cryptbot | hxxps://href[.]li/?hxxps://cdn[.]discordapp[.]com/attachments/1285506775860379794/1286022605610160178/toolkitfreeloadversion[.]zip?ex=66ec6562&is=66eb13e2&hm=a600496858ec5259d439ace15a52f46a4a3d69ebbf2ca63d38f15f0497be7380&

Analysis

max time kernel
73s
max time network
71s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18/09/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://href.li/?https://cdn.discordapp.com/attachments/1285506775860379794/1286022605610160178/toolkitfreeloadversion.zip?ex=66ec6562&is=66eb13e2&hm=a600496858ec5259d439ace15a52f46a4a3d69ebbf2ca63d38f15f0497be7380&

Score

10^/10

cryptbot credential_access discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

forcf4ht.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 11 IoCs

pid	Process
2636	Set-up.exe
4196	qIGWsleMfV.exe
2152	MicrosoftToolkit.exe
2136	Microsoft Toolkit1.exe
4456	Set-up.exe
1552	MicrosoftToolkit.exe
3800	Microsoft Toolkit1.exe
4636	Microsoft Toolkit1.exe
2632	Set-up.exe
2380	MicrosoftToolkit.exe
1544	Microsoft Toolkit1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	href.li
3	href.li
4	href.li

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftToolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftToolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftToolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qIGWsleMfV.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	qIGWsleMfV.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qIGWsleMfV.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeRestorePrivilege	1372	7zG.exe
Token: 35	1372	7zG.exe
Token: SeSecurityPrivilege	1372	7zG.exe
Token: SeSecurityPrivilege	1372	7zG.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
1372	7zG.exe
2236	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4612	2428	chrome.exe	75
PID 2428 wrote to memory of 4612	2428	chrome.exe	75
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 1252	2428	chrome.exe	77
PID 2428 wrote to memory of 3856	2428	chrome.exe	78
PID 2428 wrote to memory of 3856	2428	chrome.exe	78
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79
PID 2428 wrote to memory of 1980	2428	chrome.exe	79

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://href.li/?https://cdn.discordapp.com/attachments/1285506775860379794/1286022605610160178/toolkitfreeloadversion.zip?ex=66ec6562&is=66eb13e2&hm=a600496858ec5259d439ace15a52f46a4a3d69ebbf2ca63d38f15f0497be7380&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff81c109758,0x7ff81c109768,0x7ff81c109778
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1840,i,15913531072812334298,13642800910576702285,131072 /prefetch:2
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1840,i,15913531072812334298,13642800910576702285,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1864 --field-trial-handle=1840,i,15913531072812334298,13642800910576702285,131072 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1840,i,15913531072812334298,13642800910576702285,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1840,i,15913531072812334298,13642800910576702285,131072 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1840,i,15913531072812334298,13642800910576702285,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 --field-trial-handle=1840,i,15913531072812334298,13642800910576702285,131072 /prefetch:8
  2⤵
  PID:3584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1812

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\toolkitfreeloadversion\" -spe -an -ai#7zMap23959:106:7zEvent19565
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1372

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\toolkitfreeloadversion\" -an -ai#7zMap13530:140:7zEvent28043
1⤵
- Suspicious use of FindShellTrayWindow
PID:2236

C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Set-up.exe
"C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636
- C:\Users\Admin\AppData\Local\Temp\qIGWsleMfV.exe
  "C:\Users\Admin\AppData\Local\Temp\qIGWsleMfV.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2152
- - C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe
    "C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe"
    3⤵
    - Executes dropped EXE
    PID:2136

C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Set-up.exe
"C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4456
- C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1552
- - C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe
    "C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe"
    3⤵
    - Executes dropped EXE
    PID:3800

C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe
"C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe"
1⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Set-up.exe
"C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632
- C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe
    "C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe"
    3⤵
    - Executes dropped EXE
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Toolkit\Settings.xml

