hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

24/02/2025, 02:19

250224-cscjgayrdl 8

24/02/2025, 02:15

24/02/2025, 02:13

24/02/2025, 02:06

24/02/2025, 01:57

24/02/2025, 01:53

Analysis

max time kernel
104s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2025, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	3304	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
4196	Amus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848368423253513"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4196	Amus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1828	5092	chrome.exe	82
PID 5092 wrote to memory of 1828	5092	chrome.exe	82
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 4804	5092	chrome.exe	83
PID 5092 wrote to memory of 3304	5092	chrome.exe	84
PID 5092 wrote to memory of 3304	5092	chrome.exe	84
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85
PID 5092 wrote to memory of 2804	5092	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6fefcc40,0x7ffb6fefcc4c,0x7ffb6fefcc58
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2292 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2496 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1876,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5056,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5064,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5072,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5060,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5104,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5488,i,11997941063587909098,12643955287572455362,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4672
- C:\Users\Admin\Downloads\Amus.exe
  "C:\Users\Admin\Downloads\Amus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4196

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E8
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1216293c4d25377f73f972043fa401b7

SHA1
3f856dbc800dd6de473357fc9f0b3adddb96abc4

SHA256
fed68d1add8a0b0fe260eaa061d8ebee963a95ce215f91dcd78eac86d52588b5

SHA512
897ffd8610a488b00f68e13e816971093c97e5c7910eed0618bdd11282b300c8b12fae4db55c596839670a8d84b26096b74b768810be828ac80fbf899b52c8d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bf86905f0e1761c0b9c2c9f4e0624765

SHA1
55e75754a8f225ae9a5bac00e840f94cfd3f9641

SHA256
a5c488a6fe2afde4e271e6304a0d5b6e16d8c2672b88a04f2764d0e989336b5f

SHA512
865495cac513a3337d200aad65a917d6f63325d0970d1cfed116fe3bdf6d57a9c82f32d6ded5e3ebefa293eaaa9668aea677e9b5e7e330329f3bebcd72c86c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
91bc5b56f08063bea3c8bbfec3cc261d

SHA1
fbf356828974df108650f20c111dfc83addd8355

SHA256
28a04d3d734d9d942294022a3ed68ad693a6f4aa80be081deeedb06d2cf048cf

SHA512
57761a69fa7929d0a1be04c0221eb98556727eff0df104da09e775ce03b41b82448c6e05f21a0e306d6690b84d47f7952a7e6b44921d9f7fc733f5b218996f20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c7ba8e311298d21c463f8c146eda2bc

SHA1
beab017a82d847d7c03940f8ac75996c8c01fd02

SHA256
a2da6556b96821235ccd88c8f6fa15c1d6b52c6030f9e7004503a13205cdc258

SHA512
61baaf24fe981c7571d9eca2ab27904a1d7675d171931a67d1ec58a4fc0226fed410a8b58b94c6b222c7ca6197d9e09dca32b5d58719f1ba5185d17c505f5669

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
37692a2e46c3199ea090b4dd6aad7d3c

SHA1
ed6cf811968ca3dd32f49955eb86294a2e816226

SHA256
181da3d88aef821bc9cc37223f292e0e0c90d37ff0a2ce82cf8973ec0162ed15

SHA512
fc985593f8ef51d2ed091686cc9bd500da1627b9225e27edc76bc6cc4319c8b843db9aec571529a01c57af352f97e537bbbcf9d039dc559133bb3e2580cf39d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fbd46ddf460ca4a5162d15df8697f781

SHA1
9524d7e27343ea08fc2421eb1e59434af592535e

SHA256
8caab1a27035a119464c7ed257d3cf734cb61accae764ea1c16a0bb9c054bd92

SHA512
4c9414d698dfe06af47f5197d1d4b1d6467683f216eab5fb1a1a2cf7400238363d4f0b97f6190b00fc3c570f5a5530783f667516fc8be37739c083042ccc935c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7ba504a8ac44f88d6728b75c8f89f667

SHA1
2282c193545651d674975de9a4038c3e28420710

SHA256
89b9c6a4f0606e9542ebc28489ebc750eb668cd6b3847645a3c583db52c3f5c9

SHA512
4bd3683a61ed2b60a7d5c2751ab39839761c59822946dabb820b8d44fb24e03b259b4530671cfac9c6a1dac4a77c4c23c0a584c35b8e1495cfdfc69ec910571c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7327bb0aaa0543fbf9ea9ce950d1bbe6

