kutaki | hxxps://alobes[.]za[.]com/js/zimp

Analysis

max time kernel
329s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://alobes.za.com/js/zimp

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe	INVOICE CHALLAN.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe	INVOICE CHALLAN.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe	INVOICE CHALLAN.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe	INVOICE CHALLAN.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe	INVOICE CHALLAN.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe	INVOICE CHALLAN.bat

Executes dropped EXE 3 IoCs

pid	Process
2500	isnnbkfk.exe
1880	isnnbkfk.exe
3204	isnnbkfk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isnnbkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INVOICE CHALLAN.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isnnbkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INVOICE CHALLAN.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INVOICE CHALLAN.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isnnbkfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1980	taskkill.exe
3872	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133729767137015455"	chrome.exe

Modifies registry class 56 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f9e9b8759918db0154a0a4709e18db018e2de267841adb0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4252	INVOICE CHALLAN.bat
4252	INVOICE CHALLAN.bat
4252	INVOICE CHALLAN.bat
2500	isnnbkfk.exe
2500	isnnbkfk.exe
2500	isnnbkfk.exe
3492	INVOICE CHALLAN.bat
3492	INVOICE CHALLAN.bat
3492	INVOICE CHALLAN.bat
1880	isnnbkfk.exe
1880	isnnbkfk.exe
1880	isnnbkfk.exe
4188	INVOICE CHALLAN.bat
4188	INVOICE CHALLAN.bat
4188	INVOICE CHALLAN.bat
3204	isnnbkfk.exe
3204	isnnbkfk.exe
3204	isnnbkfk.exe
1916	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 216	2828	chrome.exe	83
PID 2828 wrote to memory of 216	2828	chrome.exe	83
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 1584	2828	chrome.exe	84
PID 2828 wrote to memory of 2276	2828	chrome.exe	85
PID 2828 wrote to memory of 2276	2828	chrome.exe	85
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86
PID 2828 wrote to memory of 3152	2828	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://alobes.za.com/js/zimp
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa2a4dcc40,0x7ffa2a4dcc4c,0x7ffa2a4dcc58
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3896,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4856,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5408,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3860,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3124,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5876,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5948,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=952,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5568,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5112,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6012,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5996,i,18386637767206407752,13210472988850211381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=728 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1916

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\Temp1_INVOICE CHALLAN.zip\INVOICE CHALLAN.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_INVOICE CHALLAN.zip\INVOICE CHALLAN.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2500

C:\Users\Admin\AppData\Local\Temp\Temp1_INVOICE CHALLAN.zip\INVOICE CHALLAN.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_INVOICE CHALLAN.zip\INVOICE CHALLAN.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im isnnbkfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1880

C:\Users\Admin\AppData\Local\Temp\Temp1_INVOICE CHALLAN.zip\INVOICE CHALLAN.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_INVOICE CHALLAN.zip\INVOICE CHALLAN.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im isnnbkfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
59ff281c055fa7762279fae00d2dc202

SHA1
681cbd3883bbdec5a7f1be12a086d9553a04140d

SHA256
58f35949b20c6e7f996c0339d1627045ad985c5eaf2cc7e09436eaf33c431ebf

SHA512
5f193a216f20a6b6ce2984dee4f6a9cd45ef19454d8fbfc542b2a35d62b603c80638162d69545fe99d1978d5a5e02a05b7f7243a0b25fc952c2b69d9ff691778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
64272f1762ceee23420de72f50a03657

SHA1
803415cc97690c81c0f6562b5831046b197c3b55

SHA256
fcb7dc3e0e35aec1f0a3155f4d3d2e0de977b71bc69b5c4062422ae6133bb08d

SHA512
faaa727bae727d191096426a6c826830074bfa18f227318a5ec0e2df907c4e8fdcf1486feb1fdcdc9bffe7910b6a44cd30ecd32bae29ec6e5d8ad4ddf57802e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
585b9a60e3835ca6dee8fb46faeb1378

SHA1
e1817d6d2326683f7e586b1336f8e114145867b4

SHA256
55021f424095901edc43253347ea2bdc96b010bcc3114f2fc8ba83abd17853f8

SHA512
0966658e2eb2440f52cc4e33e19d4b172b8e7793e1530120d63af4838113ac00b0aaa42b220043ffda2b36055d7815baf47e9f277cb8c358300d96ce3615c5b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
0918638d57e1cabf878c680398a6af50

SHA1
c8c3a68e9306d7e86a0a1974db3959efccbefb09

SHA256
6b5efd8369870d4f3f8c8cd1b5f1dea72fbe93844d5a741b5fab934c5b6e569e

SHA512
aa60b318a2696d68b08ebce37fb12f0f1bcb5373de656b9f451f0764a5a9f7f798e7e7a568142602dc398ae851158a35d12f6b1e2c90f0c0a414dcd86e9e6f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
39ed7b042aca92fb89d9cbf39cae5dc5

