stormkitty | hxxps://cdn[.]discordapp[.]com/attachments/1297224058857062474/1324842481543676068/ddos_tool[.]exe?ex=67799f35&is=67784db5&hm=ab9b89df5d823a64e71668d3649044a154a5024b770ad2a6159296a1d56e6c11&

Analysis

max time kernel
900s
max time network
728s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-01-2025 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1297224058857062474/1324842481543676068/ddos_tool.exe?ex=67799f35&is=67784db5&hm=ab9b89df5d823a64e71668d3649044a154a5024b770ad2a6159296a1d56e6c11&

Score

10^/10

stormkitty xworm defense_evasion discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

responsibility-popular.gl.at.ply.gg:57012

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002aae2-84.dat	family_xworm
behavioral1/memory/2152-92-0x0000000000BC0000-0x0000000000BF4000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2152-161-0x000000001DBF0000-0x000000001DD10000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
924	powershell.exe
4924	powershell.exe
4696	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk	Teams.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk	Teams.exe

Executes dropped EXE 16 IoCs

pid	Process
1468	ddos tool.exe
2152	Teams.exe
996	SystemUser.dll
1656	SystemUser.dll
4652	SystemUser.dll
5104	SystemUser.dll
3392	pfnvtq.exe
1212	Teams.exe
2744	SystemUser.dll
2364	SystemUser.dll
3664	SystemUser.dll
3780	SystemUser.dll
3148	SystemUser.dll
3788	SystemUser.dll
4348	SystemUser.dll
3964	SystemUser.dll

Loads dropped DLL 1 IoCs

pid	Process
2152	Teams.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemUser = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SystemUser.dll"	Teams.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ddos tool.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3732	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5032	ipconfig.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 643271.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ddos tool.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
4248	msedge.exe
4248	msedge.exe
4552	identity_helper.exe
4552	identity_helper.exe
3360	msedge.exe
3360	msedge.exe
628	msedge.exe
628	msedge.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
924	powershell.exe
924	powershell.exe
924	powershell.exe
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
2152	Teams.exe
2152	Teams.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe
2152	Teams.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	Teams.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	2152	Teams.exe
Token: SeDebugPrivilege	996	SystemUser.dll
Token: SeDebugPrivilege	1656	SystemUser.dll
Token: SeDebugPrivilege	4652	SystemUser.dll
Token: SeDebugPrivilege	5104	SystemUser.dll
Token: SeDebugPrivilege	1212	Teams.exe
Token: 33	3792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3792	AUDIODG.EXE
Token: SeDebugPrivilege	2744	SystemUser.dll
Token: SeDebugPrivilege	2364	SystemUser.dll
Token: SeDebugPrivilege	3664	SystemUser.dll
Token: SeDebugPrivilege	3780	SystemUser.dll
Token: SeDebugPrivilege	3148	SystemUser.dll
Token: SeDebugPrivilege	3788	SystemUser.dll
Token: SeDebugPrivilege	4348	SystemUser.dll
Token: SeDebugPrivilege	3964	SystemUser.dll

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2152	Teams.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 224	4248	msedge.exe	77
PID 4248 wrote to memory of 224	4248	msedge.exe	77
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 1124	4248	msedge.exe	78
PID 4248 wrote to memory of 3616	4248	msedge.exe	79
PID 4248 wrote to memory of 3616	4248	msedge.exe	79
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80
PID 4248 wrote to memory of 2628	4248	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1297224058857062474/1324842481543676068/ddos_tool.exe?ex=67799f35&is=67784db5&hm=ab9b89df5d823a64e71668d3649044a154a5024b770ad2a6159296a1d56e6c11&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8feab3cb8,0x7ff8feab3cc8,0x7ff8feab3cd8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628
- C:\Users\Admin\Downloads\ddos tool.exe
  "C:\Users\Admin\Downloads\ddos tool.exe"
  2⤵
  - Executes dropped EXE
  PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lil bot.bat" "
    3⤵
    PID:3600
- - C:\Users\Admin\AppData\Local\Temp\Teams.exe
    "C:\Users\Admin\AppData\Local\Temp\Teams.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Teams.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Teams.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SystemUser.dll'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.dll'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\Admin\AppData\Local\Temp\SystemUser.dll"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\pfnvtq.exe
      "C:\Users\Admin\AppData\Local\Temp\pfnvtq.exe"
      4⤵
      Executes dropped EXE
      PID:3392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lil bot.bat" "
        5⤵
        
        PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Teams.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
  - - C:\Windows\SYSTEM32\CMD.EXE
      "CMD.EXE"
      4⤵
      PID:4852
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:5032
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "SystemUser"
      4⤵
      PID:2144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA773.tmp.bat""
      4⤵
      PID:968
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,903789090933995427,11181844962146969626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
C:\Users\Admin\AppData\Local\Temp\SystemUser.dll
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemUser.dll.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\578f4431-f27b-4a03-9475-d5f3f5519aa9.tmp

Filesize
186B

MD5
859cf9cd77c9a6bd5b0af56f08fb5128

SHA1
d62387a78e8a1643ba3117187479da14bce1b65c

SHA256
d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05

SHA512
e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
58ff836d1e3739abcc5c21510068771b

SHA1
e83f19e2834b9a36470dc9d76a5355169df26faf

SHA256
fecf50c5430b79e887aa6fada4c97d34ffc8831bc3da35f24d16199f0b35ea9f

SHA512
ebb4ecfa8a17f4cdaa407f88b28d9219f11ef28c4342a794c551006cbfe75ebb17b82cfe87c9a1e59a3d3fcdabf2ebbe8b18557f55c498057c4fd11d4af3becf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
3d386d523080fae5cea794bda5710502

SHA1
2b50af3ce352e43ea371fa0f604cdbeb47ebfa24

SHA256
0dd9c09b6762057ad97277d53c643eb47e8acbc0e3428cb4ba620bd9b9b7d926

SHA512
9c95fb21b200a52cc158144ad78286156edbdc8caeefeb1d8ca57c579166e638c733dbac218a089b0d2d44eb426cac6a92595cc955bff661e324fbdffce40844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
fba11bfc2f4c42a285755861ba544c19

SHA1
77b59ec3bedd654300d882639736cf64b835a21f

SHA256
a6b69edf648615465fd7c231e577760b2889336d9a7df9f504d62bc53b0514c3

SHA512
31f36d8432843d63a5eb6b21c7e6b26dcb0efedf8ce4c031390d33aab9c85e9a1b9b1af1eefb2de76087247e6c3e5a24ab9fefaa4ecc43626a5135856efceaef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
93d5bb33f012ef469f5192c1d0610d91

SHA1
26d609cc1510360f04e9776d6a9d5cf1a4437266

SHA256
a6f050738ef1d2605355ea08ffa723f4f97684413b728184dc0988bba4ec879b

SHA512
32808a452b100dbecc535abb741525dba1f9547a5581f3040db49a8369496b5f4fcf606d1d85020ef3022bcfc2eb6067a69979ed988e48cd8d48f28ffa4d4089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b4921e403cff723113f1c1bb2ae3b768

SHA1
5720ef907e43e9a81cd153da983f9349842a6425

SHA256
6e6bf70042dd7cb4c8b84ab93d4efbd8a56fef8a692357f2828939ba3e30ce77

SHA512
8ea24d2566299d524802b4b29d7a0cf52b7dd30f9e6de5146a9b7323014bebb21d2dd5c4e47b97d66d12fb5263062a2b7049b1f6087d28ec1cac727888b8c383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8125a889e1ebd0cef04cc4e5178f8926

SHA1
32fbb3c814f7bcb1fd40cf81023a66b2d57696d2

SHA256
1d375a406287500d80e00bde1591bf3dd5f143e743b91d52a23197168c4d1bfa

SHA512
30aa4269faaf2258fe01fa0dc3934f3d1396e7233df6d30fd18bb8da247e311d681bb548b84f4a3ebd234c4aea067634f78f2dd83bdf21dc6f53ccf42ac0a8ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
968fe20df0e1a0fdaffa55caa7c7057b