Filesize
2KB

MD5
a97c232b9be25e5437b15e1ea7de11d6

SHA1
22b8fc8509439799e8eaebcfd28a5a78c4b14ae6

SHA256
062592bb39713abb43c09b0a1b35b45570e1581e82cd7a23ae9ad0338e01518c

SHA512
88d092336e1ed366729651100a2bf1d3c01046946fc8d75956eea5d4dc6f94e88cf31c5e0653c03f771fc5ea3e06270c60215adbae8441d504ee842262c942db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
652b68edbd682725439b82a4e90d2c81

SHA1
50893413e9ddca0bc9dce5db28b5db82f290f415

SHA256
825612fc06549e51016052cb3b6d22ee1a6cf1fb67f6c4600bf73440ee5c80e1

SHA512
de91c356959b4f6c03729ed80b8dcfcef22825175b181caf7ddc20fef25bf5597a53ac457bfdd5844890279620580f8877d181905df9a16e216b0c5ca2a2629d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
861B

MD5
acd6a5ddb8a6f737f0740f587c513924

SHA1
80d5123526bc9813bc05fd29fcc02225941cc1ca

SHA256
b20ad21ffc0a64bf96dcd74cc819dbbe4d940b89bd01e621d4ef266668f5b202

SHA512
e252bd7a2b57dd25c36fa1991f3a47f95caeec3fbca4634bf5c9e15beb401caa0d6ccdba205c8dfcfb27844824afb0250ab3c3329f36c22ee31664326bdcddab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
535B

MD5
89d600f17e7175fc42c1216912ec6200

SHA1
586912d30aa872aea2ad67f527a8fa231e4abebd

SHA256
dcc103533e3f4dd46392b3d434c512d3b0f0028a90fb97e306fec0125b417aed

SHA512
ceafa91fdd91ac54ad8c5f0452116f5df3325ed75f7e0318a77ed2fb2f53b3a60562e826231d50f7dfdfa89edabc001b47cd54d1656d3079ca8c41c1e6819469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
06d2276c1a748cd796bacf414dbd1ecb

SHA1
978a25d30c0e542dcfcb560c4c0604bab43282c0

SHA256
7fd423be5aca21be15977dbe7f76d399fc921d7681d9029826233e1bafabab79

SHA512
d9a53adef0bfde940e407523e94638a4c1e6b3df8d4e2d5ad4abfa3d75796024976d1472b08279fb6b7fc62773f314c725adcf7721ecef9417230e3e738cdf91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ae2d0187bb5d685053761d50fab1534a

SHA1
fa62f770a1242aec68dc6c9668749a7361671cf0

SHA256
84be13f8e5b626e00ad8537f78d9eda38b5591d794db434c1716dd36430fe77e

SHA512
17a5afbcc5ebd7dc794dde547dc1875b7c2ac4cddf04ada94ad57cad984700be90c9800336b45b50af52eb8a6e97dd86aa3352a4d6b1b1bb1e9f6b40d1b42908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3874ce2f33a58a95fb22e298cc57e2da

SHA1
58f7de9e7234c43bbdcf314bb858b9363028d4c9

SHA256
0aa8551ef19aef601bd68e8ae3bc3bb5ddef2fdae95485fed90d62a30fbc7e1b

SHA512
d2e4ebf628f600bbc6d2ea5417cc02e78f9dbdbbe58e4b7cc6b324efb45842440a30493e092d9f69b11bbf1467cad9f11e49aff0fc5dc8d236e79f90c89ed349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
71af764e166355b1a258ba7c2e8af88f

SHA1
b9ade54d8fcb7a48f23a3ccf3ad1ab9d1da92a11

SHA256
172d9eeaca012d179a9b7f3ec7239ef5c24f003d47904d340b1c74cfb890d7c4

SHA512
80d59ece9f6f30f0603789cfc9b6496954e25bc3de7d5555690d87ef5c24c19a01aaac593b99eb3c6523ffa38886fd8c8022a9002269231eae0a3458408aeac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e2a0c7d60ca2614a14a60b533ad29eee

SHA1
d7fbaa43fe9d7eab05f709b76674daf70581447c

SHA256
7dabe5c08042f2307c4c7a66360d23c73162b89c4b74fcb84b0f6b09c6cabc79

SHA512
37bd4c28b53dac943b34a01aca908227e639263c4f90775506e329cb32b32ebb3056d8404eca6e7429daf6f800b826bcd7f70d1f4bd4ea913510bec216bc1986

