kutaki | 976a7fefb48c81afeaf9255f02201d65a353035b9bed7c8667de7df8b44b1421

Analysis

max time kernel
551s
max time network
550s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GETTING UP.zip
Size

2.1MB
MD5

6cac1435c08e380a10e3dae5f9d7655f
SHA1

e88b5d7e076aed33d9f32257335b64694a7e84be
SHA256

976a7fefb48c81afeaf9255f02201d65a353035b9bed7c8667de7df8b44b1421
SHA512

577ae318875e63d85f0e3d7e97337a5c32438754cd1dacf68dbe3df0ae0bacd3b35be31e4a56c99014656a5bc40e67c54efddfb3410190339fe445800f129def
SSDEEP

49152:smOkBN7cOL80efs2t6SbQHd5U0nzbOEkTV+E91RrjKDOnSULhqJmR/IK8RN:s3k3QC85sm9GzbOEu3XqDOnSULAJmR/y

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

GETTING UP.cmdGETTING UP.cmd

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqrdsefk.exe	GETTING UP.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqrdsefk.exe	GETTING UP.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gumbdgfk.exe	GETTING UP.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gumbdgfk.exe	GETTING UP.cmd

Executes dropped EXE 3 IoCs

Processes:

GETTING UP.cmdfqrdsefk.exegumbdgfk.exe

pid	Process
2096	GETTING UP.cmd
4884	fqrdsefk.exe
4300	gumbdgfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4392	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133334384298412754"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
3896	chrome.exe
3896	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exe7zG.exe7zG.exetaskkill.exechrome.exe

description	pid	Process
Token: SeBackupPrivilege	3840	vssvc.exe
Token: SeRestorePrivilege	3840	vssvc.exe
Token: SeAuditPrivilege	3840	vssvc.exe
Token: SeRestorePrivilege	992	7zG.exe
Token: 35	992	7zG.exe
Token: SeSecurityPrivilege	992	7zG.exe
Token: SeSecurityPrivilege	992	7zG.exe
Token: SeRestorePrivilege	2912	7zG.exe
Token: 35	2912	7zG.exe
Token: SeSecurityPrivilege	2912	7zG.exe
Token: SeSecurityPrivilege	2912	7zG.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

7zG.exe7zG.exenotepad.exechrome.exe

pid	Process
992	7zG.exe
2912	7zG.exe
3216	notepad.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exe

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

GETTING UP.cmdfqrdsefk.exeGETTING UP.cmdgumbdgfk.exe

pid	Process
2096	GETTING UP.cmd
2096	GETTING UP.cmd
2096	GETTING UP.cmd
4884	fqrdsefk.exe
4884	fqrdsefk.exe
4884	fqrdsefk.exe
3100	GETTING UP.cmd
3100	GETTING UP.cmd
3100	GETTING UP.cmd
4300	gumbdgfk.exe
4300	gumbdgfk.exe
4300	gumbdgfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GETTING UP.cmdGETTING UP.cmdchrome.exe

description	pid	Process	procid_target
PID 2096 wrote to memory of 5104	2096	GETTING UP.cmd	112
PID 2096 wrote to memory of 5104	2096	GETTING UP.cmd	112
PID 2096 wrote to memory of 5104	2096	GETTING UP.cmd	112
PID 2096 wrote to memory of 4884	2096	GETTING UP.cmd	114
PID 2096 wrote to memory of 4884	2096	GETTING UP.cmd	114
PID 2096 wrote to memory of 4884	2096	GETTING UP.cmd	114
PID 3100 wrote to memory of 5000	3100	GETTING UP.cmd	116
PID 3100 wrote to memory of 5000	3100	GETTING UP.cmd	116
PID 3100 wrote to memory of 5000	3100	GETTING UP.cmd	116
PID 3100 wrote to memory of 4392	3100	GETTING UP.cmd	118
PID 3100 wrote to memory of 4392	3100	GETTING UP.cmd	118
PID 3100 wrote to memory of 4392	3100	GETTING UP.cmd	118
PID 3100 wrote to memory of 4300	3100	GETTING UP.cmd	120
PID 3100 wrote to memory of 4300	3100	GETTING UP.cmd	120
PID 3100 wrote to memory of 4300	3100	GETTING UP.cmd	120
PID 3896 wrote to memory of 4132	3896	chrome.exe	123
PID 3896 wrote to memory of 4132	3896	chrome.exe	123
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 1492	3896	chrome.exe	124
PID 3896 wrote to memory of 4944	3896	chrome.exe	125
PID 3896 wrote to memory of 4944	3896	chrome.exe	125
PID 3896 wrote to memory of 5028	3896	chrome.exe	126
PID 3896 wrote to memory of 5028	3896	chrome.exe	126
PID 3896 wrote to memory of 5028	3896	chrome.exe	126
PID 3896 wrote to memory of 5028	3896	chrome.exe	126
PID 3896 wrote to memory of 5028	3896	chrome.exe	126
PID 3896 wrote to memory of 5028	3896	chrome.exe	126
PID 3896 wrote to memory of 5028	3896	chrome.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\GETTING UP.zip"
1⤵
PID:4156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\GETTING UP\" -ad -an -ai#7zMap7258:78:7zEvent29232
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:992

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\GETTING UP\" -an -ai#7zMap18666:100:7zEvent19311
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2912

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3216

C:\Users\Admin\Desktop\GETTING UP\GETTING UP.cmd
"C:\Users\Admin\Desktop\GETTING UP\GETTING UP.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:5104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqrdsefk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqrdsefk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4884

C:\Users\Admin\AppData\Local\Temp\Temp1_GETTING UP.zip\GETTING UP.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp1_GETTING UP.zip\GETTING UP.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:5000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im fqrdsefk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gumbdgfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gumbdgfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffcb4889758,0x7ffcb4889768,0x7ffcb4889778
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:2
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4616 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5428 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3420 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3368 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1648 --field-trial-handle=1856,i,15847134176009167485,7469602255943101684,131072 /prefetch:8
  2⤵
  PID:2284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
171KB

MD5
7a88e1edbba1ad7bd345eb14f1377a59

SHA1
b299cf2eacc2d17d1f2fbda9391079b6f05fb022

SHA256
3f6aa29738172f431b8e2af2e39cba0c2f91583d7bc23f988c7b7b35975bef2c

SHA512
48870540a5e7aedf4513610e23dad5d37ff48dde92909345771f7235d4526893e65d11915b46191e62dbe6e9bed4626215703fc90932bdebed356568c1557f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
405b3362df64d0a9009bfc8019ec8889

SHA1
a5c8629bbf78fa913ee1393d924cf6230919d9f2

SHA256
b45e615ee5ab35042570cdda4bd1069fff30e647ea9704d2942fa6f8d3a0c1a1

SHA512
cc15bd0682a81985b899e2df64f32bfc6347807dcff3602330b4c9de73848b23579afa8cc9206d4614601b1c078431874e632a4bcf5d86e77dcc2b26f3fd25c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
79377efc5cfc740cd6e49073229e6577

SHA1
dd786f2c737f12d66c3dc6e67f15ada69a4acf39

SHA256
8b6cf893416e5ddd6ac4db139aa08d8148c46eec85278b473d48187c066468de

SHA512
9458c88018cf45205ba9659d271add9a650a7f161cf9a02608597d9bdb54825bf4746f22e109a03af928dbfb9c4e3b31180bb8eb6bf40a4b1c9c193df791e3c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5993ba698fc8cd7ecc82a1e1aeabf38e

SHA1
b6d44039c88a004316abfc46f174d79e9d46b9fe

SHA256
4429ef4492cf65f9512b31b53c1833b692af6ac9c1f6e3e6bb909a62a2524c73

SHA512
a70c36673df1149bfd0eacef63ea8d87498a4b1087c8f971e2fb619d9a3fee2743a87432fe11c893a5356b30736c5d00a8d641d2ae08dce11bf5c9db962cd27c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0fcddccd475a1ccb4c5c36385cf4e028

SHA1
57a0bb6e2f394a3ca7f20528a6daad75cf5b1477

SHA256
38af9c3ab34cf83f7468e255734026f8928946afa2726a7abef50fe794abb8cd

SHA512
543dd2786af8241070084cf6c6210a478092fa5616e8fcc815c6033e492ce416d955df32723c8124b85b8de931ecec3516dec7f70c2df3c96b327ea6b1e847ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
28313f8018f34f66cb4557f483653e87

SHA1
83a874db55f3e75fc70fc8aec7388c906b3544a4

SHA256
223a2872a191fe0667960bb4eca0cdfb43b25657519918068323f4158ec63c66

SHA512
bc1c6d591ebac38998fac859126543c6c131c4de22f20ddc984808cbbf535d275b9afaace2506a5192b5a4e0f7756fdda9ab4e22f66d2fad3487f2fc2de009b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe604f4d.TMP

Filesize
48B

MD5
8e63b54eb4389244af552203bb2f4eca

SHA1
1e058140c4af95f149e758278c564d5a86d7c581

SHA256
a60c45831eaa1940a4fc114d5d84b04e339e0fb5f352110139d2518d6e436243

SHA512
907da0e6370ecf5c5b224824670ff1e992dca0f17b62153fd2df4bcf18a18af517328060e418157f24af1aa8163ebe73f2eb027990fa6c014b618588db00c967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
b036be7b91fb49049fccf5c3735965a7

SHA1
0bd54201697804eb4757c31619dff56791204bfe

SHA256
309ede931953e5577328cf1631c1e6ba390fe32f51be66b21131293bc49028af

SHA512
66da8192c59223ca73234c133ce2f592ee2725df7a62c7eab6ab0e598180779888343d37a433cf7fa2e02528250f85ff80025eb77b7b37cc14c9276a462e8ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
5751c4c7a969e5950d88544f55821aa7

SHA1
d97c51ce713f24081c5cdfc65f7d706d65a05a40

SHA256
9a2434d9ca7283400d22712fa81d7abe5d4cd47724f8a651e5bb868eee0c9846

SHA512
1aff6c9ba09530897e8900860da968b9f95b5ffaa9c5564fe1494e306a70e75592b3597a7f5593bf021a7eea6a8b5f2adc04d37fba20674675a4f9ebe59c01b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
b0549d3ebe5b79f78ad735c9e36d5045

SHA1
52ecd214aab2f77717739f95d90a023eb182d737

SHA256
f4ec670c6e9f417355d98939e98330df4befbb9659af1b8cd6a8f2b46ce1745a

SHA512
dcc84f4a6f6351abdf54b94dc99089b6d11369c7441beb5744b65be763c3adf14cd70d9a76c95dbbb40fbdaa1a69359c2bf20f68fc96982d8f1f6b1a71571281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe6039c1.TMP

Filesize
98KB

MD5
88dbef6587ae0d6f8032ce825ce69e4f

SHA1
68572394ef3e8e64d6a28eb5218c23781ccc4f3f

SHA256
e12bba7c7d371839be76280fe282a326f1beb3a41206d98a44cd1d374b09b830

SHA512
bd063023f8ae3c88f5058be1d315f275f3b9f24c6ab144efa42f1395fbed49219f6df06196ea25b0cc9db73afa68b6bf834ffba9260909888125276cf34aff63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqrdsefk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqrdsefk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqrdsefk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gumbdgfk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gumbdgfk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\Desktop\GETTING UP\GETTING UP.cmd

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\Desktop\GETTING UP\GETTING UP.cmd

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\Desktop\GETTING UP\GETTING UP.zip

Filesize
2.1MB

MD5
ac2be39b165682e3267b5f8473b2685f

SHA1
10743747b414728652583c0c3cfaf66105bda852

SHA256
ee1ee41fc17214dda065a0cee7d6651bd8db9608200f70d02058c47d697c6a7a

SHA512
3eb0c2b897359b0aac02679b123e947fd7c9f95ee25621356f0181385b5b172dfb7b47afb83b1630053dd2b631a90de446b6dcf9ce07fcfe73c47c5ea0e1c126

Download Submit
\??\pipe\crashpad_3896_LZALKOSXEUSAHIUF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit