lokibot | hxxp://196[.]251[.]92[.]64/crypt/Devil[.]exe

Analysis

max time kernel
95s
max time network
96s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-02-2025 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://196.251.92.64/crypt/Devil.exe

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://rottot.shop/Devil/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Downloads MZ/PE file 1 IoCs

flow	pid	Process
2	3172	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
4788	Devil.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Devil.exe
Key opened	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Devil.exe
Key opened	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Devil.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Devil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844092906642580"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeDebugPrivilege	4788	Devil.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 844	4884	chrome.exe	79
PID 4884 wrote to memory of 844	4884	chrome.exe	79
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 964	4884	chrome.exe	80
PID 4884 wrote to memory of 3172	4884	chrome.exe	81
PID 4884 wrote to memory of 3172	4884	chrome.exe	81
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82
PID 4884 wrote to memory of 4612	4884	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Devil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Devil.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://196.251.92.64/crypt/Devil.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fff04eccc40,0x7fff04eccc4c,0x7fff04eccc58
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5092,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5112,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5416,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5432,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5604,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4540,i,17871891111427538210,2273503478071895646,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:1096

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1956

C:\Users\Admin\Downloads\Devil.exe
"C:\Users\Admin\Downloads\Devil.exe"
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\71bc338b-ba82-407a-8d43-c688048e0c8b.tmp

Filesize
8KB

MD5
6ba59f9fae5d690e4a6249d83b59894e

SHA1
2683cf3906fd6f35bfca38d49f82b74243c3c99d

SHA256
68c5e4a1f7fa28a2c19ce8d07e828af62f332ce6495bd6db7da55a96d6d7d26b

SHA512
00b7e1a0bf598b059fb42616e179e0f7ab3b140e5eb19d6f7029fbc329e057329a16be78e3b8015594180966677d4c05bf409de74c99730fc2be16b997f3d433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
104KB

MD5
eb6beba0181a014ac8c0ec040cb1121a

SHA1
52805384c7cd1b73944525c480792a3d0319b116

SHA256
f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4

SHA512
0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
25a9d129d908d1153760ec344978eca0

SHA1
397242bc3ef06045f28a6164b1dfe6cd446ad316

SHA256
43c3185949d6894fefe8c0a05e2ff1893961f8992a7d568bb827118084a48b20

SHA512
e1f0d7b3bf1497f6e144166fa7d32ed75a98faee5e3f48e0dcca023d3b9470d019d936d48770ae4825807e239981294c29a9fc9bc2b2f05674b11b5fda157ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
36987b11a800470706707edb826fb342

SHA1
e1ed36aa4012bd3e371e857d17b1888fb644a9ba

SHA256
d830481e786a2fc8ecdb1331455fb5d84a006560ea557b47923d3d1ad49a5f9e

SHA512
5f62e682d92f2ee7b36ea93b95252f11d050a3a21900a54ac70c7284be9f840ae954a18f5c2b295f2ade389ababc7476573a6d48ec42c8bf2f332971988d20f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
24f933dd165b79507b112ae738ae7faa

SHA1
499984609df256ad30b8a43482f2e8974367779a

SHA256
524b46895d91dcacb1a11fbad6ba594e38094c1fe51c79e57652437189ca355b

SHA512
d0ed5a0e75465472470293e75cadb1f9594c135c154a96ca8aba2df10bbedd729f0a1c9e7ac1e02511d9a9579db7ea5a8a596797d0b69f3c4837e794713dd099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
973743aafd27f5642f9803638d6bb264

SHA1
cdf20a84f65c79156299711b5d596a641c518427

SHA256
3e864f2c81f44b7aabc5bd273fc130acbd6438689c1d80dc4d5ae44c5e69b2d5

SHA512
7882a6a3ada34a848ef99365cc073bd7d370618c5ab8025e5d8ef63a04e6f5b56cb179b6e0d96b53859fdd5fda328d6db6cda87b9d09eed38727bde0ebd2637d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
265fb6d9730a7535b9a624ffe962b84a

SHA1
61e64b5ab0b13e349789cdb52ece05fa6c95aa8b

SHA256
a344ba1d048dfed20e6e0db1395a631e1ffbb056a4b86a7a380cc4a2fb20ed66

SHA512
97b6e92d40501defee15102a706e7a4da2dea100af8de1df01cdce83a35e492f907666e63209da33cf3eaecca9dbb0fecf1793fc96557bc30ad610cca3924f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
afa5569a2b6437de673baac33cda0c93

SHA1
bd4fdd90053dffb5d8834cc3d5a54090474d26ec

SHA256
c97b347ed9fb95afb60cf06e682cefb3ba08a9867aae3bf0120e9b383df76886

SHA512
ee53b8dc56d86b863d7ad4bcf483cc9195919353efebcafd59c0ee41b7771c1f007ed6f11bc49791c886b6d9ecafd808d23193137bedd3237eb79a1647822d56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983685854-559653692-675906587-1000\0f5007522459c86e95ffcc62f32308f1_55896980-5775-474a-9727-e26a5262bb57

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983685854-559653692-675906587-1000\0f5007522459c86e95ffcc62f32308f1_55896980-5775-474a-9727-e26a5262bb57

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/4788-101-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download