cryptbot | hxxps://href[.]li/?hxxps://cdn[.]discordapp[.]com/attachments/1280285701857869877/1285299774181867581/freeloadingversion-toolkit[.]zip?ex=66e9c431&is=66e872b1&hm=cb7ea93757308bd0911818e2b428fafe50e04d60654cc13d7c72742c5cd07e2b&

Analysis

max time kernel
126s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
17/09/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://href.li/?https://cdn.discordapp.com/attachments/1280285701857869877/1285299774181867581/freeloadingversion-toolkit.zip?ex=66e9c431&is=66e872b1&hm=cb7ea93757308bd0911818e2b428fafe50e04d60654cc13d7c72742c5cd07e2b&

Score

10^/10

cryptbot credential_access discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

forcj4vt.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 7 IoCs

pid	Process
2636	Set-up.exe
2736	wtrPhUIRdE.exe
428	MicrosoftToolkit.exe
2068	Microsoft Toolkit1.exe
3724	Microsoft Toolkit1.exe
2920	Set-up.exe
4720	MicrosoftToolkit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	href.li
3	href.li

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AutoKMS\AutoKMS.exe	Microsoft Toolkit1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtrPhUIRdE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftToolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftToolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wtrPhUIRdE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wtrPhUIRdE.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133710215112575438"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1904	4696	chrome.exe	71
PID 4696 wrote to memory of 1904	4696	chrome.exe	71
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 4048	4696	chrome.exe	73
PID 4696 wrote to memory of 3516	4696	chrome.exe	74
PID 4696 wrote to memory of 3516	4696	chrome.exe	74
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75
PID 4696 wrote to memory of 516	4696	chrome.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://href.li/?https://cdn.discordapp.com/attachments/1280285701857869877/1285299774181867581/freeloadingversion-toolkit.zip?ex=66e9c431&is=66e872b1&hm=cb7ea93757308bd0911818e2b428fafe50e04d60654cc13d7c72742c5cd07e2b&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcb8cb9758,0x7ffcb8cb9768,0x7ffcb8cb9778
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:2
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:8
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5260 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4432 --field-trial-handle=1752,i,11658475527142840917,9909653898960982938,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1407:114:7zEvent16659
1⤵
PID:2740

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\freeloadingversion-toolkit\" -spe -an -ai#7zMap5175:114:7zEvent11270
1⤵
PID:4396

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\freeloadingversion-toolkit\" -an -ai#7zMap164:148:7zEvent15540
1⤵
PID:4212

C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Set-up.exe
"C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636
- C:\Users\Admin\AppData\Local\Temp\wtrPhUIRdE.exe
  "C:\Users\Admin\AppData\Local\Temp\wtrPhUIRdE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\service123.exe
    "C:\Users\Admin\AppData\Local\Temp\service123.exe"
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:428
- - C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Microsoft Toolkit1.exe
    "C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Microsoft Toolkit1.exe"
    3⤵
    - Executes dropped EXE
    PID:2068

C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Microsoft Toolkit1.exe
"C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Microsoft Toolkit1.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3724

C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Set-up.exe
"C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920
- C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Microsoft Toolkit1.exe
    "C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Microsoft Toolkit1.exe"
    3⤵
    PID:2672

C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Set-up.exe
"C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Set-up.exe"
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Toolkit\Settings.xml

Filesize
2KB

MD5
a97c232b9be25e5437b15e1ea7de11d6

SHA1
22b8fc8509439799e8eaebcfd28a5a78c4b14ae6

SHA256
062592bb39713abb43c09b0a1b35b45570e1581e82cd7a23ae9ad0338e01518c

SHA512
88d092336e1ed366729651100a2bf1d3c01046946fc8d75956eea5d4dc6f94e88cf31c5e0653c03f771fc5ea3e06270c60215adbae8441d504ee842262c942db

Download Submit
C:\ProgramData\Microsoft Toolkit\Settings.xml

Filesize
2KB

MD5
d9035ffa214d9a2c2e3bf5a81a0727e6

SHA1
057e1255c10950df3e0bff21c3a0c72fe5f7a729

SHA256
ccf8796cc4edf0d15ed986a8f32033a9c693ac634ee625ce778d5323939221c3

SHA512
34184eee57c15e7f5de544f12a2651b4737defdc2c42258625a8605984955a337d19a1164e5cb6d786549435a74ea38c1e00889a4b4e638484ab3c2ceb335fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
22.8MB

