9be1b3efd006ebc4b5183ee57d0a127631bf64f9e1d96b93d3aec3df5664665e

Analysis

max time kernel
129s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
02-07-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AhMyth-Setup_ia32.exe
Size

102.7MB
MD5

6028f29cc52658b28bfb3b25367e64b8
SHA1

7a8ced5be410a3dd157ce9fac99bb1c264c6430c
SHA256

9be1b3efd006ebc4b5183ee57d0a127631bf64f9e1d96b93d3aec3df5664665e
SHA512

d3eefce64005673e90f099fdfd94a5de4c892ddab62d6004d6c60081a641e7ac757c669fd660ad90d7a6ca0978c8383e499bb86b2c4386fd7ef3134d80075ce6
SSDEEP

3145728:jbwV80nfz18Pjbn+a1UdvjkKgWEIY/LepyYyAeKB:EbzqPjbnpqjk7OH0YyJKB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
5052	AhMyth.exe
4828	AhMyth.exe
4024	AhMyth.exe
2388	AhMyth.exe
1072	AhMyth.exe
360	AhMyth.exe
2680	AhMyth.exe
1584	AhMyth.exe
1640	AhMyth.exe
3096	AhMyth.exe
4060	AhMyth.exe
4576	AhMyth.exe
2028	AhMyth.exe

Loads dropped DLL 26 IoCs

pid	Process
3144	AhMyth-Setup_ia32.exe
3144	AhMyth-Setup_ia32.exe
3144	AhMyth-Setup_ia32.exe
3144	AhMyth-Setup_ia32.exe
3144	AhMyth-Setup_ia32.exe
3144	AhMyth-Setup_ia32.exe
3144	AhMyth-Setup_ia32.exe
5052	AhMyth.exe
4828	AhMyth.exe
4828	AhMyth.exe
4828	AhMyth.exe
4828	AhMyth.exe
4024	AhMyth.exe
2388	AhMyth.exe
1072	AhMyth.exe
360	AhMyth.exe
2680	AhMyth.exe
1584	AhMyth.exe
1640	AhMyth.exe
3096	AhMyth.exe
4060	AhMyth.exe
4060	AhMyth.exe
4060	AhMyth.exe
4060	AhMyth.exe
4576	AhMyth.exe
2028	AhMyth.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4032	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
244	tasklist.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	AhMyth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	AhMyth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	AhMyth.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3144	AhMyth-Setup_ia32.exe
3144	AhMyth-Setup_ia32.exe
244	tasklist.exe
244	tasklist.exe
4024	AhMyth.exe
4024	AhMyth.exe
2388	AhMyth.exe
2388	AhMyth.exe
1072	AhMyth.exe
1072	AhMyth.exe
1584	AhMyth.exe
1584	AhMyth.exe
1640	AhMyth.exe
1640	AhMyth.exe
3096	AhMyth.exe
3096	AhMyth.exe
2028	AhMyth.exe
2028	AhMyth.exe
2028	AhMyth.exe
2028	AhMyth.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	244	tasklist.exe
Token: SeSecurityPrivilege	3144	AhMyth-Setup_ia32.exe
Token: 33	4188	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4188	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5052	AhMyth.exe
5052	AhMyth.exe
360	AhMyth.exe
360	AhMyth.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1676	3144	AhMyth-Setup_ia32.exe	76
PID 3144 wrote to memory of 1676	3144	AhMyth-Setup_ia32.exe	76
PID 3144 wrote to memory of 1676	3144	AhMyth-Setup_ia32.exe	76
PID 1676 wrote to memory of 244	1676	cmd.exe	78
PID 1676 wrote to memory of 244	1676	cmd.exe	78
PID 1676 wrote to memory of 244	1676	cmd.exe	78
PID 1676 wrote to memory of 2308	1676	cmd.exe	79
PID 1676 wrote to memory of 2308	1676	cmd.exe	79
PID 1676 wrote to memory of 2308	1676	cmd.exe	79
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4828	5052	AhMyth.exe	85
PID 5052 wrote to memory of 4024	5052	AhMyth.exe	86
PID 5052 wrote to memory of 4024	5052	AhMyth.exe	86
PID 5052 wrote to memory of 4024	5052	AhMyth.exe	86
PID 5052 wrote to memory of 2388	5052	AhMyth.exe	87
PID 5052 wrote to memory of 2388	5052	AhMyth.exe	87
PID 5052 wrote to memory of 2388	5052	AhMyth.exe	87
PID 5052 wrote to memory of 1072	5052	AhMyth.exe	89
PID 5052 wrote to memory of 1072	5052	AhMyth.exe	89
PID 5052 wrote to memory of 1072	5052	AhMyth.exe	89
PID 5052 wrote to memory of 2680	5052	AhMyth.exe	91
PID 5052 wrote to memory of 2680	5052	AhMyth.exe	91
PID 5052 wrote to memory of 2680	5052	AhMyth.exe	91
PID 5052 wrote to memory of 2680	5052	AhMyth.exe	91
PID 5052 wrote to memory of 2680	5052	AhMyth.exe	91

C:\Users\Admin\AppData\Local\Temp\AhMyth-Setup_ia32.exe
"C:\Users\Admin\AppData\Local\Temp\AhMyth-Setup_ia32.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq AhMyth.exe" | find "AhMyth.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq AhMyth.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- - C:\Windows\SysWOW64\find.exe
    find "AhMyth.exe"
    3⤵
    PID:2308

C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
"C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=gpu-process --field-trial-handle=1508,17527111859664491200,8527005874965820519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1516 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4828
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,17527111859664491200,8527005874965820519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2080 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=renderer --field-trial-handle=1508,17527111859664491200,8527005874965820519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\AhMyth\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=renderer --field-trial-handle=1508,17527111859664491200,8527005874965820519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\AhMyth\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2392 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1508,17527111859664491200,8527005874965820519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2680
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=gpu-process --field-trial-handle=1508,17527111859664491200,8527005874965820519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2892 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
"C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:360
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=gpu-process --field-trial-handle=1500,1930594983343271005,8030961098702284173,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1520 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4060
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,1930594983343271005,8030961098702284173,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2112 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1584
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=renderer --field-trial-handle=1500,1930594983343271005,8030961098702284173,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\AhMyth\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=renderer --field-trial-handle=1500,1930594983343271005,8030961098702284173,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\AhMyth\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "java -version"
    3⤵
    PID:4784
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java -version
      4⤵
      PID:2064
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:4032
- C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe
  "C:\Users\Admin\AppData\Local\Programs\AhMyth\AhMyth.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1500,1930594983343271005,8030961098702284173,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\AhMyth\chrome_100_percent.pak

Filesize
121KB

MD5
06baf0ad34e0231bd76651203dba8326

SHA1
a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

SHA256
5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

SHA512
aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\chrome_200_percent.pak

Filesize
181KB

MD5
57c27201e7cd33471da7ec205fe9973c

SHA1
a8e7bce09c4cbdae2797611b2be8aeb5491036f9

SHA256
dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

SHA512
57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\d3dcompiler_47.dll

Filesize
3.5MB

MD5
2f2e363c9a9baa0a9626db374cc4e8a4

SHA1
17f405e81e5fce4c5a02ca049f7bd48b31674c8f

SHA256
2630f4188bd2ea5451ca61d83869bf7068a4f0440401c949a9feb9fb476e15df

SHA512
e668a5d1f5e6f821ebfa0913e201f0dfd8da2f96605701f8db18d14ea4fdeac73aeb9b4fe1f22eaeffcdd1c0f73a6701763727d5b09775666f82b678404e4924

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\ffmpeg.dll

Filesize
2.5MB

MD5
54f1cb94776e46864f987eaf0593fbb6

SHA1
f3a9957e79ef290b31e600726b0eef771858b1bd

SHA256
81cab2e7ff56c8a06421419a2dac9481b87d5e50ef6f89a40e9de2d28d4998f2

SHA512
f5aacf89877ac29f4da3263cc7b37b5f25a3425762f96bad90a8389dc596ccef470292f548a1dfce891abd47f4df10d6f2a95fa2f1a4d3a59c2da2ed972c91cc

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\icudtl.dat

Filesize
10.0MB

MD5
ad2988770b8cb3281a28783ad833a201

SHA1
94b7586ee187d9b58405485f4c551b55615f11b5

SHA256
df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

SHA512
f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\libEGL.dll

Filesize
358KB

MD5
c83a0d55e9d4ba00a41c79a677c444f6

SHA1
798b64c0326459c99278eae214cfc6159f1ab16b

SHA256
9322a0e0d0c8a8be035d29e581de402284ffba4d980806596dedbec7be8a08ca

SHA512
121d20db79975098fdec00d4299aac57c61b3ce4bbcfa45aac79243a46052851e91b466c5f4697db039f59b02e1be7ac2f90cf6dcdc4365d8038a1387ebdeba9

