stormkitty | f01bae5d62f6320edfba317ce34413659200c30ace28fc9f671425c355e063ce

Analysis

max time kernel
146s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2025, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XwormLoader.exe
Size

8.0MB
MD5

2d19886d92d96cbc75d0045c88ddb83a
SHA1

6ecda95b7b6da8a7c14a0394c1e9a2e76f9e5c5e
SHA256

d48f1ebd2111d5b730787c3d2247c27da0b35d95a2363aa70490e0e3db6e06a0
SHA512

a975de161952f092c97b7f6990da127e0aaf244ce9603508b0c377781cd4e67c84bf091e77b458f48f8354118afb45d292e0280535807ba26f0c6d28d57e7b1d
SSDEEP

196608:eXin21AV7RTxZxNsh9hGb8Wo+Nu1juzy9w6W3ADORlIG:dZ3XxNsjhGbXo+NuFuzy9w9wD42G

Score

10^/10

stormkitty xworm collection credential_access discovery execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

217.195.153.81:50000

Mutex

5UXpujbt6vWtkdEG

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001a00000002b126-145.dat	family_xworm
behavioral2/memory/2956-157-0x0000000000380000-0x0000000000390000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001a00000002b05c-17.dat	family_stormkitty
behavioral2/memory/2508-27-0x0000000000A50000-0x0000000000A94000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4240	powershell.exe
3012	powershell.exe
6108	powershell.exe
2852	powershell.exe

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5852	chrome.exe
4084	chrome.exe
2364	chrome.exe
1476	chrome.exe
2668	chrome.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x001a00000002b059-10.dat	net_reactor

Executes dropped EXE 6 IoCs

pid	Process
4208	Omnhybqtz.exe
2508	Tukexuutr.exe
5952	Xworm V5.6.exe
2956	svchost.exe
5876	svchost.exe
5272	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tukexuutr.exe
Key opened	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tukexuutr.exe
Key opened	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tukexuutr.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
2	ipinfo.io

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tukexuutr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3380	netsh.exe
2636	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Tukexuutr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Tukexuutr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
2508	Tukexuutr.exe
4240	powershell.exe
4240	powershell.exe
3012	powershell.exe
3012	powershell.exe
6108	powershell.exe
6108	powershell.exe
2852	powershell.exe
2852	powershell.exe
5852	chrome.exe
5852	chrome.exe
2956	svchost.exe
2956	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5852	chrome.exe
5852	chrome.exe
5852	chrome.exe
5852	chrome.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	Tukexuutr.exe
Token: SeDebugPrivilege	2956	svchost.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeShutdownPrivilege	5852	chrome.exe
Token: SeCreatePagefilePrivilege	5852	chrome.exe
Token: SeShutdownPrivilege	5852	chrome.exe
Token: SeCreatePagefilePrivilege	5852	chrome.exe
Token: SeShutdownPrivilege	5852	chrome.exe
Token: SeCreatePagefilePrivilege	5852	chrome.exe
Token: SeShutdownPrivilege	5852	chrome.exe
Token: SeCreatePagefilePrivilege	5852	chrome.exe
Token: SeDebugPrivilege	5876	svchost.exe
Token: SeDebugPrivilege	5272	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5852	chrome.exe
5852	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2956	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4208	3512	XwormLoader.exe	78
PID 3512 wrote to memory of 4208	3512	XwormLoader.exe	78
PID 3512 wrote to memory of 2508	3512	XwormLoader.exe	79
PID 3512 wrote to memory of 2508	3512	XwormLoader.exe	79
PID 3512 wrote to memory of 2508	3512	XwormLoader.exe	79
PID 2508 wrote to memory of 2636	2508	Tukexuutr.exe	80
PID 2508 wrote to memory of 2636	2508	Tukexuutr.exe	80
PID 2508 wrote to memory of 2636	2508	Tukexuutr.exe	80
PID 2636 wrote to memory of 4576	2636	cmd.exe	82
PID 2636 wrote to memory of 4576	2636	cmd.exe	82
PID 2636 wrote to memory of 4576	2636	cmd.exe	82
PID 2636 wrote to memory of 3380	2636	cmd.exe	84
PID 2636 wrote to memory of 3380	2636	cmd.exe	84
PID 2636 wrote to memory of 3380	2636	cmd.exe	84
PID 2636 wrote to memory of 4456	2636	cmd.exe	85
PID 2636 wrote to memory of 4456	2636	cmd.exe	85
PID 2636 wrote to memory of 4456	2636	cmd.exe	85
PID 2508 wrote to memory of 3472	2508	Tukexuutr.exe	86
PID 2508 wrote to memory of 3472	2508	Tukexuutr.exe	86
PID 2508 wrote to memory of 3472	2508	Tukexuutr.exe	86
PID 3472 wrote to memory of 5804	3472	cmd.exe	88
PID 3472 wrote to memory of 5804	3472	cmd.exe	88
PID 3472 wrote to memory of 5804	3472	cmd.exe	88
PID 3472 wrote to memory of 880	3472	cmd.exe	89
PID 3472 wrote to memory of 880	3472	cmd.exe	89
PID 3472 wrote to memory of 880	3472	cmd.exe	89
PID 4208 wrote to memory of 5952	4208	Omnhybqtz.exe	90
PID 4208 wrote to memory of 5952	4208	Omnhybqtz.exe	90
PID 4208 wrote to memory of 2956	4208	Omnhybqtz.exe	91
PID 4208 wrote to memory of 2956	4208	Omnhybqtz.exe	91
PID 2956 wrote to memory of 4240	2956	svchost.exe	92
PID 2956 wrote to memory of 4240	2956	svchost.exe	92
PID 2956 wrote to memory of 3012	2956	svchost.exe	94
PID 2956 wrote to memory of 3012	2956	svchost.exe	94
PID 2956 wrote to memory of 6108	2956	svchost.exe	96
PID 2956 wrote to memory of 6108	2956	svchost.exe	96
PID 2508 wrote to memory of 5852	2508	Tukexuutr.exe	98
PID 2508 wrote to memory of 5852	2508	Tukexuutr.exe	98
PID 5852 wrote to memory of 5648	5852	chrome.exe	99
PID 5852 wrote to memory of 5648	5852	chrome.exe	99
PID 2956 wrote to memory of 2852	2956	svchost.exe	100
PID 2956 wrote to memory of 2852	2956	svchost.exe	100
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102
PID 5852 wrote to memory of 888	5852	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tukexuutr.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Tukexuutr.exe

