cryptbot | hxxps://mega[.]nz/file/wB5XkCSZ#B76Gq-d2_lVCan0XNuJojVKlZ5YqJ-2g9zoikPwZwhQ

Analysis

max time kernel
78s
max time network
77s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-10-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/wB5XkCSZ#B76Gq-d2_lVCan0XNuJojVKlZ5YqJ-2g9zoikPwZwhQ

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

Processes:

resource	yara_rule
behavioral1/memory/2408-448-0x0000000069CC0000-0x000000006A37B000-memory.dmp	family_cryptbot_v3

Executes dropped EXE 3 IoCs

Processes:

Set-up.exeSet-up.exeSet-up.exe

pid	Process
2408	Set-up.exe
5064	Set-up.exe
2960	Set-up.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Set-up.exeSet-up.exeSet-up.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Set-up.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133741995659009816"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
1580	chrome.exe
1580	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
1580	chrome.exe
1580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE7zG.exe

description	pid	Process
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: 33	4260	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4260	AUDIODG.EXE
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeRestorePrivilege	860	7zG.exe
Token: 35	860	7zG.exe
Token: SeSecurityPrivilege	860	7zG.exe
Token: SeSecurityPrivilege	860	7zG.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	Process
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
860	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid	Process
1732	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 1580 wrote to memory of 4152	1580	chrome.exe	72
PID 1580 wrote to memory of 4152	1580	chrome.exe	72
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 208	1580	chrome.exe	74
PID 1580 wrote to memory of 4380	1580	chrome.exe	75
PID 1580 wrote to memory of 4380	1580	chrome.exe	75
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76
PID 1580 wrote to memory of 5052	1580	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/wB5XkCSZ#B76Gq-d2_lVCan0XNuJojVKlZ5YqJ-2g9zoikPwZwhQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdc6339758,0x7ffdc6339768,0x7ffdc6339778
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:2
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:1
  2⤵
  PID:196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4944 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1852,i,13472938096648175695,1673515768834372888,131072 /prefetch:8
  2⤵
  PID:3268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\" -spe -an -ai#7zMap7418:122:7zEvent16556
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:860

C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Set-up.exe
"C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Pass-Keys.txt
1⤵
PID:312

C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Set-up.exe
"C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5064

C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Set-up.exe
"C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
89b0e528cadb0ea8fe1bef24e8d54550

SHA1
bc8740d7365ec03cf2cb95642853bd961279f4fc

SHA256
1cf07aa4f9ef44b9926d62bcad38f136a0b71a81000f6739525220f6c271e6ae

SHA512
afb95bf9bb56138037b0107a8d7acdb0a751f2726e508af835fb2262ea995cae2e9d3e9636c89f4db6b80d1672b6fb7f30691228e6a514ed3ffbca9d16603a5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
f1c6a5909ef9dd1909de1d8dc6a6575c

SHA1
022ca474d039d58caff7da44a643d86f66c0ccb4

SHA256
e6c0f94e348e6fbb2127208ba2d30362927f5d97877afc9cb79eac891de81b1e

SHA512
5e8d19ba53bb65003b576275ee858f248e03e04e03bee1520a1d6327dcf6f07224d158721b2e39dc0f16e5a5c2a713424643276937d688732ae8476b37ca04c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
769B

MD5
2740260326e9080020d6d48c501b6172

SHA1
6e33180d264a94967d7c8cdd096e717d222b14f9

SHA256
68f58988c6d76111de8fb7dfe86d1053602fa3a5dceab7ada34942f495cf957d

SHA512
99ea3caacbaffadaca877081828efec3149502f878f6dc91c7099538455c936e7b2ea9037705bcf68e712fe92f76a595dba539230505ebe9e71f64026089f7b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
ed13b66812b0de47b69ff037a035dfdb

SHA1
af249e0c2f0c3a43f2beededdc49bae60b2b1943

SHA256
5ebfb3b8c66bf25a390f503c28ffd88aa37b928a225ce07cdddccd1c23e60904

SHA512
379990f482092d902d437df8d4bda82f2b43950a0ec457440ef5875da2b84ecbb62f0b2607701278b57d171545cceeccb732ade57997830907e7bab5d79b3c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b8b1c22f7fd251c4ea1c5711e4e0ee53

SHA1
35686010aa7c1ae09b20d1eaebeaaff74db10c68

SHA256
f9e7cc4232b6c2d96705c27657de7def105943812b0fcad2c6c3b2306bfbb396

SHA512
a004cbe52f18164d5fde8e7519a35d84a9f4578ce92d27662fae4c37f2ca08a4caba224c047977b417054975a2334f883305f02bb6d4ff04d68424c85f8cef54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3e45ed824b888f5c254230c56998b2dc

SHA1
c594bd8198cc8303e7ce45e3fb44b7f897f8c62e

SHA256
f9a497cff48a32f224e9d5a568fa323f6b1c205975b48f1e7b5a818d166764e0

SHA512
5e6011e3f3c4295286236c12bcd45160a04246df1bc951d49298b91f83f5b633977b652f1efd5e908f99e1ea64ecc566d3d553e9b2707ba1cba8dfef10f10f90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1f70e095eb363a361aa12e15f2399c3b

