hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/trojans/000[.]zip

Resubmissions

13-02-2025 04:31

250213-e5sgkasqhq 10

13-02-2025 04:24

250213-e1nb2ssqep 8

Analysis

max time kernel
52s
max time network
53s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
13-02-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/000.zip

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5040	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133838942914097657"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3220	4472	chrome.exe	84
PID 4472 wrote to memory of 3220	4472	chrome.exe	84
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1968	4472	chrome.exe	85
PID 4472 wrote to memory of 1856	4472	chrome.exe	86
PID 4472 wrote to memory of 1856	4472	chrome.exe	86
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87
PID 4472 wrote to memory of 664	4472	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/000.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c744cc40,0x7ff8c744cc4c,0x7ff8c744cc58
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,13471079145804355471,17320765564123837658,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1632 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,13471079145804355471,17320765564123837658,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,13471079145804355471,17320765564123837658,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,13471079145804355471,17320765564123837658,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,13471079145804355471,17320765564123837658,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4300,i,13471079145804355471,17320765564123837658,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,13471079145804355471,17320765564123837658,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4144

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1668

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTFFRUM5NUQtQ0MzMS00NDcyLUI1QjAtMUY4MDZBNUNCRUY0fSIgdXNlcmlkPSJ7NjhCNkIwMjYtNDJDRC00NkUzLUI3MkMtM0Y5NDY2MDNGODU5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEI2MDk0MDktQTQ4Ri00RDBGLUEyODEtQUIzMDYyMkI4Mzc5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI4MjMwMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzUzNTk3Mjc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyOTIwNzE5NjYiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
814fd1cc8e79b3518403d925b7f64cae

SHA1
faa7346823543e498ee7670d76cf2ef6070ca21e

SHA256
d179999895c4ff26dfb50507dd7b4d6de2377cc7f1e0430002debc4db0f190f6

SHA512
4b79b29fb2c5b4ea1de0f8de5c140141c2e933602c560991a7141673c3101e0b0df4ebd0b280b3be9b1d89a204865c2efe68becb93487eeb0391bb2379157d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3b5cd145-bb7d-43c4-9c5b-9ac144708d21.tmp

Filesize
857B

MD5
4b6ea37e940f523163d5866843d9b096

SHA1
8007d5fc9a2f102a9ee00ad0c04911055664d44a

SHA256
c1becf7abf35efe25817e8905f5a16be82cd8abe959131a9450cdddf566fa72c

SHA512
249a490ddc62d838238cf8771aefe261e7bdf03751ab244d6fe355433d07668e52c31c25ecd0373b42ae46f0568275fc63900be4c63d1dd44d19f3259cfbf5bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
dea5f6abd895843b5bcd4de71ae68b36

SHA1
783d764add50c50957675646be99edc0cce9746f

SHA256
ecb234d598e8a3a554c64b2fec815716d83adce52bbc6ad365f6068f3f8b360b

SHA512
b24c56666af5f4dcea8f8f8f3bed8b27ee3eab3d8fa2732eb498e474c6564111c3bd435402dbc504de777e38479f380dcd3a64b94c2bdd1b5ffb41c95be12b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9e0633e7c01fa6a0b00ca44b828af9f1

SHA1
952c7d7c9a406528a111fe39fa7a580893ccf941

SHA256
3401bf99fecef7dd542ada3f9d14b7a24247bd047708f04bb3d2003ca9964542

SHA512
158f828021ce0a1da11406960e25fa42aac0d534f2048fef48ea2deab4130e36e8987848eb019a85c1ba3ef092ac1aca525810fb302a99387a646ffe14438810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
30d46d7de9c11497e3b41c38d3f4b233

SHA1
0a547b6252220f33ec531b38fb8b22b271970310

SHA256
d634000ff4c6ad1ddc8a69dc4fea7997d49134ef16c59cdef1d9f1d9259dea4b

SHA512
6135920353808b8fffc949f4a1c4486007e3a56fd17ff9fe755ed828bc0d6728ee2ccc0b69c40e3a96ebf45376ec1eef389f0214c353e2a9a69b199458000352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b9d77467267860175b040e771459e300

SHA1
6ca6a9725ed9a158f37a125b95a73995c1ad1e0b

SHA256
b2ce17ac206a632449dfe726b55143971a55df3ca68f31cd6a8bb36313f781b7

SHA512
3f7ad469ae8290c0da72fd1e8a964cdd4be5005f25cd970172ece13193fe2789a99113d8811542ae49e6eb255d5b574854c8d045ff404217fa2bec5374ad4d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9aa92d76e0d278ee978744227944a06d

SHA1
e13b1b0dc0d8ea62e877539159d6d979b7ebb8e0

SHA256
67e2b81c2bef5af847eedbc887b7db5afcad3578425e960afa4ff34aee5475f9

SHA512
021b66354cef658926bf1ffa198c35d9e73d56b2928b435e05c3c738855fe1f8859059f39e557623cd9495fb8c0d1d481e460758addf21460d33f5c2f16a7af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
493b20a92a22515a7bab7c975c7177e7

SHA1
c9fc75749efb1a6a2cdd126bccb33d655ff6e8e0

SHA256
d18da85f47dff64a52334400f7a8350ef78c6faed1ebab6ee3fbfd3d1ff85751

SHA512
6dc7d915b4f8aeac231511324cd25d30d00d552f791dc0719f0cfa1697bad70f24bfd2de9ecc6051a2a433366561b739c54582d832e55a3b620c76c72334b676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
d90cc517c56f3b3f17e4430aae635dfa

SHA1
94d1b47cf2ab9e709effef600d373ce08cb80c3b

SHA256
4c688c114e22ed5d4014f5514b5bb506660e15b7cab7114567da85428f68af82

SHA512
6b8dcfca32dc764799721252e38fa894ba987efe9697f9e139f80e61089415815a9d76b4b6ab860aeb7244826d8cb1355dc87f451a49235ff673804079c71a7c

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip.crdownload

Filesize
66KB

MD5
196611c89b3b180d8a638d11d50926ed

SHA1
aa98b312dc0e9d7e59bef85b704ad87dc6c582d5

SHA256
4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

SHA512
19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip:Zone.Identifier

Filesize
239B

MD5
60f9d78be0974adcd306751fa164ef90

SHA1
307318a392db6cfca6d3b96629df78f825e89ff6

SHA256
2c35612c990594c175fc04c96a4af9fedd4881477294de2de3bee9dea1ce42e7

SHA512
be4991b69a4eec668d3eeea97f4b92ddd7c14374236a670711f025da01325de92df7a8bee8d45fbfd647d88944a909137b70de3460e6616d419d1ea318a9ded1

Download Submit