stealc | 8a273e60e8679da5ff71c0b68d94ea5a167e584006b0b7e1762751a509e5038c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f98f79bc4395c652a8bdc88d8a72f9.exe
Size

5.7MB
MD5

26f98f79bc4395c652a8bdc88d8a72f9
SHA1

a7432b7e962695aa691165f1128843546d6db8b1
SHA256

8a273e60e8679da5ff71c0b68d94ea5a167e584006b0b7e1762751a509e5038c
SHA512

1f567eec2d775f46fb3c25fcb20636392aeccb7ff3ada9491aa90ec0f62d3dde7a84cc6da8ce03b09b095f1ccab6d83bfed0a89b114c6b5840f309a946b809ec
SSDEEP

98304:QrOAQctmvYfl6XQQHEqO6T6ZfrlnVxC7J8s6rCaezlJSBcEjSM:uQctmY6H/OnxcJQm3SBk

Score

10^/10

stealc logsdiller credential_access discovery spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

LogsDiller

http://185.219.81.135

Attributes

url_path
/7ea00b0801a6fd7e.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2888	chrome.exe
1864	chrome.exe
1908	chrome.exe
2760	chrome.exe
2392	chrome.exe
2388	chrome.exe
3008	chrome.exe
1620	chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26f98f79bc4395c652a8bdc88d8a72f9.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	26f98f79bc4395c652a8bdc88d8a72f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	26f98f79bc4395c652a8bdc88d8a72f9.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe
2760	chrome.exe
2760	chrome.exe
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe
1620	chrome.exe
1620	chrome.exe
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe
2520	26f98f79bc4395c652a8bdc88d8a72f9.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2760	chrome.exe
1620	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2760	2520	26f98f79bc4395c652a8bdc88d8a72f9.exe	30
PID 2520 wrote to memory of 2760	2520	26f98f79bc4395c652a8bdc88d8a72f9.exe	30
PID 2520 wrote to memory of 2760	2520	26f98f79bc4395c652a8bdc88d8a72f9.exe	30
PID 2520 wrote to memory of 2760	2520	26f98f79bc4395c652a8bdc88d8a72f9.exe	30
PID 2760 wrote to memory of 2228	2760	chrome.exe	31
PID 2760 wrote to memory of 2228	2760	chrome.exe	31
PID 2760 wrote to memory of 2228	2760	chrome.exe	31
PID 2760 wrote to memory of 2856	2760	chrome.exe	32
PID 2760 wrote to memory of 2856	2760	chrome.exe	32
PID 2760 wrote to memory of 2856	2760	chrome.exe	32
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 632	2760	chrome.exe	34
PID 2760 wrote to memory of 572	2760	chrome.exe	35
PID 2760 wrote to memory of 572	2760	chrome.exe	35
PID 2760 wrote to memory of 572	2760	chrome.exe	35
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36
PID 2760 wrote to memory of 2676	2760	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\26f98f79bc4395c652a8bdc88d8a72f9.exe
"C:\Users\Admin\AppData\Local\Temp\26f98f79bc4395c652a8bdc88d8a72f9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef72c9758,0x7fef72c9768,0x7fef72c9778
    3⤵
    PID:2228
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1396,i,11600671037959636010,14660831268987885446,131072 /prefetch:2
    3⤵
    PID:632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1396,i,11600671037959636010,14660831268987885446,131072 /prefetch:8
    3⤵
    PID:572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1396,i,11600671037959636010,14660831268987885446,131072 /prefetch:8
    3⤵
    PID:2676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2200 --field-trial-handle=1396,i,11600671037959636010,14660831268987885446,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2508 --field-trial-handle=1396,i,11600671037959636010,14660831268987885446,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2536 --field-trial-handle=1396,i,11600671037959636010,14660831268987885446,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=988 --field-trial-handle=1396,i,11600671037959636010,14660831268987885446,131072 /prefetch:2
    3⤵
    PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6829758,0x7fef6829768,0x7fef6829778
    3⤵
    PID:2356
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:2
    3⤵
    PID:2840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:8
    3⤵
    PID:1424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2548 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1212 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1344 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:2
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 --field-trial-handle=1224,i,4474124245837142754,2311763335144655235,131072 /prefetch:8
    3⤵
    PID:1480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4a665889f3436960b716c066cc9f7818

SHA1
3ba9ad9a24de57891e3a837bbfd74e16327f290b

SHA256
682fec0092076f4b284dca80067793252e2217bdf47b47a690bdb46d1a2f0483

SHA512
ad3a3a6df89587c6d4bf504bbb60602e20639875fa97b257b808306ba9de3903453ce62eddf94619e781f2aff0c0ce8cadf399a4de0863fe74794a2788d13f72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
6808c8b90b2cd35a782d023c6be1e287

SHA1
7c655a0479587e3ec94007bcc6a864c8be48c672

SHA256
9b9e2700fbc2f788cb03d51d297b09d86eb258502c65280b4d7443930f2558ee

SHA512
d2835990b222bea72b7577fcb980ee98b39051ee06a3f0fc852532bb48d8374edda3d4632181c9de8d9666e38345c0b46d42450f2402bf5e8fd3a5907c56e832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\LOG

Filesize
192B

MD5
f6328632aa33740f53397ae93a4c7350

SHA1
3276fda1e1d01ad09f69d81401e855a54e204a62

SHA256
08199df9d780286c7a444851676eca15452a60e50196bb360825d5cb7594bcf4

SHA512
807790aafb926b5a0964c04adefc7aa4015a83c30ed273cabdadfd90c428f27a323dcaac19450ad2410a1e277d3a37db70e784c637c1dfabf21b66b0d97653d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Favicons

Filesize
20KB

MD5
3eea0768ded221c9a6a17752a09c969b

SHA1
d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

SHA256
6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

SHA512
fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\LOG

Filesize
204B

MD5
eb04c8e69d55d961a6445667f6b1223e

SHA1
0dc4805a552a718aa5c0d568d4d875adc463cb27

SHA256
94698bed45bab70c1b244b63f8816bbc49b43ae50e7e2a2468e7ecf65feb415d

SHA512
c50705741f52459a1d1a0f9169b3f0a8a4210fad0978b208a2a26405695671f71fd984318534b2cce83af8136d105b3833741ba6a891874e302c283536740476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\LOG

Filesize
192B

MD5
4d913e8ffcf58b66bb7970745813ef2b

SHA1
f86201b30c6819eac6e41c437d5d935a31669571

SHA256
189c46d6df704d2bd9ed87f35d961cca2723d7798b5afc0fbc0855e87d16d913

SHA512
8c64625b05f09ba7a4bd49afccb7aac997f71c5856c57fa4a78d46508df7e11468b016ef8bdbde989c85d15bee2005247537d93520b2cef24c09892cc508d273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Visited Links

Filesize
128KB

MD5
8339fc488dd21030f6c14906b64d4433

SHA1
4969963507cf6ef6054303d249f52570d16a2cf1

SHA256
302bd81b53c590e109d416a5fbe057cb37c37782acbc55c14406560149f4f2b5

SHA512
3ac309bebb554d74c9c39e94bf09418d650869d39a2c4521245ce1fea359654dbc9596c4556c14cd847238095b9ddb9034e35b9bb2f9715e299f3801bfb7511c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data

Filesize
92KB

MD5
964927b5a7f06fc9b11448ef20bd1339

SHA1
7db022c425a6dd66c475a95710772316716b0f19

SHA256
c510e63ea8e203655c381d4a2d5450eef794f4869fb1e6649acacfc01bc24a5d

SHA512
c091bdb0846551ca3cda7bcf86ce85f35b152d1763ffa1ab5a9567609e3b985430c9f147b05900d96ac070b2c04b8fdac099f5d50b6a29ce09fc831ac7093c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Affiliation Database

Filesize
32KB

MD5
69e3a8ecda716584cbd765e6a3ab429e

SHA1
f0897f3fa98f6e4863b84f007092ab843a645803

SHA256
e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

SHA512
bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7f8750aae0acf473f0d34f17f58041aa

SHA1
ef2e975c6f4708916874e8e4c095cc8ffa076804

SHA256
295a551b63c859699992f6aadafacd110eb74c368e6dc3df7d8cc82af6444ca4

SHA512
e9c91585e4ac887354518089bc716cdf6c6e7291b77bf83a0670563a1fd0c42fe6bdc3dd60c80db129ddb5db274d9951bba3c3c35459b10c26705353293429bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
fb7bfaaf714debab44794d5cb6f770b8

SHA1
1ff1eee99bb220a658bfdfd70ae62a3afacf245c

SHA256
08d69194de38676cbc30087e749312c6eab2b57220830526ab74ee3f642167ea

SHA512
35a4a4cd0edd575e9d126bddccf7dd22803f231f4337622219c5bb55da3b28558a6c5b705dc71edafe425f2e584afe4b3d5ecf8eb726496e9ddff08922628d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000003.log

Filesize
76B

MD5
cc4a8cff19abf3dd35d63cff1503aa5f

SHA1
52af41b0d9c78afcc8e308db846c2b52a636be38

SHA256
cc5dacf370f324b77b50dddf5d995fd3c7b7a587cb2f55ac9f24c929d0cd531a

SHA512
0e9559cda992aa2174a7465745884f73b96755008384d21a0685941acf099c89c8203b13551de72a87b8e23cdaae3fa513bc700b38e1bf3b9026955d97920320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\LOG

Filesize
193B

MD5
7bbb521884d8dae80c61ed98d0be3b91

SHA1
cffaf3df03414497cf4f6cad89ffc334dfab5c3b

SHA256
c804d9005af64052b6a0af61f73a3a164afe8f0e0277596a1b780035466e97c6

SHA512
0a14f2ad0cd4e9b4c1afa4fab3bac87e96953fcb793b6136ec0d72c7a5215dcde46d58d3900c89cd9ba5a9f03daa7a4e1d546d416312cdd595812cd31ccb0764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Login Data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\LOG

Filesize
205B

MD5
f3359e49d1d5b396eb61be26d7492b79

SHA1
0ba8e6e7c1adde95fb33eee5fbb6aed632eed1c1

SHA256
50b86f249fab921bb40bab04b936b5f96b9e1c3474a3b263c5c9fcff553e7c6d

SHA512
1fda49025eaf8bfe971c494db23ffb4c629eb3c2f9819b5924da1d249b21726efeec86ef047d89a9fae222e68e9142f2505f91390eb398d9403202f9c92d02ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\CURRENT~RFf767e54.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\LOG

Filesize
193B

MD5
13d903b4cf572aa83569c52ccd9827df

SHA1
f8b1fede1cecc133db3bbadd39b331d548181cb8

SHA256
ea1c294ab2e62b433b2353edc9002d4c12d3edb05318adb991545181dbe7e708

SHA512
22b1328a02bd4a0da34b3e4d7c2693043c8034d94d547150f215148ac326b22b426b853ed3652cbad4f19106bfac89900f120747529ad045bc209f715ac8877c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links

Filesize
128KB

MD5
fd60ff0b8a8a3ad8f994ce687e26cc37

SHA1
b3aa4b014b568fc8e3c098b588030d994d4dc6de

SHA256
e924303cafd0793157a62818d5ca4de53a98bc745357d136abd1cb04c5340fba

SHA512
3b06861b53ca31dda87f7ccb8258fa03edca6048353a031770ef9df624a3d3749e4b5bfcb70bdbcac618d7c0ea6936f74500626eea4d1081734e4dfeef2fbb18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000003.log

Filesize
126B

MD5
75fd43d5022bdd2d2627d6944561b2f6

SHA1
a23b313546c837e097f8900b207b9aebcf67acee

SHA256
3363fa9a21dc4db7dc25aa12fa1e9f4c42cf3d07a21814dc37e2a587462564a4

SHA512
624e947801c3c24ea5eac7b6c193dbffe2774b0c090ab37c9862ec9a8e366aca0c00dcf5ef63c77de40eb5d2af248a24e0f70a8395ba9671c33023a88fcc8a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\LOG

Filesize
200B

MD5
640bfe5427874a47da5b5e2215de7eef

SHA1
877678454e01156c8b0b09b878754fc6feb7cbb6

SHA256
2c44089226ee617559317c883129cdb5fa40941833cebd8be23196684b54547e

SHA512
b5605d8b89238acfc163e5a044b638c388fd5c2cd359ca498584325d3a4dd836d36a8ad9eb19ee2551e9c0065d8a85452f1942f941028314fe68618f759d163d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/2520-1-0x0000000001020000-0x0000000001AEF000-memory.dmp

Filesize
10.8MB

Download
memory/2520-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download