kutaki | hxxps://mygamecity[.]in/DOM-04-INV-1616

Analysis

max time kernel
987s
max time network
965s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mygamecity.in/DOM-04-INV-1616

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

DOM-04-INV-1616.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrkpqnfk.exe	DOM-04-INV-1616.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrkpqnfk.exe	DOM-04-INV-1616.bat

Executes dropped EXE 1 IoCs

Processes:

xrkpqnfk.exe

pid process

4516 xrkpqnfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4516	xrkpqnfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133546027309216351"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3192 chrome.exe
3192 chrome.exe
3856 chrome.exe
3856 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3192 chrome.exe
3192 chrome.exe
3192 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

DOM-04-INV-1616.batxrkpqnfk.exe

pid process

400 DOM-04-INV-1616.bat
400 DOM-04-INV-1616.bat
400 DOM-04-INV-1616.bat
4516 xrkpqnfk.exe
4516 xrkpqnfk.exe
4516 xrkpqnfk.exe

pid	process
400	DOM-04-INV-1616.bat
400	DOM-04-INV-1616.bat
400	DOM-04-INV-1616.bat
4516	xrkpqnfk.exe
4516	xrkpqnfk.exe
4516	xrkpqnfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3192 wrote to memory of 1564	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1564	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 1432	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 3648	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 3648	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe
PID 3192 wrote to memory of 972	3192	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mygamecity.in/DOM-04-INV-1616
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc788a9758,0x7ffc788a9768,0x7ffc788a9778
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:2
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4672 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 --field-trial-handle=1620,i,10795753871670141543,14080957224702778499,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1068

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\DOM-04-INV-1616\DOM-04-INV-1616.bat
1⤵
PID:1692

C:\Users\Admin\Downloads\DOM-04-INV-1616\DOM-04-INV-1616.bat
"C:\Users\Admin\Downloads\DOM-04-INV-1616\DOM-04-INV-1616.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3256
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrkpqnfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrkpqnfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4516

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
5bbc005cfc5ae9ca2f2f15d72f14a192

SHA1
76890a418adbee32d4502e2a7cfb833cafceeabc

SHA256
b92c542f1ca341805bb2ffd55f0d03dc673c82df26352b6e77256ef5c0c276c7

SHA512
d251dea7182c6ce8f79f26e8d5f6567149a5ee523c3df83cc8bec9781c22f1951db1ffd05afe142bc7b0bfbb2837ebea9e69022c278208871e6c4fe55bd6c925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4bf8f9defcd6c27d5d4a9c9516c5f380

SHA1
9d9a0901da105d7a57b18070d7b4b24239b2f647

SHA256
f3e811edbc63e3a90456cd332cf5f13653e977766fa2c10b5544b288c0c5b077

SHA512
69a963fdc759f55e4b63f6a1ffd9db24ba8289bbed64f0d0aff8a7e2b013fc87fe84110bc2ae80d295e5feb0f1360633f2613f349ea19b8115e0b093b962924e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6809229fd6db5b63a53ca605d4aa6191

SHA1
6fb44b971912d5e113feefa1e96a52781b2a9a95

SHA256
5a0982530aee5bade5463ac167ea41e225bcb1159358b2909e43c11bc37459ee

SHA512
948b28f02105fcade761a8c84d239ba283efdf3c4b7a78fc6870bfad5665a7d302a72394b0734cb4c04b367ffb6be4f85f0565b9806e786b5b8c017c49c0b806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b9c0f37078345db53afb3501c7118b60

SHA1
84a5137430b91c053e7575cc2e5cf0548438d902

SHA256
478d54cceebfa304ecb8030b61e685dbcce43515b570cb01514bc657ae4d4021

SHA512
3e410ca1964530ccb182f152d23f42a5a29639a14c2701263d4c2bd340f5d8eb683955eeaad36f50fdc309c1031fef2f24bec16da1b8f405c00331d48220ae20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9ceb1cff78bd031d32a79d5c874d32dc

SHA1
e837783809934a7c3ea1dafed58fbc0d3d50ba71

SHA256
bbd5a74e76e57c6140f822aa4b46f3e810aa2465788cce45faf4b69fa542ca73

SHA512
d6d025d89e3ab9f9fe37b1e0565c49dbcaabf950ca4d57c2ec75be935b41bf47ca8a8dff30aac75c3a1574b33b79f4cfed3f46d9c7f186d67850c6500e9c01a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
152e186909c8d857298dffe19de3f89a

SHA1
88a74906e448f3a771a5ca9ac4431cdc3f78d23b

SHA256
9f75b090d15c891eb0750aa71531490da82089b8636ccd21e65583129ea63a6c

SHA512
e38980ce8a53a92d3de47461dbe45b5afee8c57358777ab7e313ebde8523faf7e05bb8f0438c848524e2b88fdd8698abdf4d0f273f045de2700f4aeb47b2ecf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ac2f99d67603a2bff5df03ae4ba4ad1e

