kutaki | hxxp://trendsaajkal[.]com/wp-includes/images/wuay

General

Target

http://trendsaajkal.com/wp-includes/images/wuay

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

C2

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

ePayment_Credit.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xigoxbfk.exe	ePayment_Credit.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xigoxbfk.exe	ePayment_Credit.bat

Executes dropped EXE 1 IoCs

Processes:

xigoxbfk.exe

pid process

3700 xigoxbfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3700	xigoxbfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133336951492305727"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

420 chrome.exe
420 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

420 chrome.exe
420 chrome.exe
420 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe
Token: SeShutdownPrivilege	420	chrome.exe
Token: SeCreatePagefilePrivilege	420	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe
420	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

ePayment_Credit.batxigoxbfk.exe

pid process

2612 ePayment_Credit.bat
2612 ePayment_Credit.bat
2612 ePayment_Credit.bat
3700 xigoxbfk.exe
3700 xigoxbfk.exe
3700 xigoxbfk.exe

pid	process
2612	ePayment_Credit.bat
2612	ePayment_Credit.bat
2612	ePayment_Credit.bat
3700	xigoxbfk.exe
3700	xigoxbfk.exe
3700	xigoxbfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 420 wrote to memory of 5044	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 5044	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 4772	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 1492	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 1492	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe
PID 420 wrote to memory of 3476	420	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://trendsaajkal.com/wp-includes/images/wuay
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94ea49758,0x7ff94ea49768,0x7ff94ea49778
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:2
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:8
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2712 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:1
2⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2720 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:1
2⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3024 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:1
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5276 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:8
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:8
2⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:8
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1888,i,12620683750200832450,8890422598906705446,131072 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Users\Admin\Downloads\ePayment_Credit\ePayment_Credit.bat
"C:\Users\Admin\Downloads\ePayment_Credit\ePayment_Credit.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:4400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xigoxbfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xigoxbfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\4f9641b5-ac2a-4ec2-857e-708d8d216b37.tmp
Filesize
1KB

MD5
298553a0980133f591085180585b6eba

SHA1
7a1682e0ef5e931282e50930e2942a623a97ddbf

SHA256
86bccf931fe3b782744857c49fc643ce18f4f146874b6cf909a376228adea08e

SHA512
93d588493f5cd07011a7dc83162dc83e78fc7aa782ab940d009c95b54280f66887743c9191dfbc09d76a01b3119b27927303f5bc671a97a5e111cd623cfe8d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
0feaaf7e8531a63051857b502b656239

SHA1
81e2c32b9b8b64b01101a6cd3a28b545f6f4c4aa

SHA256
4dc3704dc00e46613aa84a4de8dd350c214061db141e9700d10879e2cc3dc8ef

SHA512
f791e9d09f66abe2593f908c6a660f3ab8fde5e6d7ccafd3159272bdbdc843379e0c4f63945b0767459dfc7675565481d0d9dc6497a9e7e1a4fc2780a01e84d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
dd396a2d4b53165efd0f1778ba3c9b2b

SHA1
bfd54848525e6149301d2e8fbd8dfdb811b01d55

SHA256
50f26dfcbc15f09daff75f784aff2523e9c87b2905ba784669a3cb568ee40e5b

SHA512
eb72fabfb520358c164c58a4749ba0760042a628836b32d5dca4b103f402f452a6157ea72e2d36852520443ab2122816158b2e1190de1e61f94d5171c63742a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
7eff080185899314f394e88a53f4921e

SHA1
a0488b205cfafc28779e6a026ec7914ca17ca976

SHA256
4820aed94c87bf47969eb1a4328a33d0286162e39f9464a2c3255c88ae9fb037

SHA512
e462739ca54d1622b9d327f5eb984d7240ba714aa6a49f76e22d81569b640632332271f4137062175d6bd937bb5f9103c335c4236d89e5792819e7b11f5ca001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
7b2a66661ecc820415f13efdab89f96d

SHA1
68c449f0ccb9b23c9c91c6fbc3525f16ccdf1db5

SHA256
6ece141279cd2a44be5cac4c10dec044c527d191f5141b5e18e6df1d13716a13

SHA512
ab85ac352a3f8288becc245a82e5a71c462efa8755a8ce7688308aac980728a238ffa61c2848bea19733a606c48b8a3bdd36401b28e7c1c94be09cc8988ffd79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xigoxbfk.exe
Filesize
456KB

MD5
72bf294c8d6149dd8c0f2e21c18633b9

SHA1
f5a684be69f52504380be717a2c8d7b38e132199

SHA256
9ee64b15b7acf67c7f2a5a88971c2665d960876dd17323dc3425d5daf52c3d88

SHA512
581316006cf3f1e2fa10e1ac83c0f39433ae4e93a1945c53b03e14351fd6451648f004008f6bde3dc53f955e873b46efda22a66348870fab63f0da6f337a9350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xigoxbfk.exe
Filesize
456KB

MD5
72bf294c8d6149dd8c0f2e21c18633b9

SHA1
f5a684be69f52504380be717a2c8d7b38e132199

SHA256
9ee64b15b7acf67c7f2a5a88971c2665d960876dd17323dc3425d5daf52c3d88

SHA512
581316006cf3f1e2fa10e1ac83c0f39433ae4e93a1945c53b03e14351fd6451648f004008f6bde3dc53f955e873b46efda22a66348870fab63f0da6f337a9350

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads