cryptbot | hxxps://href[.]li/?hxxps://cdn[.]discordapp[.]com/attachments/1287507042008825951/1288170229238726666/LaTeTSeTuPPASoPeN9192[.]zip?ex=66f43583&is=66f2e403&hm=a49e858b1c90301f6857c02a11a58b91256baaf8b161432e4cca983b959ff880&

Analysis

max time kernel
78s
max time network
80s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-09-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://href.li/?https://cdn.discordapp.com/attachments/1287507042008825951/1288170229238726666/LaTeTSeTuPPASoPeN9192.zip?ex=66f43583&is=66f2e403&hm=a49e858b1c90301f6857c02a11a58b91256baaf8b161432e4cca983b959ff880&

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

twovdf2vt.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Executes dropped EXE 5 IoCs

pid	Process
2760	Set-up.exe
3604	Set-up.exe
3712	Set-up.exe
3164	service123.exe
2812	service123.exe

Loads dropped DLL 2 IoCs

pid	Process
3164	service123.exe
2812	service123.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	href.li
3	href.li

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeRestorePrivilege	1572	7zG.exe
Token: 35	1572	7zG.exe
Token: SeSecurityPrivilege	1572	7zG.exe
Token: SeSecurityPrivilege	1572	7zG.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeRestorePrivilege	4340	7zG.exe
Token: 35	4340	7zG.exe
Token: SeSecurityPrivilege	4340	7zG.exe
Token: SeSecurityPrivilege	4340	7zG.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
1572	7zG.exe
4340	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 3156	4236	chrome.exe	72
PID 4236 wrote to memory of 3156	4236	chrome.exe	72
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 4724	4236	chrome.exe	74
PID 4236 wrote to memory of 3812	4236	chrome.exe	75
PID 4236 wrote to memory of 3812	4236	chrome.exe	75
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76
PID 4236 wrote to memory of 4756	4236	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://href.li/?https://cdn.discordapp.com/attachments/1287507042008825951/1288170229238726666/LaTeTSeTuPPASoPeN9192.zip?ex=66f43583&is=66f2e403&hm=a49e858b1c90301f6857c02a11a58b91256baaf8b161432e4cca983b959ff880&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe3e89758,0x7fffe3e89768,0x7fffe3e89778
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1848,i,8451284134025270423,16438446464991434059,131072 /prefetch:2
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1848,i,8451284134025270423,16438446464991434059,131072 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2000 --field-trial-handle=1848,i,8451284134025270423,16438446464991434059,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1848,i,8451284134025270423,16438446464991434059,131072 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1848,i,8451284134025270423,16438446464991434059,131072 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1848,i,8451284134025270423,16438446464991434059,131072 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1848,i,8451284134025270423,16438446464991434059,131072 /prefetch:8
  2⤵
  PID:3220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\" -spe -an -ai#7zMap25501:104:7zEvent3751
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1572

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\" -an -ai#7zMap25696:232:7zEvent3317
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4340

C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\Set-up.exe
"C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2760
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  "C:\Users\Admin\AppData\Local\Temp\service123.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3164
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4400

C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\Set-up.exe
"C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\Set-up.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\Set-up.exe
"C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\Set-up.exe"
1⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
8b707645d88d41cd7a38069ea1e40433

SHA1
1e66b90ac6ec9867cd4871a9ad1e8512089804b5

SHA256
5731c8713e10eebb89d853578244f12b1fb1a311b299b311a80c2540b3c3f57f

SHA512
7c3c19b599d6b59e6e50352bedeea0896e862d7deb71f2b0c3777ef025ffc6492adf6ebde11c8dc7bd95dc1546fd5c98024537043f26d85e75fa1d01369ad239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
743B

MD5
46f4591559ae02940ac18583d2f7afd8

SHA1
b3b8ca6f4392b51cb123ff9e5060348d85faf647

SHA256
3a3f2158724d005b1e058ab45564d329b977d0a14c42ebe2a1efbefc0f133f46

SHA512
d204129a56795dbe7c8994de1a25b4839ce78435485f1ecd398718cc82f460a4ff8f04a7164aa400e17b5fea2003bba6d3c30dfbfa8ff5fc8cf79684357c1fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
8e848dda7464787973a35e288d710071

SHA1
fb49c44784bef4ba92e182c38cab7959e92515f6

SHA256
f5139aa6e84b0a4a2ae437a4bdcd619588afbe8b2f5729bd7674507608095b7b

SHA512
14dc7c2183ab7364e48e584065d4e5232d1432b92349516528ecd13771149fd39289ba6be4541550212b1a1d61da61fbb7fb811a69fbc0139dc8e8b2e6e9c119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3e9f3aa9973d9fba258768e066a87ebf

SHA1
162c2433454fd20a7165838ea59dabb7555dd990

SHA256
b2f2a333cf53c728a05a86d3c4108438c28ec98fe108d3dd56333f07780cc35b

SHA512
68026df45c26fff31dab700dc0e499ed6e5cb5710cd1fdf3d17a1f92482461c1ee8f9691c4d30072914042a2819e25e6a6bde568a93511d4a89c74bdbd91f8bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
30ad79ca0c806a3e03359e59391140ba

SHA1
0b6c0cfefb34c22b6a00a6588370a0673f27c7ce

SHA256
ee57368dd4135b0aeff69947a817917b3aeda92b0e1382c41c9c7c333777e6c7

SHA512
88a3842dd30b0345d88c2fbfcd629c8e02621b1bf43f96e87ce494a0fabaec1d98a027287850185ae75e6d219d99a2839c798bcc3cd518f3273113c7b4181a2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
271e9876adf7a2015b12cb70fb756bf0

SHA1
1c61a6e0722b8fff1aa37f72b806e6c2c56ce24a

SHA256
3f1fea47888ec28dc8e38daffa89d2a2b4028d4605a7805bfccbe1945819975a

SHA512
353d6f202ffb1e6cc9b29468e063d08420a6c07cd41b9b5e624569fb44151f16236bf72115184b3b8a429597d8084ccd18c1aacb80a3922786e92a7af62ac5d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b5a6cc2cec702ef9f22156b3a758b766

SHA1
f929259a83a472024096dff44f410f2c5145923d

SHA256
c42b12db75a44d7fae1c25b965f0645f6a15206523890aea2577209e7ebe9eb6

SHA512
6aaf533bbc308cd009c6240c251ed45000a07a496a5adb9570f9ca641ab957db520bebf436b7b75d2471b08b180f0a44cc3fde5c637950105fcbec1d883da69a

Download Submit
C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192.zip.crdownload

Filesize
21.7MB

MD5
31e28a3e0f891f389459cec4c3742946

SHA1
c2fedc486cf89bb3a76978bdec62b61051d56222

SHA256
39475f89c4a23b90cc7f881c8b572f00ff8059548ce9c816e95cca35707407e8

SHA512
89c93d051c7a692490fe0829ac1b6b1983a1d626a5b2d29681865e87d6f15848cb38263563ebf03fc1d47582ba7d2caedb697d1a2c5f9fa880a7614e8e521276

Download Submit
C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\Set-up.exe

Filesize
6.3MB

MD5
2b8273e4d4a8977999954246f1bfb394

SHA1
fe71c1fe7224ffe4d4c78d68aa26f2fd02accaa4

SHA256
78d5ade6368d17de8ccf896f4fb0366b2b00a066fc85fc38f3424483331d3472

SHA512
e78086b42d174cfe88d527ea31d244a1bc78d05f44381c221719516c04813dd8fd13569e1cc5eca0c05827a28b79c5c2774a988e25bb831c7ca60cbe901a821e

Download Submit
C:\Users\Admin\Downloads\LaTeTSeTuPPASoPeN9192\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝\⚝(LaTe$T⋯SeTuP⌗PA$S↳oPeN↳9192)⚝.rar

Filesize
21.7MB

MD5
e35c54549e4fb7118aca49634b6d9af9

SHA1
425bc0e1f25a19f2b2e0f89f37f1e00cf90e487c

SHA256
d9c768d91e7a9f61063a2370255560e3b6e10fd782a069c54bf38af98977387e

SHA512
a5f69448ae81b5b51b79a3dcf27d2448be891ee2a229f25b2781963a91ad821fac3a64c0f4d64d28d3b61a04e0ae1e8a2b10be54fddbcfd451416d60619e557a

Download Submit
memory/2760-257-0x0000000000400000-0x0000000001068000-memory.dmp

Filesize
12.4MB

Download
memory/2760-264-0x0000000000400000-0x0000000001068000-memory.dmp

Filesize
12.4MB

Download
memory/2760-275-0x0000000000400000-0x0000000001068000-memory.dmp

Filesize
12.4MB

Download
memory/2812-293-0x00000000013A0000-0x00000000013B1000-memory.dmp

Filesize
68KB

Download
memory/3164-294-0x00000000013A0000-0x00000000013B1000-memory.dmp

Filesize
68KB

Download
memory/3164-295-0x0000000073A40000-0x0000000073B7C000-memory.dmp

Filesize
1.2MB

Download
memory/3604-259-0x0000000000400000-0x0000000001068000-memory.dmp

Filesize
12.4MB

Download
memory/3712-263-0x0000000000400000-0x0000000001068000-memory.dmp

Filesize
12.4MB

Download