
  2⤵
  PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6b9246f8,0x7ffb6b924708,0x7ffb6b924718
    3⤵
    PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
63557ef50f39a93298d8e127b8c33379

SHA1
816fcfdc243ce7b5280bf51257a00423f8d69280

SHA256
b909b0208e0d0df28ddba35daa8e0bc7ee3b7954bb4d457d8042d6daf59c9aee

SHA512
b870a9661789bdc48ff49ebf92d4c074cc7dd239e383819c83bce072e28ff71b7fddc8d9fde2f09a6df151dea4ae51b679a6b7eb642383e7358cadad28ec20d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2999aca57c5e79bbc31946d22ed78847

SHA1
d546c0d136e824831d7017ae7c9ebb475ac9432e

SHA256
480230399c4db5fc7ccf43c9902055bcea4fe3d209172e67cc069ba969c0f0d3

SHA512
c9e0d4a0c42ebf5975932efaa2a64a122f7640e4231467086c5cc279e5592713f0bc96588e05daae5e029e5c8b58896a95399d7b331dec91d1ebb5333f5b6b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
fd09b27c34a7bb7759b7503b56ab9d25

SHA1
8cee41b71864cf2e861b2d88e3633ddcadc867e9

SHA256
283c8094eeac07c169eb30ad5f16c0f4e7175010c839c18def05434df0f45ce5

SHA512
a6dd00399986b0de00c71b1fb2d751e43c0dd983adf040ee61ba9cc03cf9534627049381d07508297727a8e0c1fe6c28593f9cc840b55b009f4db22355dfe2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
cc4f000a5e136f35154f046eb2db6281

SHA1
04d7bc27a8df83ff82e45e2fad48cac3fdb2dd26

SHA256
cfc0808580a17b799b7729ccfa43f9ae2f05fe6b01b25365ffc288880b923615

SHA512
d7c77a614e5ba3166a97dd03dc7ca4e5766c2d35cfa4b5ea5c279ffb120376d000680ebd89c9c4d364b7c894773f135418bdccfd9b55905fcc7553022ebfc7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
683B

MD5
c247063e854d6402d80d0411438cb015

SHA1
1c27ececfdc8c402f34454032afc294cb521ddc2

SHA256
10f9b949e5a8a9d84a6ddc69853899e290245a3db33e5d1c0fe9869be7e1c141

SHA512
e8df37b7124d1d2e1e7718065bdcbd330408d91d9a541d685e50173e329cd1776d322b5b9b09c978ab37197a9fd2b83f72d38d93d9fc32add2a6802c2e8f63d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
af37e39de81bdee39b60eb28cc58a54d

SHA1
e743c591a8e2f0ec6082969662abf7535c444fc6

SHA256
81c5cdcf737de4b1c1ca1b11ac83ca3ead05f2ae1f6e9347cad7213a7ab56b4c

SHA512
a7d594187232d92de104eed7b1c7321d7261b62e815b87de1880df659f79884a25dedf06c5ffa15107229b8bc8215972825f82e88e562b87f4e3025684fd6c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2843b18b4e62e8931c208b1d114fbec1

SHA1
5a895e8f569fc4c7bab9ddbc26de10d200ce1830

SHA256
b6e94119b3239db083aed48d20d6eabb0ac284af8f322213e18182dbcf98a316

SHA512
a4d365c05e8441a6ed1007293ea520b02fd5d3b9eb078ce5dfd6f0c94c0d01cd9e4698f5193d06560a5a5cb62e96943a0e89513b8c0b07bca06f7812b4431c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3c2740a3dadc8fa56ef043e5d8d7d941

SHA1
dccfc07898e5bf79a65f13b9a374b40dfef0a79f

SHA256
7f131b94382f795c0f3744bc0569289abb8fb07a5a1ea1df9efb644043edf3ff

SHA512
01da85f23425ca8c498b05e2fa1497bc378946407a3a6a224891c3f8a05055a745936c8caea6ca32b1864c0f73007fde6a0e2cb0c5ad37f113888bd814ae76fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0149d604cc75dd0ef1720ed3d5782a18

SHA1
562a9a71b87d1975cffdc3379984fcfc9b7e1121

SHA256
371bda653b86d108bc46b058534b0232f7f1933d5e95bff5f6e67670efc6140e

SHA512
b157b51f94b3a674f6f988e129538eec54329c1b4223db77123ce49d0bc26c3ce93292210f77750da5861e4f2d1fa5d2a2fb0b20ba3736d67476b8cce0d941c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f518b35f3f907ffc25aa8e5c079c0b8

SHA1
5ca870e89bd701aa7a767b388cd84366cbb7d8fb

SHA256
3218c9be5d953d65d535f11986213957f2ae5ba1b630aa7b611644652dc60632

SHA512
14a0bfe05cfdd27a18370efe1f1c48da24f7c42a8228dc764b21c945a0bd8ca1c5d82a942833e72899ef3a86a5079c2216ab1662347c2d91be4dd519ff5104e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
83e7a259981a57d08229d295cbd0d659

SHA1
8bbcc7414f9bf0d8847cf7a53ca6f0afde10b9d3

SHA256
84115c70e0c9006336784fd87244d5e1384692bd9d17e3fd6fa2c0456ef38f76

SHA512
6a20ed69e62d8d6b20aa88906c367ba1b75d810a8b3ee9ed6534fe43e960be37e9701d0fbe0d93d6200d702ebc2d088a816d11878b1b37b9e045a4f78faa070c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a975.TMP

Filesize
370B

MD5
ebd72abb2869292b19668ec17077edf3

SHA1
26e9bc0265595c9fb2b86443d05da886228f26ee

SHA256
a025f4dc7febbeefc296d9e31cff7b2b35d7efbeef8a28762626b345f0d92e54

SHA512
8e17bd4d1e1229efffbb5ee43b5c9cb1614089b09d0a47e26a85580faa42e76826d4f0c37476e0cc7462fcee0e457e9baf596ac677e6c2a06d3bc746833b76e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
a8f16f1e1490bfcc40842ae083ddb513

SHA1
53783206369c039915046e3cfc40ebb74b88faa4

SHA256
8caf596353ecf356885461778ee260fa28f3af6d6d30d8e0137507596b6ff1cc

SHA512
5c4e950498a73e853be969d219099ec7928eda9c2e48bbb2a4f9a5635fc7f7a764e8fa34a299229494b62598274ca936dd6e9a664b279816506746b061242e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9eecd7b7d08e50236785ef08cf151bc3

SHA1
f030071fc8c6890e5478e4c464b1c74ab64583b7

SHA256
e9033d91b9c92bacf5a5d6d9be646cdd544d0ba4b1337735d903ae9b1ebfc1f7

SHA512
7d7008a04694532bb358ad1257bc87de224e9efc3d71ded8c7171fc03000837d00ce9b85f72222cc26239926e60a06d7a84410a591359042cc0493d38d0fa19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d80de4240cf3d6d7d9ed34ebdc4b640b

SHA1
5edf68fdde3616ea7263507c0ac8ca049f6479b5

SHA256
7dd6ac1adee244782a117fb6c349d08c1246e4f155107ba79eb25b13f18a21b8

SHA512
2b4c38d4bebdc9ac898f4128aac40ccddf6724856941bcd11ede80e9d433f0fe855000ef76dde7b3fd28180604522bf89192d1bf3a80d0b749855377e9827443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05a956bec8eb48b0f2bc13540f4aae08

SHA1
de7a4e8064cc0888694bd529a9ebaf2fcfe75eac

SHA256
ea2afa442384f239c155c95c330109d35a7095ec2183a558f8ac98b46a0c9b52

SHA512
22a616eb5377bd57633afb4b0ca9579c0a33971fcc2cfabc3bc310fd47fb6b9172a7ea613e75880101df575240743e460b4e119d4a26a95886c24a7fb4d634c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6e028814d99a316c5459167942146e

SHA1
b38698d22f35a0222d50a767e7c6b282b64c2b03

SHA256
0e62fa316411566c279b977c3bfefffe67008b441d996027f4ed040004903f3c

SHA512
3d4cd6c875d5890a22e83dce9bf5c8ca2056d8870c33078d836c02ec668145e752c2699bf234554e8c0da739d3bbc7a3491b0a310b6d5335e7f7540effabdd08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxxahwrq.gso.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 578360.crdownload

Filesize
35KB

MD5
e09ce0dd0e292b7cece0dade6c3762b8

SHA1
4891616983f79a6efa3e13e2fc90637eb0fa43f4

SHA256
49456fdeee9e777ef227c400c9ba1402d339091d5b0115fe63d8498cb1273fc9

SHA512
a7ec1a4316ec5109b801959aab20cee5c18de24990c1e35ac210a1ad5181c049428b1a416bad5e933ef1a83f5cc6265ca119d2bb1a9017dc16b3eb663e2cc3ef

Download Submit
memory/1472-222-0x000000001BC30000-0x000000001BC3A000-memory.dmp

Filesize
40KB

Download
memory/1472-187-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/1472-464-0x000000001CD30000-0x000000001CE50000-memory.dmp

Filesize
1.1MB

Download
memory/1472-91-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3968-102-0x000002695BC60000-0x000002695BC82000-memory.dmp

Filesize
136KB

Download