SHA1
a195e96f6a2636c73f3d07adb837944b70223b2d

SHA256
52536e34baf53192b6e3ef705a9fed9fc6d75f7ec0ddb0802443d9661bc9d0b8

SHA512
75f6eee076195bae718af972ce74ca8a36f4a66d12f3574e43ff95a72285340d49268c27472b5f7aee6f5344a2e79985c72602322ba50e81b7204e46f862f450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2fd6da52346996d659442f0ce6d3dc3d

SHA1
436c44bc2b3607fa34ffedc03a22592d4cbc34b9

SHA256
703919ffd5262b21577d8feb962c49094a4f0be3725607ec0d68e2f613b1d5ce

SHA512
26e2253f13f39f451c794d2bdfedef857ed7175dd12cd144a6d52d32ac1e585595b6a9dfc5fa146d57f594135214b10ad4e892c581f8f8900c8178f51538f5a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27383d6bcfa9d872a834973ceb3e1366

SHA1
619d6736b52df6f2d0fbea7d31cd4f14850f54a1

SHA256
e40e1adcd2f99ca0f79dffadd09e99746e0949e46d92f4b495c2d00e56413260

SHA512
4fb261a05c2b7f3e495eb7faf7c4cc83691e608be69ca57ea81777f4fe2364ada81488aa8cb09c129678bade9f1d72e28d343b8919f55a36106b858e8930be91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb11ebb7b76f63eda2717a419014d50e

SHA1
8109e46487efec3aeefda650a4f3c4ceab24520a

SHA256
0f6f57cc341884f5305c3c1fe822e999af9aec70642bf4bd8417c41bf51ed51e

SHA512
baf4eb0393e787760acbad94da974622468edb387fe43123cba2282755be6b8e1e76e8e21d184f6549e1884e8e3887076341fb4bae3a419e93aefe462f62a7fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2452ccabc1585ce0626aad0fc2897507

SHA1
d774fe00aee1e73dc4fc1bffe41730d8bc563205

SHA256
4e1f8bca81bccca4bb8fac60aad2ac2542b99c668321c2afd38948eaa39825fb

SHA512
67852c288c4c220a633884a521cb47ebf1ffa1945f90f782f14f0ad4fe441521a0b0751755b381b067ad04d2fea85582fdca593f6927dc81084b06876cce1259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e42f958eb4dc1b96f6a870f0d5c1230

SHA1
df3618c179ecf3d3878e30d5dbceb9ee37fb1de3

SHA256
6ef458da9d31e5fea5bc090de9bf4e36e6b2f33fd8072c9f38276bd7db2165fb

SHA512
ff74d552fe8ee76a06dfc41f631887a2c6d51fc7bad847d575e4cabe43c014f9c0ba8d42fc6425111523ec980b6d0b0839cb3dd66fb7be9e19944bbb805db35c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b79d83db936efe41df14966b58771e8

SHA1
0523dc0e2634852b75a1fe90e5db269aa860a0a7

SHA256
16770ade1c0d338cc70a81daa12ce7c12254877fe83cedf106552cfa46ad8786

SHA512
dff7f99a9509fc0ca030516f27f6c624688586fafc0dee9fda6a18f6bf67f36783a3987152f29acb05824d6cd4273e4092b38596f1ccaf877a09c52af61f4608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
ada6133a5831411bc745bd023d141c08

SHA1
5cef3211736f8b3ba4c248fd06380f460e9db33f

SHA256
b4406fc6a45d022d8adcde23fdcdf7fb598888fd18497086bffb0dd86a7056ee

SHA512
c3ba2db1e600bd14e2a2f895679b9e6ab04e9f3ed25868c335ac4054d1b2ffd99b32b0ab8c9c6fc9c3d0ac1507cece54773a3ce640fd3ba83eceb81b49ee9585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
9b0c95eab83fda1d48c0560e4c393a99

SHA1
815fe21ba3121accbd5621ed67ae17dc9fe1ab28

SHA256
168d3636ad5d0421fd17bdaaf9d8c380da4fcc9bb6f79c49689bd2213741c9b4

SHA512
7206e04150de3379eea1ec5a53ed1ce8c6d7e836fa5b0cf0aec6234b2cac86f06f60f8e506ac841261409c95de06560a2297e75c499f220aa6192cb9725c018f

Download Submit
C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier

Filesize
223B

MD5
de655c6be12c4ca3f066e83c2bdc0a25

SHA1
16e4fd6d25a44e9ad776169bd6652bd3dff1d0f2

SHA256
9992cc03e025ef4e0925fa7fb763e66e263185352f44ddf6249124ea7e07b0e2

SHA512
934f49066ad9e3a24ddf808fa3da5fe27f578cf4a277560d7e44e0d32cbd547adbacab9ae056cbb26b89f63074923466b05c0fbe9207cfd96af346289226ee37

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 218660.crdownload

Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
memory/4196-284-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download