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

Filesize
13.5MB

MD5
008c96c28b4d4102ccb81ad3f43c5382

SHA1
2ca6124f6b6ef50e52bb20577bea7868a1d2d294

SHA256
bd319b39ef0bace0f893d310289c4a6abda05a773f91838a0c337fa24244ebf1

SHA512
28f5b436f82d5d60bee3bcf8ee450a0f122343064de5613a6b1417896070efc6ba6ae34eb2240e5a4074e87a8ba03f7ee82a50a1bf1f391fc790932081195141

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIGWsleMfV.exe

Filesize
6.4MB

MD5
cbd961df9748818153bf0af90ab53502

SHA1
72ccfa595bfeb2a1c532442090dab66fac43e5d7

SHA256
4193aa1acdf2e962d414b50b6ce574c030fb8d82805e3d6b7b81d0241b4ac4a4

SHA512
ef271868c4266f14efe4aa519299cc0b5fe432203b6121160319e04fd32738af732248b8bb79d9b20c13f5c0fdf437e5c539e6cac550c5267d462f6138203025

Download Submit
C:\Users\Admin\Downloads\toolkitfreeloadversion.zip.crdownload

Filesize
22.8MB

MD5
7742490544af2eacb8fdc01c052222ac

SHA1
f0bb905f6bff2ad4c9cd14866808f20ad322ad6f

SHA256
32905d18b7f5e90a81d03e9f4d2a34df31ac1ca37d3f2497928231ac30b539c4

SHA512
760c4820f7b8319456b42e9e568d3c499755655fe2940dcc807aa932a2e30fb55aec49ada3abc6efcc1e59e9e20029b1b70bdb542ec1a3191c8f26745316d293

Download Submit
C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit.rar

Filesize
22.8MB

MD5
3e8328df86c434dc171769f9c5c49267

SHA1
f7ebde78b7863b894e7e17c3ddeb5f3b54d7ea02

SHA256
21d2cc93a6c166e6251941a4f0cdbd369c980ee58d73c1b1a3601f65dfc71e6a

SHA512
7d221789c5e20287dd1be0a1901c847a14689eed0cdd32b6088260360d74b4f4898b5a4833c93928089f75106621b4b69818f4bdebd52f17626c18dc165ca6a0

Download Submit
C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Microsoft Toolkit1.exe

Filesize
14.0MB

MD5
c8d1768749bebcd640ec4f1fcdefa672

SHA1
92ad8c40f7182c510f76c75ecf87629d44c3c868

SHA256
41d03420c1c23458eca45dbcdb8236dd39f0b28e2ac2bfb61f951f31c9a5b279

SHA512
4fb64770a4bf0721e26a382fd7f36196f0b0fe2d2f8e7b106cccc7fa8d6118c1771ff939d8aa702dd654f9c638b5a67c8a7123652806cab58ff538e61c30c253

Download Submit
C:\Users\Admin\Downloads\toolkitfreeloadversion\МicrоsоftTооlkit\Set-up.exe

Filesize
16.8MB

MD5
45e1d56b17e83e5ce6ce461bcdeac188

SHA1
fd236d15f293ba2b75ac99ac6df3bbcb28c0fda2

SHA256
8576fcaf089a934d659ec5c4875ddb136bc7d63292c91a3dce5bda5784038f65

SHA512
e4b45f9d529b877ad2a8d1e6c4c7be39c4d7a97353295d123e9b0ca442207ddbcb0fad124b5bfec5db5e832c739532ff09787b120b60f3a568ccabd03c2c7570

Download Submit
memory/2136-261-0x0000000000510000-0x000000000130A000-memory.dmp

Filesize
14.0MB

Download
memory/2636-267-0x0000000000BE0000-0x0000000001CA8000-memory.dmp

Filesize
16.8MB

Download
memory/4196-287-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/4196-306-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/4456-305-0x0000000000BE0000-0x0000000001CA8000-memory.dmp

Filesize
16.8MB

Download