fc4880ca9e55f57a69fcbc047e67bff7af42db510b00c337235af31858d95beb

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AhMyth-master/.github/Dev/01. Server Updates.js
Size

18KB
MD5

ea60720a439cf98b0c2ee27785ee4b0e
SHA1

c504c61b41272e061526e070b5368b32883157d6
SHA256

49c415f266acc83363e09d7c598afcd67fc2a39c6bc0e5ce2b3b8891d7fba3a9
SHA512

4baf154b81ae258723c2536a46edb5b636911227d04328bed3f64bb1ff55ac390bc5f3adb4510abb448474d373da54660dc6a8bed30275e9129bb8d3095291f4
SSDEEP

192:/BmBYL6VYLE/zB+2IQU7jYuJcWBARP7E65BH6BNvekwsOftPTW:/BwOQU7hBQPv+NKtPTW

Score

4^/10

discovery execution

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2360	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	firefox.exe
Token: SeDebugPrivilege	1636	firefox.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
2360	WINWORD.EXE
2360	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 468 wrote to memory of 1636	468	firefox.exe	36
PID 1636 wrote to memory of 2316	1636	firefox.exe	37
PID 1636 wrote to memory of 2316	1636	firefox.exe	37
PID 1636 wrote to memory of 2316	1636	firefox.exe	37
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2436	1636	firefox.exe	38
PID 1636 wrote to memory of 2632	1636	firefox.exe	39
PID 1636 wrote to memory of 2632	1636	firefox.exe	39
PID 1636 wrote to memory of 2632	1636	firefox.exe	39
PID 1636 wrote to memory of 2632	1636	firefox.exe	39
PID 1636 wrote to memory of 2632	1636	firefox.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\AhMyth-master\.github\Dev\01. Server Updates.js"
1⤵
PID:2544

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1916

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.0.1853549715\1370867246" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a99d7ad3-b3d1-4b66-b84e-de33e18506d4} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1296 10df4458 gpu
    3⤵
    PID:2316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.1.1377536366\2109635896" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afd9b68d-169b-4238-b278-ab8eed0a35fd} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1488 e6f558 socket
    3⤵
    - Checks processor information in registry
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.2.1720485059\483944785" -childID 1 -isForBrowser -prefsHandle 2132 -prefMapHandle 2148 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be639a7c-c541-4538-93c2-68ed02ceadc8} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 2124 19f83e58 tab
    3⤵
    PID:2632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.3.187557099\1204182154" -childID 2 -isForBrowser -prefsHandle 800 -prefMapHandle 1656 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc8a02a-44a1-4f37-babf-698cb19cfbf0} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 580 e71658 tab
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.4.1074473997\228330116" -childID 3 -isForBrowser -prefsHandle 2768 -prefMapHandle 2764 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c004d2-4393-416d-9ade-37833772ac40} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 2780 e61958 tab
    3⤵
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.5.2107023155\1586520334" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3de09a9-7b8c-49f7-a31f-30414ee780f0} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3464 1ec7e558 tab
    3⤵
    PID:2400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.6.1612849633\1122615951" -childID 5 -isForBrowser -prefsHandle 3920 -prefMapHandle 3924 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50e56cf3-58e4-4d5d-903e-66fe69e44072} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3908 1ec81558 tab
    3⤵
    PID:3060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.7.146993085\656759987" -childID 6 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {171e15ac-399a-46e3-b9ba-003ceccbfdab} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 4100 204ec558 tab
    3⤵
    PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.8.557719736\1305240268" -childID 7 -isForBrowser -prefsHandle 4412 -prefMapHandle 4416 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28489f2a-5781-47ca-8bee-cfc4fed7c7b9} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3660 21f60258 tab
    3⤵
    PID:1500

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GetCheckpoint.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6699758,0x7fef6699768,0x7fef6699778
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1180,i,7671326656726886659,12877552896723104190,131072 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1180,i,7671326656726886659,12877552896723104190,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 --field-trial-handle=1180,i,7671326656726886659,12877552896723104190,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1496 --field-trial-handle=1180,i,7671326656726886659,12877552896723104190,131072 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1180,i,7671326656726886659,12877552896723104190,131072 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1356 --field-trial-handle=1180,i,7671326656726886659,12877552896723104190,131072 /prefetch:2
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2268 --field-trial-handle=1180,i,7671326656726886659,12877552896723104190,131072 /prefetch:1
  2⤵
  PID:2356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9aa4789c-b981-46ce-bfe7-4563dde1b775.tmp

Filesize
311KB

MD5
b2697db3d8db8deb83f3222ec07c6ffe

SHA1
ff82b1193912987a4015977de4a158b58ac3d3c2

SHA256
73180c457bf6459053ef54b9634c05a034e7d7d5c1db32eda5f09b09ddc81394

SHA512
4b988b9fe13e660a8b195af546594fa3cb0141bcd1924a1ba05a60c34241c1a2e59695462124db5354c2ab7fc248a49e85e2147683f9d11de0dd061825c87e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
b76dc30186deb2e8fa7249cabce6911c

SHA1
c8edfd3d4ebbc4d92b6099a1d2fc16010ccb8de3

SHA256
46729fcc8bad24aaf0b48bd36587674d882dd73383ea0af1f06b9013f6e9a22f

SHA512
b100ce1ead861b073305ca50a584667e5b2e66f5e1cda69851f0ce21995b19eb80b82ca047a819fe9174ad4b5f06b5c63d39166de95ce5953886f854c6519318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
522e39e7594b1c4eac5240f0fd05216a

SHA1
7ff1e0349d38ba5f608336010e9465c7a324967c

SHA256
d6a1e33be4eeba336bd3451708aa7c158723891985a372b1390050d7a01d94ad

SHA512
cca77f7473ddb24275bc075756a9507ea04f19daadf98a3857a683792675e9d53c681cfd50d042b9fa11630e1b38b7495858ad311a9b0904bec033b8854bce91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
c2a4067d2e62a326ab293a7cfcb0d157

SHA1
b6061c0b7584baf02b925c69222ff4da6340b7f2

SHA256
75e370d2bca9928d224b2ad6f41b8931eeb4d984ce3382416a63b49f33bcfbae

SHA512
c780ffe4d819ba70db655a13115afd014de3de2f7d1ff5987a356014c602760ba9df32cc1d58b9adfcb7b1cc595ea2846d5936ca324ed208aba86b1668b6fb0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
807f2c5d34f566cc927f499fc0902b88

SHA1
26b4ac88ea6739dfdb9ec00b534fbfecbab2bb1f

SHA256
a40165d27d8ad689e8b3013cf3974af3800b42243facbc7c62e079e9df848dd5

SHA512
97d3c71c1a54ab93cf7b7f80fcecf63bd9de5d768624b0890ee4a19466b74c3c3c10d1daefc650f731876d42d12f82be08149eb70c945ca2baf797502a11cd44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\3ee67599-3560-401c-bf05-83136ce8d384

Filesize
745B

MD5
de1560473a01bddd4a7152f43d0fbd65

SHA1
4043964b0a2494f88cd2224ca9d46495b4a740fe

SHA256
4e3187d81c568dbbb6619fc2cb27d69ed90a36347f34eb9126d9f769e43f857f

SHA512
056c701748fe2ee327ad9c16b22d1bfa8af5b64610fc095d80454bf2b29beae9eb476ba8b3a5f46ffc4094f754373a7305747c454f9770a63d256b12aba81b09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\7a07a086-2483-4a85-ae1f-7d4bc4079998

Filesize
10KB

MD5
5493f7f22a3b56a493e4cf037bca30e1

SHA1
691658e0db8e71e55df1f90364fe1fa4e21bbd21

SHA256
6f93e93ad666c6073bc65cd3ac90e012df80ea4d60777c035f2a7bbd446196ea

SHA512
a144f8a8a260c5ea9895dbafc15e1be5ebfbdef8f4277291d61ae0d44dd06726a27d38aafa2ac8ffc1add7aeacdfc3935b078f1a4458006d88b1a296698c5222