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\libglesv2.dll

Filesize
6.3MB

MD5
ecabe9e35db94666c73b78408aaacc33

SHA1
29368f59ad5854d775f81f10987c5813248db413

SHA256
8b9571808714bcd01c3156c7cd254fad104797cbe1ff6c823677b713dcc352b2

SHA512
1a39cd4fb3fdca40117f62031804e48da2f7ec63fe1e6377902b5a8d5c76b3d40b155d028481801ec4338332a486c7999ee685115d5fb4546c2ddd47b0693971

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\locales\en-US.pak

Filesize
83KB

MD5
bd8f7b719110342b7cefb16ddd05ec55

SHA1
82a79aeaa1dd4b1464b67053ba1766a4498c13e7

SHA256
d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de

SHA512
7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\resources.pak

Filesize
4.8MB

MD5
d13873f6fb051266deb3599b14535806

SHA1
143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

SHA256
7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

SHA512
1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\resources\app.asar.unpacked\app\Factory\Ahmyth\res\values-ar\strings.xml

Filesize
139B

MD5
fb8f8b6b6af3fc4cc9e38049d29f68a1

SHA1
68fc85de9cfca09fd7e4ef4743107470d048eb5e

SHA256
93dc3f1043cd8ebbafc142591d8c0c1de4de841ff9d0728c681c9ce65651af01

SHA512
58554e18de5b75f0aa4624d35a1e44632379973709b2cc179e2d0523bcae038b4f8d3641459167d4b65937380e8b5aadc0636ee83b1514eec322e1ced087a13d

Download Submit
C:\Users\Admin\AppData\Local\Programs\AhMyth\v8_context_snapshot.bin

Filesize
167KB

MD5
2c28ffbe331f4a32c7799bcb941dcca1

SHA1
d572497341ac1e8079531616f0bef7611dd12243

SHA256
96d85880d161bd37a28ad13777337e5121189a6ac45b9232c74e052d6d1e27f2

SHA512
f18ca45dbd04499bb3ea74cb59414ae4bf497be0cedd96d9f3693591198a1afeaf48ae4e7c7a0c31e31c1a128a34c990f2837fb576e0ffb288edc860b27563ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46AF.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46AF.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46AF.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46AF.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46AF.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46AF.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6152a6af2f8addf5e5c9f042cbb27984

SHA1
203a099bad10d107c26880c65c3b91f0736db555

SHA256
9d7d4a188569431f5c6cd443dcef77b34501a57445565c287617aed00a77617a

SHA512
f2d11454ba1fa9c069dc623ce42368a0b3434dfcc9c08f84072de9a1062e73bf85dbfb404119ab0dad290cbc50e2a2c8aab7cc4b0b814059bf3b127d9eb7ff5e

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Cookies

Filesize
20KB

MD5
51d10912a9ff6d5aee691297c6c30d50

SHA1
77904d8bcffd1606ef1aa0652890924765394781

SHA256
1cedd7d97d40f37e34dc0bb98027f76073351eea8fcc0161b46c66595fe622c3

SHA512
bac2b7f99d19f53b9a56cb3408d7834f935009bba63196ffb66414ca64003e39f9cd76f45494b15a1f272f640a9f0a789007b4a7c22164fa40dff264550a68fc

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Network Persistent State

Filesize
263B

MD5
d2dd509625e692c95fe3be48233f732a

SHA1
36b67ac439faac59791b493cdb458f67d52ab45e

SHA256
41c84e9ebddb6362e9b835c966ba7438fe44f1b8518c55eb5d2b65233ee8c8f7

SHA512
deebfbe095d9bfd4fe78b3f16cc040c67eaf207fe9efebf1d0477104295c80c827ef42be374be727ffc9b87256b464a31866ddcb7296b4841a657e42435a6388

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Preferences

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\AhMyth\TransportSecurity

Filesize
204B

MD5
a94336895c72edfec80349684a1955ad

SHA1
2ca87a0c99f2f1b2a2f6a8c6ccc546aa959fb5b9

SHA256
959c9116e26e75790faa2eba299b4b0220ee3fb0254f19df218297bc0fae90b1

SHA512
85792937d7db10712b5f91927a0d76dfc9948da1b24a8b8ffd7b04cd60fe645725a0399aea0d1703e0c1faaa3501c4c64fea3cc8533152f910a849490df14802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2064-1724-0x0000019194170000-0x0000019194171000-memory.dmp

Filesize
4KB

Download