hxxps://github[.]com/Netaa33/KRNL-Executor

Resubmissions

06/04/2024, 03:27

240406-dzvt3ahg7t 8

06/04/2024, 03:23

06/04/2024, 02:55

06/04/2024, 02:53

06/04/2024, 02:31

06/04/2024, 02:28

Analysis

max time kernel
320s
max time network
321s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Netaa33/KRNL-Executor

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts.txt	NOTEPAD.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
18	camo.githubusercontent.com
2	camo.githubusercontent.com
17	camo.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568477279010246"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Installer.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1844	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
1736	chrome.exe
1736	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2576	MiniSearchHost.exe
4612	OpenWith.exe
4612	OpenWith.exe
4612	OpenWith.exe
4612	OpenWith.exe
4612	OpenWith.exe
4612	OpenWith.exe
4612	OpenWith.exe
4612	OpenWith.exe
4612	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4972	3444	chrome.exe	77
PID 3444 wrote to memory of 4972	3444	chrome.exe	77
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 1648	3444	chrome.exe	79
PID 3444 wrote to memory of 924	3444	chrome.exe	80
PID 3444 wrote to memory of 924	3444	chrome.exe	80
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81
PID 3444 wrote to memory of 2396	3444	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Netaa33/KRNL-Executor
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff885df9758,0x7ff885df9768,0x7ff885df9778
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:2
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:1
  2⤵
  PID:604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=216 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1824,i,239078902647201306,7708120122232912350,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2700

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\drivers\etc\hosts.txt
1⤵
- Drops file in Drivers directory
- Opens file in notepad (likely ransom note)
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Installer\Installer.bat" "
1⤵
PID:3464
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4176
- C:\Users\Admin\Downloads\Installer\compiler.exe
  compiler.exe config
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Installer\Installer.bat" "
1⤵
PID:3864
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:872
- C:\Users\Admin\Downloads\Installer\compiler.exe
  compiler.exe config
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Installer\Installer.bat" "
1⤵
PID:3216
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:3152
- C:\Users\Admin\Downloads\Installer\compiler.exe
  compiler.exe config
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Installer\Installer.bat" "
1⤵
PID:2292
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:3380
- C:\Users\Admin\Downloads\Installer\compiler.exe
  compiler.exe config
  2⤵
  PID:340

C:\Users\Admin\Downloads\Installer\compiler.exe
"C:\Users\Admin\Downloads\Installer\compiler.exe" C:\Users\Admin\Downloads\Installer\config
1⤵
PID:1968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5fbc21f5f5d960d51a33c6e2f20b6ddb

SHA1
99c55792c5773c6682a7bd8a472f122c38e83960

SHA256
a1e94a9b4450614481b018b9d071682ff68fcdf8c3109975a526e76d7f1da06b

SHA512
1dc523c4c0f817fbcb1d8d5d58ab1e60563f57f3f49d2cbd8ef13c0d6218fbb8f11d667b0f14ec722ec3c9227517f84ee39677756ed75d1828ed28e029617d13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1ee91ea8829a21ab6f06131c34f4b3cf

SHA1
99b04d78c017dac968c826af2ecde1d4b1093343

SHA256
ccf23ddf6f5d279de94c032b69d78b96e8e8ca3edddaf643de1cccdacfbcc266

SHA512
6f856cf2b5bb6bf87ee2479e3021eda7d43fe6ccd97e3e020d61947ace96dba5d0fb163e6c389dda7aa0efdbf5834f351d13925431c5c80b6f6dc794c6301541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aac643ef8660a3dfed79e34ba63a2772

SHA1
a7f456a4b8ff01bc38af5298e985e6f49226807d

SHA256
82673287af7d85668c411a1e0f2c2da97cd5b674eb36856be4d856473c403c87

SHA512
ac70af3ab9e343d743584fc3397e12cf98f824b2c17e709ccb37393964c245215b58d038265ab67210b4947144d997b5aae6c2e501c03d9c2b6e3d1da50de1d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b2c9e7daeb8fc18ed4a0e1a0d9e69c55

SHA1
e75eefe1d42611da4c639a6c636338e5219c07bf

SHA256
50cb5e85817d9176d32c2a8182f497e81c8683d3a6bfa16fb8e5455aac629711

SHA512
c31d245580a48ef33fde027738db15fc07a53e9ab3be27086e22949f048471891c3f8efd02365227746cc82706a8dcd11a9595afe19ef1f192cbfd75e5f15f40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c965cff770bc222a3a63d0ab7c597e54

SHA1
26a30ef250b0e36fe39e8acba6e9a520f1d3145a

SHA256
39c026e44d8c55199e74543a98af1bc33d4f3a0d893ac73f0d7118bb296e5c43

SHA512
b0e2d5ae7418ffff802711727491785edb82316719f7c769e7a91c9460356188d5b763fedc59c8c6cfb7c2854e93cdf5ac0e5996520365f0c770c4c23f4ec42f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a9589fe85c873ab3f8e01922487ff8fb