SHA1
8277aadb76426c9ca159363b366c6e2340ba216c

SHA256
6f0db5d57310a8720b111c4b2847af4d0bac455376a219c185b7b2a91cd55290

SHA512
02394b4ec6da5838bebb15d899e7a2ebed9c102ae2422b53be4a2b376d404a02228b3b0e437a9925689d18995d00786cb6d5eac2291b6ec9c0d387b23797ec82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e7c8e6bbddcfec9411da345caa45cd53

SHA1
6ac2b92bd58d51d811c6f181e4926cf7a47593b2

SHA256
cf491c1567be34e94d5b993426dfc6e65c4dfc3eca44ff816679d424b7265158

SHA512
4bb281c1b642d104e9abc8c8b3d5a89d81a6b3c3819abaf831436daf9236db137ecf22ba9043eeea5f6a248a128e74cf7136d8f81b6b4fc9f5134b5efa41a6a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
def6d836bce48d4edd277070c4b050b2

SHA1
52427232ecba12701648f551a1089e920e58e64d

SHA256
5e8aef13b29d041247315f5a161caf82d0e1922f06073318793df816e6f5ef21

SHA512
f6699de2d12482cadf20a68a29e90802aafaf0f2f22c8b6bee5e3e732a444f448568cee31a5962d8cfe53b58700c0ff4264b31f69e3d63520754a268229bbe2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
4ef511e3c3ebeb3a1878ca1d54728e8b

SHA1
6d6ef928f162e52218118457febc3ed1a06b65c9

SHA256
979f470be3bb762fca9025614e7530c6d9d3a0b6d0d7d3c5154fedd92ba9b0aa

SHA512
5d5fcc77b6bbca75475bf704bfa9b96d627c093fac3bd47584549ad554160bd64a053bc29b42ae7f67660bdc451b06d3594d9a3f81036251542b69f30dcc223d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581b15.TMP

Filesize
103KB

MD5
dcea4e5cf9029605e5162123ae018fb9

SHA1
6036f07579a74cf0449c5966923ee86f1503c573

SHA256
38366fdc968bacf431968a5eaec5777007b8fd26796a4535ae0df8d33f09fa7a

SHA512
2569c51eae1f096502504e76df2b19666231519f87bd53c0cdccf24d2b0ea41955b4eda4d5ba450ca28cff3dd8a719d70049e3fd9a657a901083012f1fda69cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrkpqnfk.exe

Filesize
2.4MB

MD5
c39e73033267ae166eaa5932507ef95b

SHA1
668cb060f6cdf86175c2b8d56198b5a4b2581d18

SHA256
2cb398ecd2ee5c6760a8fb2c9c70008e86ab077af14e1c417d064dc33e65ac74

SHA512
b3483ea1c12380676cef1a557aa67028155844de94fc49791a81e2a288d26739f4a6f9ad48942e133f452b7e5a296ff267c931a1faef9e73c11c2e9d7b421fca

Download Submit
C:\Users\Admin\Downloads\DOM-04-INV-1616.zip.crdownload

Filesize
2.1MB

MD5
54296ea424208d0015990c41f5bc3398

SHA1
b1788502661b50c7c5eb2c5d2711c8a24e0acbe2

SHA256
2fc48658b482ab74fd5454acde5d29304ea9d36b8c8f55b14f0c943d5f4b06aa

SHA512
89047af3dc7b62fac4f3e729be90bb63aa1296695a6463e133efd45ef67e087b8bb737eb28f92547f77066ee3d66197866a3140f415b6b9cb30ecaee03f45027

Download Submit
\??\pipe\crashpad_3192_VUPZXRIULHWGLNWP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/380-158-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-166-0x000001B5201F0000-0x000001B5201F1000-memory.dmp

Filesize
4KB

Download
memory/380-157-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-155-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-159-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-160-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-161-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-162-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-163-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-164-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-165-0x000001B520200000-0x000001B520201000-memory.dmp

Filesize
4KB

Download
memory/380-156-0x000001B5205E0000-0x000001B5205E1000-memory.dmp

Filesize
4KB

Download
memory/380-168-0x000001B520200000-0x000001B520201000-memory.dmp

Filesize
4KB

Download
memory/380-171-0x000001B5201F0000-0x000001B5201F1000-memory.dmp

Filesize
4KB

Download
memory/380-174-0x000001B5179F0000-0x000001B5179F1000-memory.dmp

Filesize
4KB

Download
memory/380-154-0x000001B5205B0000-0x000001B5205B1000-memory.dmp

Filesize
4KB

Download
memory/380-186-0x000001B520330000-0x000001B520331000-memory.dmp

Filesize
4KB

Download
memory/380-188-0x000001B520340000-0x000001B520341000-memory.dmp

Filesize
4KB

Download
memory/380-189-0x000001B520340000-0x000001B520341000-memory.dmp

Filesize
4KB

Download
memory/380-190-0x000001B520450000-0x000001B520451000-memory.dmp

Filesize
4KB

Download
memory/380-138-0x000001B518040000-0x000001B518050000-memory.dmp

Filesize
64KB

Download
memory/380-122-0x000001B517F40000-0x000001B517F50000-memory.dmp

Filesize
64KB

Download