SHA1
ddec21f1dfa2ab00c991cb913fef747a98e89e67

SHA256
fc04606e6ee2b45861c8f874377d9cad50ea36d750c0666a8bf7e2e79d628a7b

SHA512
052b61f2fac05b4be2b5d80da58c1ef731d7c93a58168d35c6f5694e4b88fa847c06b290699e56171b545c41b2e8ddd64f23636467ad71eb2c4ac6f7f56f121a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a75253d352896585ca91a20ba24e621e

SHA1
501524e3e0c02e999d23cad6efeecc7dfe16ea22

SHA256
ee072ef80fe39ce71b7ff7526fcbc55b75e1b65d2c7d8e8a62eeec0931e2c61d

SHA512
3e7b5e6d7b054f416a20c11f7e9ac00255fc70a4517aec565496c1a8017324ecb812b4cd32257589ce625af5efc67059ebba122ef9a329003112d1953f61621a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a37940253349f91b9c9d57e8ed4835d

SHA1
ccf3397ce5c15f0a23872dc8e1bcfbcaa7450212

SHA256
e7a241c5174e40e3eae49748a7f85bebed929edfd052ec346fa5cd2b130ba450

SHA512
b082efcc63371ebb9d4566eb009618b07836d7f76edeed1c11aa99bfba1bf4d2fd652a59909bdefa17748873f6e3f2bead295d2e8020d8ca41b47d6065e66534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
053a7f1c669c9e04e71b42a003b104a2

SHA1
0d6c6d20cd5f1329f263fda08ee9822adc8974be

SHA256
b94ba58d98f1f9e3fdcc54b94c1a972a7247aff4b65335aaa52c7def2bcb4dfa

SHA512
c722a3367ba4368de3bee3803466818ef87e3b0a57e8a9c02dcc9f5ad844aa3e92de999f47e603d12ca1cd2de9ee5bf9f62ef4276ff7bfffb5fe651b4be9eedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c56aa7cb4c943da014c00912f994e1d6

SHA1
fa6cb22912894c61567d07454caee795c18bcea1

SHA256
5020a3a23da9d278c7b02070040b345caad6aeb810fe833d3c7955362e1fef27

SHA512
ca63bc89baa67c896cea12aa22f6c2e4e517b54a134f71d66826c2963b46d8b15a72aae681f89b1b25d8b07015c7f429ace30eb0d0ec7bbe0669ddb4ac1a39d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23a9eb5b6d47001ffd9652d13004913b

SHA1
b3bdcee5057d96f08577eb7990f0f61bcea26543

SHA256
91d8136391c00d96e15296084262f1860e537eee18e814448fbd6a3ca8573de9

SHA512
803855cb5dc4796f247f344e7975edb456651c3e7dcda3ff74056a8ff875e9ec4fdab52284d5221fb8c1025aacdd6c53aa8ca9a5733cac6075696dce027bf7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
67791c52fe5bee3bd13227e57a4bd54d

SHA1
d6e846953725ed6eeab1e4b03303f4020b1ace18

SHA256
2b87e364d1b98b63ab3236ac279638a3b19f1a6b56dbe68b2c9bc2cd368c12ab

SHA512
e4757b6b3d7804717b26dec144cc3e66b449d4675996c5f04d6369c83ff3ca03a32d8a41e38b6aa8fbd8433caa3a6ce6cece8da44ea8e27aa8aeb359f4bbc0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b2681df7c0e656c264042f2e3247df0

SHA1
38830cc6687009c3e146fed23ead4cb0be325bbb

SHA256
88a91e9a6f6cb1727a4ffc289425f8bb436930216056c489a89f05e3736bafe8

SHA512
5056fe4c3360270c622498ec3d27653fd5aaed3d9ac2f6c334f226ac0fc8010895f4603b740ec4cb6e86972a5214c70d2e22c337077b3790aec1e50fcf2f81bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
13323b897bdbe82d46ac208fa57e726d

SHA1
145af93614fb6cd2c88122a18a1240bc3f7e619c

SHA256
9ec8c95029b7598fdb62a60cbebb66fe45ba36bc464060d1e77247f9d81c2563

SHA512
7674788a3fd0ea52e8e2cdf31446b60cce01c24e26ac0539ef0b84b8c057900a0e8105740e9f74f2538d6b8dda4804b0cf9ae441d0db0e00af00b6f8c1e4a63d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fd25e341479afdcce2ed08b16f7fbf5

SHA1
2819dfb8d97f63e0743f035082de92da01b1456d

SHA256
7b34e50262a0eb3b37ef1fa00ce429e456cb9891c5fca83c6f7dfea0ffa1e1e7

SHA512
6255f99a97911e070ff87d24451b47e4e24baadb319f59959c93ab9b3572f70eaa91c1cf392c74f0ea63b085a4bccb95aaa35f1ce0f425a62d2e7953544a4a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teams.exe

Filesize
187KB

MD5
45ab951734afa65081f4d0a6f8d2175e

SHA1
b5fea20ce797dc2325b16e10c1b115acf01eb8d5

SHA256
315ae9ab63637f813ab39554f26dfe5a5d51a6c06a56ad3940767bb23b3dd68f

SHA512
2048e7ff1706ec055e553330bfd5722dfde98c25c1c46f5032bbe9c73ea92695645f6b9702a7e2506ddad1a774787a73b83cfdf3cbf99f0dc372f80748d08c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bkiojopu.ytr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lil bot.bat

Filesize
201B

MD5
be7d9f4d62714b425956a909e607ef91

SHA1
bf46f93281de8a5c980f75dafc530e34efce4bda

SHA256
98f450d4daaf023a911a561c2f82e915a44ee2f13d7bb1761a3de4fc494fcab4

SHA512
6fdc94d7ffd159ebcbf49368f3c6fefc63b2bef77acf03e8c31e5f986a4cea05dbbed8354e9c9732e705dfb50527e52e2fa70e9c9e1aa6cc92a95c56169b9744

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2431.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA773.tmp.bat

Filesize
157B

MD5
01553883d1be24bac9e0213d361139c7

SHA1
b9aa237d79f8cafece9249581ddbcf190db427db

SHA256
ffc949683f2ef75c5b118ce0b60717d05ed3a7bdbdd400aaa9eae46a1628de15

SHA512
018b2f847d96dd5d15908989b16b921c9542a9e9c55fc707d92f989b94918c109af13500a877a28d17a1958365836e8270a56192afe0e7286a42db8f4a4a2501

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 643271.crdownload

Filesize
199KB

MD5
a5644dc7298b5bd632f3656816fff5ed

SHA1
64a165e790724d9c9d5c221db96d72a61cbe8f4d

SHA256
48b2dcdf48cda77f19d3713f86b0dbb7dd0bf71399b77c5745368f9945bdac0e

SHA512
e4729bfc8dcf5aa6a5f245c74f6e3af493c767dc18ad6112018b5f50712a201fa023118933df88888be1b04bf33079839db9fc99a7d8ad98eacf2c25a6a15efe

Download Submit
memory/1468-76-0x0000000000C40000-0x0000000000C78000-memory.dmp

Filesize
224KB

Download
memory/2152-502-0x000000001CCA0000-0x000000001CCDA000-memory.dmp

Filesize
232KB

Download
memory/2152-486-0x000000001CC20000-0x000000001CC2A000-memory.dmp

Filesize
40KB

Download
memory/2152-92-0x0000000000BC0000-0x0000000000BF4000-memory.dmp

Filesize
208KB

Download
memory/2152-160-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/2152-290-0x000000001BE10000-0x000000001BE9E000-memory.dmp

Filesize
568KB

Download
memory/2152-657-0x000000001C3F0000-0x000000001C3FA000-memory.dmp

Filesize
40KB

Download
memory/2152-658-0x000000001C640000-0x000000001C652000-memory.dmp

Filesize
72KB

Download
memory/2152-161-0x000000001DBF0000-0x000000001DD10000-memory.dmp

Filesize
1.1MB

Download
memory/2332-99-0x000002AE456C0000-0x000002AE456E2000-memory.dmp

Filesize
136KB

Download