SHA1
f7ced1e6b34a9317804ed13625125637212668c9

SHA256
fb0766274f5179bc93c34ca957b08e09e12504583ef8f6777a255ffbd4eb2d1e

SHA512
689a2b9db11587c084d1c1a288868b71c5c354802731fbbeacecf98892c4b925733bd49037a4e15473835c8eaac5994bcba303ca50524158eeb21c2a858da276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ff0d98051cc97088cd013e15db09ef0e

SHA1
b79bd6d8c38051b077684f084b5b2a05118c8ca3

SHA256
d7cd3faf5aa79a8ec92314887ca7918b46f813bfc3e9417c4b6df35d2262f326

SHA512
714786d0bd84fe98619a81b66ad707775815163d345d94066a8dcd6adaac663d9a7e199ba244613b3b158d8ccfd04328d2a995b29d2c6971432e4e4e862334d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
70ec7fc178e99106e9ed9377120c235b

SHA1
64c6a711f80cd7d9a4cdbbf02e615fb924c92310

SHA256
0e3aa271e47c334e684fa1b0a7acf6d9262c8253364bcc93a935678e8d0171a3

SHA512
67d3d5a975702422d19f518b9d6785a10947008aa2935d471055c7fe7e80cab2e02af661b2051015cbe3a00d36aa91703eb520422dd3c14b0f05a6309fbfdbf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cfd3.TMP

Filesize
48B

MD5
2efd37f9db59957cce65094e228a6799

SHA1
1b6765abe8337feed9b4fd9db2640716078ad137

SHA256
13fedefbcc22b0319ae94cff6aaeb7884cc3fe5c883917df5b4af6479048d311

SHA512
811c8450142ba03563be5297e6b0938e5a60ca4bb4b7e97bdf0a521a3c15d7aba25d742609441365ed5a905dc5f72c478bc9ab8d1202ca6cde31e5aab17c2b7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
802672025071b3409ee30fb4f97b0577

SHA1
564864cdb59bd3185374d76401eb7c685371c497

SHA256
88397033189d11193376333c8a5ade8c51ab9dba9bff95464f2b4b6dbb834eef

SHA512
b6c221e2acb9e7a75ce4316706aa321ed32723d725a63bf610d1dd5b27be316dc9bbadc4405362af954e0cb4abe1b9c3315c4174b8b0c8fb8612281d7b21d7a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
3062ad57b9f3398366addfbb0c980b23

SHA1
4f963c410ed59b967345aef82afe50c9b8aa9b1a

SHA256
00b313eb616580882b419f9f07be4861f813b7d4fd82b5cc341dfa29cca3047e

SHA512
543cf276b1988985452475c9de37a6075ad2ba5c5f15773cd25cec1481ae5198e09bed948c9365381e06bed798d73be5eb559f2794c703352a889c9349a4ad34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e55f.TMP

Filesize
98KB

MD5
c8aa5e87459d0774c521ee28dd834d36

SHA1
3ea717c9c3e70763c13d8a1c93b2dcf9a4d965b7

SHA256
f115d1334e1dea72290c908829dc4fea4e92b6e5b7611db83da623f5af6cca9a

SHA512
02c61e628524819d3377f4d73e56299ce6d5e943f624d2e2de042b59745903e15db2c57ada47acd3aa3f5f3ab685332c59a68ca398edf3cd038e87d783ffa7a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅.rar

Filesize
20.9MB

MD5
93ddd60309d7098355db0ce21de9ece3

SHA1
b1be970de5bea4e5ad36db700a74ffbbc76886d5

SHA256
7213ac4089c99df4e9bcd148e265c9ab1acb8561fb9c8e33430c2c323a58199c

SHA512
0617d89abb70b96aebafa745329cd5a660e8151e40ac7171ed8e69ca1bf6f522bd94684551fa78b8af2074b58f32aa9a566958bc1f1e0c60a8fb2846fe2e8eea

Download Submit
C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Pass-Keys.txt

Filesize
27B

MD5
61564fea1928a8f3bedda31015d879f8

SHA1
bf108e8493d1be76753c1d4322158e544809df40

SHA256
ce202926c8559819009b4a65ac3fed79ff92f880e22c714a188500c47e48d1e4

SHA512
3d14d7e775dc25cee87242784ed04cf2278ae14b52d9b1f718951d5990e7e2fd55b704ac8366d593a2911575208853366d8c9a713dd18f273c385cc4721b35ca

Download Submit
C:\Users\Admin\Downloads\❅LaTesT▲SeTuP❀pAsS🟉oPeN✿9192❅\Set-up.exe

Filesize
7.0MB

MD5
15e5bd1af820c3162f6eb2713f75e9cc

SHA1
03cca06c7312b4d408101196ad4c028bac9974f7

SHA256
179700e684b7764c9a100bc22b758496d806aefee669e417f50bd720f7430c8e

SHA512
a4b4d49f6404041076019fd98682477524420fc7e2ca9ba1ce8f431db07a46370212b68ed89dbbacfb1481847966207de7974f46b4c4db6557c549ac70f17c19

Download Submit
\??\pipe\crashpad_1580_FPOPIJQOYVZBBEKX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2408-466-0x0000000000930000-0x0000000001038000-memory.dmp

Filesize
7.0MB

Download
memory/2408-448-0x0000000069CC0000-0x000000006A37B000-memory.dmp

Filesize
6.7MB

Download
memory/2960-489-0x0000000000930000-0x0000000001038000-memory.dmp

Filesize
7.0MB

Download
memory/5064-478-0x0000000000930000-0x0000000001038000-memory.dmp

Filesize
7.0MB

Download