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
1aa29706a882f88b8babe3dc47ebfc6f

SHA1
7896e790db715675342d0e2907900826de9d5a69

SHA256
30bab5b67e34612bb6bf5445658d9cef9477c4ee16237d2972ae8698b71c77e6

SHA512
d6c416fe7e55d3d8712423bb8de3e2690c485eb7ec40151985c726132bfe21b5294118be20e60771357254d1e3829f0ab6247a6a53257ee310efdcce97e5dd64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
1b6d469ebb22e272805573e327280aa9

SHA1
a74fddf8072f4213675a1d0315744778e0b14a51

SHA256
b182b622841cd8511e53c4dcf9c2d86ce4e5b8ed86f923b839a6c3420b28ba60

SHA512
9fc3f05c1f7b1a08d7e83c699876c73983cddb01ba8ec2dab97a7fe8b38adb60e8792cfdce252225ccdbb93e34617a73612fce8b6aeec88816fb3066fe3a800e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
b4feb09fc7d91691f10b174e675bcf1d

SHA1
e8b030659ea22f4f0dc925079d3e55891ffa23a1

SHA256
9809927962d497373a28b300893d5a8362b8e082a03ef50f2bb0b51104f0d82c

SHA512
0d8b5753db924b927262ff4d7b7222b6f19cadc449a1c48c60c7b186fac8fed338e6988c7a1f1ac387e9b15a483134940d3fc38f2a034f594624846cbb72dec0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ebf8c3bf36e1bf01657426f22ab1bb6b

SHA1
a2ec45444a2d6996ab151f40081a7a1245b68d07

SHA256
72c3209c94e90daa6e0e8b26d32507b3f692e0f22fa6f379bc329d4496c64980

SHA512
81384f5efe6d057022fefcd8f58e750201f6166d658eae3e62ca5c59114118ac5038deb06b22333e9f100db7ea37a8feda8baafb9ceda33b0ddc00361114bef7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
5f67588da12955d9e065494ad30b9039

SHA1
f95a160ecdeafaa5c9f3948f05ac6d9da014f234

SHA256
6314fa5c30e73879a55575836c93701d1b882c60eaabe4f2956171cb440fbef8

SHA512
59ddaf911c2f6fca21fe973f4b53b181a03b6fc44f11fdbef8845cc79af9c6ba9512afb86ec4fc73f8191389f74727e6a2882f3565789c23da6dd75166eb5ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
89223823a536b9c9b6df54593ec5ca84

SHA1
48f5143e925061b00a4f164bee4ce2b8e5e2bc2b

SHA256
78dc43c5be9159c6a844bcc0555dbf14369067d7e923d797a18f520038f5e5a3

SHA512
344a79aa6f2bf2fe24b217a523f661434b7da53de8ccd5deb4ee5dc6207fc8d89d3327cdbec5718ec25e429f0c3d2e529db027b76ba1285d806c3922eb516983

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
fb8a0600f09d8ec869f1df2a8659ee8f

SHA1
6e0fe8298921bc24355e14b84b539546e9da421e

SHA256
4c6523e5c05088327cccf192d97cc3c781bd4861771e3c78ee63e9ff30e20eb8

SHA512
13d8633915425508603b8d8e758b7cd9f2128c16972259631e4d87e3dd71eeef139bbb009f330dfa2da5acb33b1e8978667fe7367b57848c17b1e19899c10a46

Download Submit
memory/2360-309-0x000000002F041000-0x000000002F042000-memory.dmp

Filesize
4KB

Download
memory/2360-310-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-311-0x0000000071A7D000-0x0000000071A88000-memory.dmp

Filesize
44KB

Download
memory/2360-341-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-342-0x0000000071A7D000-0x0000000071A88000-memory.dmp

Filesize
44KB

Download