96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe
Size

3.5MB
MD5

3ab09fd4977881bb3feda3eb77aa90d0
SHA1

c06f8fab819156031f161a7293bffb332b54088c
SHA256

96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039
SHA512

94abc383a6055e4b4cdbcda2159121f6a1ea60bcdb1f9093f888cd5524496d6bbfbab7856a75af69f5a44a1f16f2e99fe135d02e1cb312139a2e5040e2195b46
SSDEEP

98304:3ARDn/dWDrr65Ye8JLjasnBr1VxcJWlg4qDMApqx:3A5/dW25nXaBRVxcJWlbqDDIx

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files (x86)\chrome_installer.log	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766444220051609"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4084	chrome.exe
4084	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe
Token: SeShutdownPrivilege	4084	chrome.exe
Token: SeCreatePagefilePrivilege	4084	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
3124	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 1720	4212	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe	81
PID 4212 wrote to memory of 1720	4212	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe	81
PID 4212 wrote to memory of 1720	4212	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe	81
PID 4212 wrote to memory of 4084	4212	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe	82
PID 4212 wrote to memory of 4084	4212	96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe	82
PID 4084 wrote to memory of 4684	4084	chrome.exe	83
PID 4084 wrote to memory of 4684	4084	chrome.exe	83
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 4520	4084	chrome.exe	84
PID 4084 wrote to memory of 2208	4084	chrome.exe	85
PID 4084 wrote to memory of 2208	4084	chrome.exe	85
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86
PID 4084 wrote to memory of 928	4084	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe
"C:\Users\Admin\AppData\Local\Temp\96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Users\Admin\AppData\Local\Temp\96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe
  C:\Users\Admin\AppData\Local\Temp\96e55f7efe292751461b772b3e484b07dee1ccbc1fc6591c90c4727590df9039.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=128.0.6613.113 --initial-client-data=0x2b4,0x2b8,0x2bc,0x284,0x2c0,0x11ff238,0x11ff244,0x11ff250
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe5c57cc40,0x7ffe5c57cc4c,0x7ffe5c57cc58
    3⤵
    PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:2
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2052 /prefetch:3
    3⤵
    PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
    3⤵
    PID:928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:2260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:4884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3820 /prefetch:1
    3⤵
    PID:4972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
    3⤵
    PID:3964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
    3⤵
    PID:4432
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3960
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff7b92b4698,0x7ff7b92b46a4,0x7ff7b92b46b0
      4⤵
      Drops file in Program Files directory
      PID:3900
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3124
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff7b92b4698,0x7ff7b92b46a4,0x7ff7b92b46b0
        5⤵
        Drops file in Program Files directory
        
        PID:2460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3712,i,11884114228258576120,5371288335064843253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3708 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
268950ab73d1854104eeb4f6d4793128

SHA1
757d3749ea559786c560d5b973561f2f997e50f6

SHA256
c9abc4c8dec9b51d2ec8d156bddce7e9c6d71ba3fa70e9fa0dc3beb20d99a8b1

SHA512
90884d54c91b90d1d9cea23ecea2cf0e3e78f6303c7106b0d1350132025d7b031a3dfef5445fc0ad71094993ed31f4de4c9194c9573b3fe4e1216294b847fa14

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\6802e01c-2ce1-400d-97ab-d204bc4ae345.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
980ebd34ef8cdfa9900dba4fe367d2f7

SHA1
35955645e6324fce99a971a5a80ecae0fc21d971

SHA256
d5384308d29f2f9478f0d1354e9f94053300496f3b7cd2f88f5f8d00dbe1482e

SHA512
470cce060f4dcca34b26c8c3b2d3d4024c12fb4631ed8251e942e7e992149a422f30526b27f9f55c13d5d9581f022d3b18439893c6b0455180ae70c0fb24430a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4b446e11e225d9f2646ad776cb67e93a

SHA1
b2786cca4f74d3f2cada1ca8fb37a90caf24c510

SHA256
abe4eca6754f71883f86d02516fc9c501763199dee1463255625aa4f34b641a2

SHA512
f0ed725cc7df050faae326433c5b268072388958561723ddd3a851a445b4c17d7de358e0f56c3294fd9ed946274131f0e6682af49e92ce1df385f3c185661848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
82ba92f3be60b6a9a3dad8a470fa5fd1

SHA1
245d292c5db35c00aaa847feecbae6631170ef93

SHA256
8bb2f38e48f68ab858e7894b37eca0a84db6116ea1f7a7b7fd5d93b1539c9608

SHA512
c5f25eb2fa24d7da0f0848ce7d06106a1058a02d5ef0b0e21890ddd1c9243e86e0634022a039d17613a7887481bdc0d32de4230fe35f0666ba16714a1bc9b81e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d01ab9033421840c6a6239400b0746de

SHA1
cd73eb5628db8be29142826520211ca7195b5a7a

SHA256
7ae63159d4cdece41322fbb4d381060622d97d7d0dea1cdd1f59c89968f8f66e

SHA512
9575998a1962707ed44f7b5cf387f5c74241038d1a872b2925e1a35a3273f9d9c0990939723f7b1e182ccb30fd29fb7206a7b6e7d878856280925d23cb6c952f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a18eef71bb03223b8f0914cea0a0114b