SHA1
f9d0fd837ab109fbcebf98ec2fff514d1c09931a

SHA256
5be8ed6f0f7268d5915e5c02e5ffff5272084fc852cc6686494e9bf15ba6e808

SHA512
e129f16fd2e21cdac0859017806f20fd6981780659a91e30cc9e555e25554b44b15b65d3b80ba085e5c867d43e1217822f89b51a0b2eca02950f6b8364999e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
78ba899de530c0f02057a8dfb7264301

SHA1
3e62e2edb23c2db57bef9add7cdb404ce170c2b0

SHA256
6279d9e851d28c27badd44ede926ee5e85bbcfb54dd3e7fe466c26139d796c3f

SHA512
6b77ad6a24d7911acd3435fca76b2fbe96a5b317701dd8c9322cd3130af3b73b1c7787c7eea9bd26cfac75349d909999aa401205fce67aa7a63d2138899821a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
167b44bda90dd7cefce36dc8e239d8d4

SHA1
93fa803b24c4e1a3a56952cc50818b385e958282

SHA256
201671a1724363fdfde21a161577432759bee47a3075aefeda280f251858f5c3

SHA512
552e3e43fd9d28194eaa4770ff5d7533506a072f05c931d1c8338a98662c0d0c9b0a102a4c840ea15979b58adc651615fa8683455cf74db580405ae44bd16af1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588122.TMP

Filesize
92KB

MD5
3eff82f26da3625cc9674251533ed78f

SHA1
57244c0cb59bf1258d1712edfa8b9a671c15aebc

SHA256
3a58e3c09e672c74551c5276eca5a705823382c213238ef3b1edc2914d46faf0

SHA512
189812d381ea7d4e6aee17ea130148a60d2cfede0ec76d8a99649f6337bcd7b64cd2d34b0478e60f1e60c3c63cc1815a0c446edbeb82bc50cdd78a3e90b2c943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
eebfb84605e05222e3ad98f4b9f62db2

SHA1
36ddd440df5b2776281ad245a6a57e7a183c09a0

SHA256
4a9b70f7113d5c252937ad9bbfa110031124ffe3643648db3f944111b61bd559

SHA512
90e6f46d36c30783af4032f72beb58eb157849a8197e39945542da8a0c1313cb87e91f18a732f5718ec6a676fcd790458419bcc22c608824416fa6df14bf5ba6

Download Submit
C:\Users\Admin\Downloads\Installer.zip

Filesize
476KB

MD5
9bda27c2159a36fadbbb4b073eb58363

SHA1
e1c38a62e2f7efc3ce4e0a3c81375f8fbfe36826

SHA256
2eb959e06c121bd6ea9e5cc6edb280aca21344837f653660f5c97b46efb97793

SHA512
195ea7bcbc412a2ca57c5bfb1090f7c378deb77625efd7ac590cd0150ee39fa1a85dde264f270e1d9621562ab16db0366a019d5ecc6340b447baafa2844fbfbd

Download Submit
C:\Users\Admin\Downloads\Installer.zip:Zone.Identifier

Filesize
624B

MD5
b93b00f250f418d586f570bbd54b845e

SHA1
9135ce7a2dfef3831fb74f11490ab2a25567264b

SHA256
cfbc5846346becdbd4d6b7cc26c83e7cfce26ae78c8abf796b778ffc72b7955e

SHA512
908a64bd042011d23ce4ce6dfc69f7d33ddabb9623c0e60a350adc585d36b1faece61d391a946f9fb36f85aab0ae6f76a5a3c459fa433d293c01b1e0482b454a

Download Submit
memory/340-1041-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/340-1039-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/340-1038-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1800-662-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1800-659-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1800-661-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1968-1222-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/1968-1225-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/3020-854-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3020-836-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3020-844-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3020-845-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/4180-281-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-295-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-262-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-259-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-267-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-266-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-265-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-264-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-263-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-258-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-256-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-269-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-268-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-270-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-271-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-272-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-273-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-284-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-283-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-282-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-261-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-280-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-279-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-278-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-285-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-277-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-276-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-275-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-274-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-286-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-287-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-288-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-289-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-290-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-296-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-260-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-294-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-297-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-293-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-292-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-291-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-298-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-306-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-305-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-304-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-303-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-302-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-301-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-307-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-300-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-299-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-308-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-422-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4180-420-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4180-424-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4180-435-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4180-257-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-255-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-253-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-254-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-252-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-246-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-247-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-248-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-249-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-1044-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4180-250-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-251-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download
memory/4180-245-0x000000007FB40000-0x000000007FB50000-memory.dmp

Filesize
64KB

Download