C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\Omnhybqtz.exe
  "C:\Users\Admin\AppData\Local\Temp\Omnhybqtz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:5952
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4792
- C:\Users\Admin\AppData\Local\Temp\Tukexuutr.exe
  "C:\Users\Admin\AppData\Local\Temp\Tukexuutr.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4576
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3380
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:5804
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5852
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94832dcf8,0x7ff94832dd04,0x7ff94832dd10
      4⤵
      PID:5648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1960,i,1360337043270603191,5703488634406202338,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1952 /prefetch:2
      4⤵
      PID:888
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1436,i,1360337043270603191,5703488634406202338,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2244 /prefetch:11
      4⤵
      PID:1228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,1360337043270603191,5703488634406202338,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2340 /prefetch:13
      4⤵
      PID:4976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,1360337043270603191,5703488634406202338,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4084
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,1360337043270603191,5703488634406202338,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2364
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,1360337043270603191,5703488634406202338,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4268 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:1476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=2364,i,1360337043270603191,5703488634406202338,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4748 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2668

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2616

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5272

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
40cb0610f67218084e89092fbfab62e4

SHA1
70a7994941e04f25fb2441256a44cb196df9be49

SHA256
49944c5b8d61c4a2da7ac040c2ee492b73a40fef3a896e4b8362c00d66528588

SHA512
a0c9aeb18962cddd0c7338ffdf5642f255d1b995be246ff38885553bef53ed9d37e8984233e2c2eca4b8e8c7119d1a7c9ba953f8d6608c6d75a5c1d7546c26b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce173088fe3b48b3a8da7cfb77260403

SHA1
1dbb096cb5c2e8d593d50301890627b2a35c7597

SHA256
090e1af7f6bd99904fc69ea03c4f6c022ed17cb9a068955aa407c727ee21a8c2

SHA512
84033c5715b4944d6c6fc93037aea010f38c4dcb28ec3df21a897ce6d3dc06e4895133c010e078fafa7baa085d35a54f9486ccbf0468d9886492137a7b6856a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\181.215.176.43\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\181.215.176.43\System\Process.txt

Filesize
4KB

MD5
c387092713299a9fa54f9f23b5a73aba

SHA1
6f9d15e72d599f49ac047d3c3ccd1b714940706b

SHA256
a100458a520bd849a56254d90cde489c1d5adad3119a919493832a4b627a7109

SHA512
f8303c69a0dbb9f86b05941864f266148b9aba3ec7c2aeef164974171073ec0ce2f27d5e17562d763099b7f18520fe82050308c96899a012fbce5b0e887519d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omnhybqtz.exe

Filesize
7.8MB

MD5
e2d96d9ee0fc390755c45034ec782c33

SHA1
f5487d3d706f7554c3075ed8a0753b8581d33749

SHA256
2b00d8e00c84a130c58a3d4ee5d4548517fa4b95eb6ceb0429a0b857755ada29

SHA512
04608fe3591b841217e4b92b1020d5ca384b796d156a6b7c6664769c7bbd7345b03c8a6857d6fd2d1779f41eefd349635d0f7b2a1c4c8467c071edab4f9bd327

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tukexuutr.exe

Filesize
245KB

MD5
4fc027cda3ab806b71d90369f05e2e12

SHA1
57748ec8d12f215fc80559594a94e8f74e3a1ae3

SHA256
9f628e852ccd4c45b3e4ee68ada8c63ae593066cd386895c6f8beee4fbb46c6d

SHA512
e407ae686958bc5f66556317694ac372b02e150dad7c3b3623d2d6be991a0e349cba6aff61403299803b0d4b1f17fd5cedc822b06f0bff3866bc7250fbdc2715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
cac67604904dce94d230953f170d4391

SHA1
9ea639f23a5699bb66ca5da55b2458347aed6f13

SHA256
64e5b7463d340b9a8b9d911860b4d635b0cf68afbe3593ed3cc6cbb13db0b27b

SHA512
af358008abb47a345a53dab222a01ab6c0ed10185fca8d2be9af2892161f150c8cc8a7f75272d1eb1acd17b49f32d3531adbc1cfdd153cc7c3e90841cabe766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_awictkuy.d42.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
38KB

MD5
076f2c93e34a152c270907e33143fdf4

SHA1
26278090a3e808d79e76ce8dc3ef21f55524c9b4

SHA256
59d95ba60294f08afe88b16ca08c6befd1148ec4a120a674fc5bf8287205ebc5

SHA512
54cbde7e10665bf039d69df63a05dcd6886a883d51e8354d3cc78f2f0883a80b7441a24108053b9b23bacc4a8cff366fc52fa02e2a10e8f3f9c600a1e9fbe867

Download Submit
memory/2508-27-0x0000000000A50000-0x0000000000A94000-memory.dmp

Filesize
272KB

Download
memory/2508-31-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/2508-35-0x00000000061C0000-0x00000000061D2000-memory.dmp

Filesize
72KB

Download
memory/2508-36-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/2508-287-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/2508-34-0x0000000006610000-0x0000000006B3C000-memory.dmp

Filesize
5.2MB

Download
memory/2508-29-0x0000000005540000-0x0000000005702000-memory.dmp

Filesize
1.8MB

Download
memory/2956-157-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/3512-5-0x0000000074E60000-0x0000000075611000-memory.dmp

Filesize
7.7MB

Download
memory/3512-4-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/3512-1-0x0000000000400000-0x0000000000C06000-memory.dmp

Filesize
8.0MB

Download
memory/3512-2-0x0000000005330000-0x00000000058D6000-memory.dmp

Filesize
5.6MB

Download
memory/3512-3-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/3512-28-0x0000000074E60000-0x0000000075611000-memory.dmp

Filesize
7.7MB

Download
memory/3512-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/4208-32-0x00007FF950035000-0x00007FF950036000-memory.dmp

Filesize
4KB

Download
memory/4208-22-0x00007FF950035000-0x00007FF950036000-memory.dmp

Filesize
4KB

Download
memory/4208-30-0x00007FF94FD80000-0x00007FF950721000-memory.dmp

Filesize
9.6MB

Download
memory/4208-33-0x000000001C350000-0x000000001C3F6000-memory.dmp

Filesize
664KB

Download
memory/4208-158-0x00007FF94FD80000-0x00007FF950721000-memory.dmp

Filesize
9.6MB

Download
memory/4240-209-0x000001D727F60000-0x000001D727F82000-memory.dmp

Filesize
136KB

Download
memory/5952-139-0x000002596FC60000-0x0000025970B48000-memory.dmp

Filesize
14.9MB

Download
memory/5952-285-0x00000259747A0000-0x0000025974994000-memory.dmp

Filesize
2.0MB

Download