SHA1
c9c576075feb7ef37fdeb82045d15924e32c0a12

SHA256
cb885b6bbf8749aefc840bc53370a44addd95964b34f80c706fb09ef3f038464

SHA512
77c3f0a955990f4e3d11863fd2fecc253719aac6f67089651057a1576bc26b0d7dd5e8ad9cb3a4ab1ce37b956f8d7b77202738079ccf95013b27aedd24ae5e91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8a5de7eacfd8e69371ce5ec732ac57ab

SHA1
4dd24b2c09b262c187526cb988e9de4795cf55f4

SHA256
e026e25bbce3a2b576ceb0accd6a8753b4aa2eb686a56592638b8e1457ca08ed

SHA512
e442c47693c82b4416740fb69159a359e3d11d224461a5f42bb0cc94f4db787acb5a86245cbd5e76794214031c6464e0dc8c0948100997e1f38d3047ce7780e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cea945c114f4e275a62b8a002d16c902

SHA1
216166b5b00ca99d4a8f89bba1d862bcaf9ccaf8

SHA256
e40312b93f887fcdc6e8b831837bf0877def025197885be524665428abb8f29d

SHA512
8f5bf88fb4dae6c144f43594cf4cc8aa20fce784006795084e177fce891739346b5b976585ed60e8b066cf9e247571d0d23282eba48758bdc31ba62525bfd730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d9401b575074cf4472ab349348b624bb

SHA1
f610766b7bff74f034767ca1af5ecd1a7ca1d4bc

SHA256
25af2fb16aa4075f01f92e7af063d0b9aec5d13522c6b56687101074d50fafab

SHA512
9a49e4293f20b3fa0a3307c7df8a14e15fafb8a7a08484f234b3bed82aca42fdde81566829ed39b41308c63f5761cfcf97f1d647ae7ef88ec9b55c0fbc65bede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bc8c713826b9001f7eb4774322e5fbcd

SHA1
1afab58318634d66fefbf5a26248fa3eaca61baf

SHA256
d35b841a587e94eb92b0d59a0ed5d7764238afd5d6be95b88e3ab2f1722a9207

SHA512
9462bfa9ee2bb22f73864243fc589dedfd3165980f838ca99213d5ef4db74b43a192d26db467317de2c98c3e2de0f63fc08f28f9f896d4072c286c134f741fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5b940f.TMP

Filesize
1KB

MD5
0d4b3eeb6b4343ffcc5a9aa997f52bf4

SHA1
28c9da82e5539ed572b6fec079b554fa8aec4ea1

SHA256
6fdef3a9e405c12f661f27b154905fba6a07360e4637f2a26766121eea57461b

SHA512
1067628201faab52f28d364cf83650f2368d9921c4459a8d388a863a15e15e850a9a61ec0d36158b9f4d590ce93bf8619a6ba2dda94786f6d6527fa824775aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b0edace9a4aa9a52d50a95ef46d51de4

SHA1
99845e10fcefe25ba1c623cd28d3084f27ea5bd0

SHA256
cb8e88b0860b215370a6a6bcbe3e522715b582aec1866e33b392f9fa090f784a

SHA512
76ca5fe7daf3b9f236a7ce312184f9c8d0a8465b5ca2ac8822968e593958f82d0777b8706e8537faf1f98655a30ff163d1cf14413d96655bf7db2dcdbe06a430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
9fde47ff19ec08c716a955eb723d9d0e

SHA1
73527b03ddb1b2eab8bed7573399977dead9fd05

SHA256
e721e143a3662c32ffadbf6b246b78bd5abb212fde9af155ae4016e225d214e3

SHA512
10668bf565969b83187ca9e89ff3be38a405104fbeec2deb8178cb9487bb6aa4021403edfd667fc3fca68bb95817c6ee9e66b562c7ad7a1fbfcba8753a5c8e29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
7fc0279edba861f8f430a4b2c55ad503

SHA1
c62fb04e10d9e636f114f3c2ae9b0122d71f307a

SHA256
52fa009758ad1db61fa56a9b58d693644c70cb1fcd732fa8d944f5b1ce962142

SHA512
b2560304a5a7e80f6b746bcecdfcf754d9581129f16170a0f4c9bc6fe4e83d828dc6f30e51f5d9f9d2c9fd08a12e8bd9f61a8aed39976b1b64f7335411ca5c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
cf8263f3ed2de1ad7881211e5d8a1f3d

SHA1
2567984d9a98befbf35be6c5411d7a937a82b7cc

SHA256
9610bf87e5a3409a9c4916fe577805143f78a360fb35d672bb9b7edc7038b915

SHA512
552b7dd99d5130edfaf36cbe63e240a70a4f83d9ef51ca54d27feab4a378d51b0cb278068cd1432bb865975acddfaf723a0d0fabac8457972c9e6e940e108c34

Download Submit