MD5
c4db5f7ed77ce7d64e1e8552943212ef

SHA1
6726758a1f4a706508cb26894b7a7d3fcd190912

SHA256
cde15b02521c2d2e700f16878d1598d1ca0d1349fe062284cb12d74fb8032f8e

SHA512
898df8cf6b83dabe305957da4f959a813617d8922553c8ea8dd5fe7eb88f628c2aff97bd9953fb28bd9d837ac48590802797d49da1e2cb353202764005932813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
e687a09667a42b3dfae9c77dd688b4b3

SHA1
1c7498bbfddbb1f8fc7fb4f6edca12adf19c06c3

SHA256
a58dbb0f1b375ea010ca15cb19eaf1713d8d9eb3775808b4cf0a54b4dfb57e65

SHA512
217d80b35bee0cdf6561607b0b8f9600e8d3520b020d6dcd41108c955375e52c5fc651637f0e8e5d81528e5e0c831b9e469f2bdbd2c2686d300e7ff2bf1685a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9f29f09bebaeb728d6f5e3c7c7b6ab4f

SHA1
1c3c25a92e75e83c0c20a0a7c8a070ada07c32ee

SHA256
9165d916fd3cf11ded81b66a569077ba73a28449d677a2014005173607781831

SHA512
1e9a5fd394a82c303e6a3b09184fb615ad9c42c029e9824543f0e09917eb292000d269fdaa074890146b1e47823be75568bdfa6110090b9532a92a6ec30f28df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
372B

MD5
a7a794986e3f4d8353c77f295fdd3740

SHA1
d479bd9d059c0fff2d8ccb7f7e179975e0407caf

SHA256
d0bf8ff7d6a5c256ad0abd470116aade771b8393a3fe4be1f8ce1e01ec1d2cc1

SHA512
34796e4c4c26eebf449c2cf81f80ec4bd79bec089af89917f0da354d6d0f164ac1dea400cf5e5df5404d97822172b590338f3832ab8a6efcc230f1771fe2b08f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
372B

MD5
5bb41a06ae7b9069b5ba2ee9dac8ee59

SHA1
4bafc5d003b0bd59b63bf2c217407185e61c8fe2

SHA256
726f372043e9e5b3dbeb2d0ea0181b0430fd2d1a9b6fcfb210e845918d95076b

SHA512
92743c9773a0304e6df689aa461c85fd9d4db07502f33a9973b1b3ff605700839614962bb6359476804b52801c95c029501f210d27b95742e5de63c11febfa96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b05fb51e893d8e7d54af19e5ddb0d82e

SHA1
ccef37778795ecc0a53ca587b2a456ebe7831fe9

SHA256
d5c30e318f1c9f53ce947e355295a0561172e3d6b5f909049e0452241f47d284

SHA512
659d47e4e2eda90e853793400fabaa7d91ae5c932b83f2ca0669520b58a6f66d199ab48bd78ca7d1384adf82464f0c7b95e966bac69d51530ce7c88c7ca498c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c97bdd501332eeff038621b538c5e65e

SHA1
127fa8081cd5cb178288a581dfb8b006f087ddb2

SHA256
d19bc794c35091305d12f2193bda13f6a17c48b1b39ee7b885471b0ec4ae77cc

SHA512
0328bfb1c3bd1b3633d26c167f379b7915d2bbd0d13b94ff2af7ec25fbaf1685ffb8487269348cf263682be43750b5d409310d67f3d954a4a33912c0358628c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0884c6437ccd4417c447da40f6d89550

SHA1
e87e6167a0fdfe5578e5267113962f1a1e930780

SHA256
ff224066b72701e537a3bd6b4d36f7aaa15564d84827d45e58a2f7d40ca7ee71

SHA512
6f361c65cd733b267f1522afe0ebb41bc03c79b4a7a64d3b7151284d22cb936a5cbc5dacafe5b504a9c3b68f2c802fe8495b07c3038dfb7e7f7814300be8a662

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
44677dce1b0eeffe83191679d4dd9c3d

SHA1
abb682991ece0aef8495b581f29834b0cdaa0029

SHA256
83fe154f72dc8e0b53c22179a2749539ce4b4008fdd3bb687a7e8b569599f9f9

SHA512
1ed232cae8841558a0f6bc47a16fc52d6c55f83d57fa935b6bc9709541169d4f9c659ae6b36d9bb16fbfaf895f3774e5c955be9d4e3e66ebb5956d77a77665a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
23af3065223e42623f7f2a59fd36ea26

SHA1
1448ffb78d45bb3ca96b2dd0bc2cb968a1cd958d

SHA256
722ab590555185088ea78835da530c4314ceb33457be182b844af164b39f534c

SHA512
c85467f1685aa760b4b5fa310b19d60a506f7edad2734e55c133081958cc7ba8a078bcfcac1eafd253e6666b9bf8982e75fe925ea2115808f1fe7d3268139936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
812d1e99ce5b21027324181fa7716d49

SHA1
0d9db36d0eccaf2afc67d02e63931a10c8c75316

SHA256
be8c0540d41e01090283c025978ec38fa4aa229dfe5a1124c857cf15f9c7a2ba

SHA512
7d52c10251e44669f9fac9184efd283ddc7aeb24726d73c610216eef93fb5e55a6582e422a689e08c9b553f40843d7a6e619787d27fe34a6f2481e5e036c727e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
8e8bb9a4ae0dd663d571e2df3437018d

SHA1
6fe16b32dac3fa846ed3d3fadb16e7dd4ea3315a

SHA256
bba42dfb3938ab92fd8d0f3483a524951632b9ddc45aef88f325fc9e7956dbaa

SHA512
0d7523e573b33e0c8d690e16132c29f47b54371ea839e8b869b25511ad5f86c3501e1f673b8e43e1d43ff97438073f5af7abb920ea94d9c2492cf2e1a09c60a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
50b9e39192b74e4ab4ca42ef162d6e45

SHA1
9561562ba3b787e5b82268e96401443bebcf20c8

SHA256
5d2c96820f91ec26a3a5f374ea056c8e7f7feaabcde45a251e88aa90da9e777b

SHA512
8fbfc5be1cd034725eca886cf363460766c718956e8514b48fb6e431fe9a0485a5088751facdbd84e547e2084539731321a8c45d35a4df2f01841b463266dc4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Microsoft Toolkit1.exe.log

Filesize
2KB

MD5
0e839622914b061b7d2ce53956b2779f

SHA1
306c156d2041cf65ef119fbdd8978ca03b3fba00

SHA256
050030edbbdd56b603cd340ed7b3de3f7d0bd7c08c534c225fc999970c2000b6

SHA512
2f1d9ee46710e1aef405091f81e6f1cef18ac7a7280844b15ee0a89716c9eb4d5ff406acc71c35c1376321fb56b6c029547066e11bd032241479a6afe3abda84

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

Filesize
13.5MB

MD5
008c96c28b4d4102ccb81ad3f43c5382

SHA1
2ca6124f6b6ef50e52bb20577bea7868a1d2d294

SHA256
bd319b39ef0bace0f893d310289c4a6abda05a773f91838a0c337fa24244ebf1

SHA512
28f5b436f82d5d60bee3bcf8ee450a0f122343064de5613a6b1417896070efc6ba6ae34eb2240e5a4074e87a8ba03f7ee82a50a1bf1f391fc790932081195141

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

Filesize
5.8MB

MD5
5acd49c7e643f60a7867e090ab399e05

SHA1
9c3102c12a44b6114b9add18039bd6c1b0814b30

SHA256
50f0a180bf9fe2aa89b43513ab00e132db4693b895854c18ee764f08b1416101

SHA512
6dcd753afb22f6a4d5f859798caa929f8a55c474ca641051988902324db5a9e8c9197318aa7f9ab55ac7ff94a6a3951b6a0f607f02b3488fc9f00558a8d84e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

Filesize
5.8MB

MD5
8f447625f3718a375b4c58f1acea60a8

SHA1
56c680fdffe9167b517b85b3159dd88df609f92d

SHA256
23e3f58c7b4c80e7c43e81f8a7c09577e990a718c8d93af1965e7e62f8a1603b

SHA512
b916875ff526c0c5d05daf8f6958148d5e64f136a691f7b633bf7d0820c455a6efa44f0d566e5142172558d7bb87555d63c4821bf14ba378a855b2377e1aad28

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtrPhUIRdE.exe

Filesize
6.3MB

MD5
10d923a54a5906100eeda2d03f4532cd

SHA1
253fb115f175e8eaceff4445358c45d0d1730054

SHA256
66cd2e1d70fca5bcdf23d3a82663511f45f45181a156d22ad7bad57dd2829771

SHA512
fd16c8fc03ed97ea87b42f0161d6cbc97043dacc8f6e409dcb87b960570c6404ceeaca189e0ea26c80f26c98d4361d51d899f3993523bc9ecf713771236528f6

Download Submit
C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit.rar

Filesize
22.8MB

MD5
3ac34d5d6b24d7b127d8e641fce3699c

SHA1
614f21056399f327a7e36bdfb9789c6cb41af47c

SHA256
94cf8f466968d31c7f2dd7e0964c852e4b6c63806be00027bfc2e492d2691301

SHA512
6346fefc65f6bea10e0da85219ac7dfd015a44520bd730c025e51172856c6e155648d57ee50b95d6db7e7ad5442ecd9216eef91dce52b50cc4a0433792428d46

Download Submit
C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Microsoft Toolkit1.exe

Filesize
14.0MB

MD5
c8d1768749bebcd640ec4f1fcdefa672

SHA1
92ad8c40f7182c510f76c75ecf87629d44c3c868

SHA256
41d03420c1c23458eca45dbcdb8236dd39f0b28e2ac2bfb61f951f31c9a5b279

SHA512
4fb64770a4bf0721e26a382fd7f36196f0b0fe2d2f8e7b106cccc7fa8d6118c1771ff939d8aa702dd654f9c638b5a67c8a7123652806cab58ff538e61c30c253

Download Submit
C:\Users\Admin\Downloads\freeloadingversion-toolkit\МicrоsоftTооlkit\Set-up.exe

Filesize
15.9MB

MD5
204f1c7adce5976cca97d6e67502b539

SHA1
0667ec560ac96cf66d9df58448238522ce185c38

SHA256
0f08589bb10e1639db1af77cb1d19c811410167a574111a9aec05bbad6cc3b82

SHA512
a293b454594504821268e608a3a5724e1e1c7f13c874069720e86f7b6725208d23fdc6a17cc0888ed8b90d1b770ac49b0d13c79f1439c077e2c293290140d10c

Download Submit
memory/2068-320-0x0000000000B00000-0x00000000018FA000-memory.dmp

Filesize
14.0MB

Download
memory/2636-316-0x0000000000130000-0x0000000001117000-memory.dmp

Filesize
15.9MB

Download
memory/2636-420-0x0000000000130000-0x0000000001117000-memory.dmp

Filesize
15.9MB

Download
memory/2736-361-0x0000000000400000-0x000000000106B000-memory.dmp

Filesize
12.4MB

Download
memory/2736-419-0x0000000000400000-0x000000000106B000-memory.dmp

Filesize
12.4MB

Download
memory/2736-327-0x0000000000400000-0x000000000106B000-memory.dmp

Filesize
12.4MB

Download
memory/2920-410-0x0000000000130000-0x0000000001117000-memory.dmp

Filesize
15.9MB

Download
memory/3156-414-0x0000000000130000-0x0000000001117000-memory.dmp

Filesize
15.9MB

Download
memory/3724-367-0x000000001F550000-0x000000002060C000-memory.dmp

Filesize
16.7MB

Download
memory/4036-423-0x0000000001230000-0x0000000001241000-memory.dmp

Filesize
68KB

Download
memory/4036-424-0x0000000072E40000-0x0000000072F7C000-memory.dmp

Filesize
1.2MB

Download