SHA1
b0832ff2a3684120facbea6588afeff99e23925e

SHA256
ab56563311fac3cf778e38c3254533474353cfd803f4870d53294d7ae6f3bdf3

SHA512
6ff506bd52b8fa47a6ee8a531a9db025659d3e076a54a4400e2c186d95165aeb9c48a4c24ffc8771e44822516663f5bf23a38bd491719637f5ef013581c2c049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
762b613bdfd09b3c8ba40cadcd4b8125

SHA1
a177433adadd425b55c1049a87e1ba5c4b07058c

SHA256
1770c04676d2034ad9e6c89393c4f91941c2cf9ddad183102ffbf171e1b4c243

SHA512
407a162dbd8f573a37c241ec170f189d20b9b39ba18f745c9bc5c9f41cdebd1ad32760635e4e4361c8ea2ab75814249b60ed7fd93ae8a32b59e7c76bd0b20621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
ebd56575b4312a83d60d6094f2d116e3

SHA1
c98bd24a62ad69c859ac3742f2a26242d7a22083

SHA256
8adca8c66ced31bbb56a7ee8e3f3d720f1a0298d2d1e72c4b4508fee1256861d

SHA512
9a16d0c1d68f7e187e5787af786ebf3c385cf45493a53f693ddc15ea83592e35989d8ad4f7e6c347c2511d09fbb547a1b37ea5c113ca06e7faaf5b0f6cde0801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
4169231e95d9d53f2b1c5cc347e2bf5b

SHA1
f4855f8bae88fda32393b978d7b727215ec711b2

SHA256
7e3eeb555a2c3594aebba9721e3737f2601240450553c13b097ec774b9d9286f

SHA512
82b35b5efe530130b84aa6aa59a116d9bad3dfbe09f1d5ad85913dcb37bba69623153a5215dc57e06ffc6cf5696cb85f4e2ee36742160ab9a2600684872c615a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c5dec15f0cb2cb69fe6feb19f8a5acb8

SHA1
545d4e20d1b5f513bcc8d687cab9de245acceb1a

SHA256
79719828a41786e7a8c780f73050b421465f93e0f833ccd5989723626aac442a

SHA512
49a92a5b9e1ee766ded8e32a77d13c8521657c502ef489b9872dfe5b301df539cd69c70cc0fb76fc25d01fe4710c7db0f22994f893ebe50824247711314dd56a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3dcf4e36cf269bc7d2059a4b57261fcc

SHA1
8cc6a4db70df78ece9445a6a0cebb3e4b4f26bee

SHA256
c845db2f445a1274b969b787e5653e599d515d88e31843eb6b473d6725450bd6

SHA512
68f016824c92c144b00a883a68fc888b7ea1926abb95ae848bbb1a5ac9d446b094d657baae60ff70b30321de6b26a8d30712b9b2ebbe281877691809aa8adc61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5db7b061afb39a25fe57fb1b4ac7f636

SHA1
9f141fe0a127ff5c72b14157df6ff483ca6cabc1

SHA256
5d82814adb24ca64cfe438448b0dc19a2bba385f8f7709155bebd48932d2dad6

SHA512
a0c363d5b04f53a3056d959a15c49b253bbbb7f79d2cda9edf6821e6408956f1a82522cd4de8317b020243be7d2e5c7ddb6ab35d350c512c6f4c91a06858f849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
056a16667e4f3c1c37556fa93993307c

SHA1
729c8248d9f2ec15a91c907f0ed3199b9cd0b2f2

SHA256
7fc1d52fc3c5f116ef96285aee11110bf645996d18c281c2ad8e6072c9a92996

SHA512
e1de440c59b4f507c5ada0750ddb96438da5e1334bfcd223bb6f21d4b520ea254760ec29145f52a95512118eb5817631034a36eeb3f8baac9e31fde8b2817ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cc4b4ad58deb906129e2a890cefb3ceb

SHA1
b5cbbf781310b3f9def3751a95a3cc09cc324cc6

SHA256
fd60b82b6971cf80826c3d22a8398a6fe8a8c80ef53866849c68871658605be6

SHA512
a06dc2650a6b5606b4a5d2a61af620cafd92de22eafdd528362cca7fd0e5e68f5e33577c517cf93ae9462d3295b97da0bcdfbfe77288f40e8d54d975f9a88378

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7e0bd0f571f5c1fc1b1836df9721ec0b

SHA1
4ff74e1efb46c93b86d46f795c9b05f8bbaccc2b

SHA256
892a95b6b3c670d3aad78b4f5fdd196cbd44442c6fa14328fb66033afd29bf3b

SHA512
a8823a877a65628047304a0f32d693968ad676cd25bbaed458a2d4e5c5d58d305fb2c772eafac5618f0fadf9d73c67fd97c349ff1f0db1dc1b4875a036a46b1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
91ee46522855d45887cdef30ab2ce7cf

SHA1
0bdf2125660a722b4f9ec0308b9758850efc0192

SHA256
b06336d0d16d18749bffd0058e500d7bf4d0401aa351214dce2472a31256a3ce

SHA512
feb8f5fdd0f74a66c88098caa70a6dd69044ea25566bf3ca25da65bb8a5674ceff1ff555ea2f32fc255ea0fd7adc8a2469ce3c9282de315270741f001447671c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cebb20bf6057b7445f905c132280d31

SHA1
4e1444260bde5c53b232371e565bd6bce11d2e1a

SHA256
73109a3571564a99ae1b5c50c22b6f5a7938749788b3e6ce8a982a8863d4d68c

SHA512
08e980a5e5edc3595fd5c2d3e3fe39db70c82439461e9ebf71d0025d4577cac962b513f24c463bb0d577a9945da96c13e2c5ac18d0dbe8983903a9ad3d0fe8cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66c3ac57efbb2f4d117e32f75313881b

SHA1
46bc61e51ae019ae5d719998b23f0d77998c3dfd

SHA256
e1a9c96fecbebb3ae159ff39557d8038f343e771ea38400062b4ff920cef2d05

SHA512
c61332098850385c877e44f932f60b286a547826b0e99c430ee34206f610be67e7f652de0c81c90c414d3c24dc6e2210f4347092f46f2266a44821b9495507a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71da62868a9dbb35aa29cf04e98350c0

SHA1
39ea5c32d490035a1769dd41d60f005c621881a0

SHA256
21ccc6e78d178a39ffcd04741dfa49a65068aec7d36cef5e19b6d226c7511c77

SHA512
acc2c73517f31d3bf0656eb97ef2b1a8f9bcee3ce7fa846d622976a414ce6609645aaa51803bae78cc005a62630e655ea78a4257f046d7c7bf4588717b4d177b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90d667cf0b70786cd44cb655e7887bce

SHA1
e94c682953c13491a8b927f8012a6d09922013a4

SHA256
85b967b2351eb9db2fd4ad386fa5f53661c7bb1a3c0656fbe3bfe001eaa48e61

SHA512
fd669d3c2e50f97415426142d6f602bee3e18a6b4aa77f5e4cb66674150b45cab1ae7ee432433de2a57416c331897500d2eef1e3a98c5b74f9ab88028980b77f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8ac56b4608c56bc74bd99d1d19abe80c

SHA1
aff84a4b54e80e9b5aaa0b7f467322cf91d7b712

SHA256
6d8d9353594bd17338d9d547a83e5742f40a53464e29430d3902e7a802c47917

SHA512
4fb9387809c49ac0a0130e7913bacf831ae41be4d08d56b9278a844d5d6d07bfc1bb46711ec8d063a91a0c1970fc8856115adb4af82f0c92965c68355ac1b847

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
603b8f7a6b4165eededab75f1fc458df

SHA1
e8ecee5af61db8ecf9b7db713cc3401fdc8bfd19

SHA256
a6a3c12aaf8f02ed53e692248c1ebec809a215a48658e28d01588025fbb2fe91

SHA512
987e0a17e96fdbb5193601bdd5156a557f4cd310e7685608bc76b6c383d542d1e4921d49c2465e692ad89d966f1a3b8acb6330223384f8017dbfe1c6b5cc32be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7cf1d9518564c05f732bc690ae3dd56e

SHA1
e2be108c04d93adbe7fb0d42be35fdf766321221

SHA256
ce050bd018e06f6a74a5508f7478aed31b94c63cce48478d685e7a9b8e7b5d96

SHA512
7ef6504b27e15201487ae274b596c1c952e40078706413f80631ba3fad6f1239c07df9a4a94b6ddc2648860208fc6d83511219f94b0928ad1256815ced634c54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb1bfcda6e9fd73186c10fe1d3e15f80

SHA1
c4bef3d322b2fc623bb63fa1afb0fd0a7b0a2cee

SHA256
384135fb7e4c225b3b8dd4d619c1165edce090ce41c7d24d22a599c8bf5a3fd5

SHA512
1280c5f3d9ffa753f9fae3b7258a0aab89ec0227e99c1b5a0dafb8dc7d40d43cf0000810a70105ad863434d67bff093903ac57d95a0c8acb5523e8dd67a7ce9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6cfdf7a0f17c6b62369d7052ce28f9f

SHA1
8544e7aa1d5ac4a3a39173411f941ffe367cf07f

SHA256
761554678cbbba36a1e0311a40372b68382f835426e0809da1407229a0f314ac

SHA512
ab6800a24731cecfb7d621f3624130bc2f9bf5c0161a4f327168af9df8f6dd1296dd734156598cf88cb6d5969adcd9b337ed0b98884ef0c10e504cd17d7a6e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3bdced065fdaf2291e661b9b3723d025

SHA1
ca10507e1d968b5fb2aa6b257aa8cb9c0a5f202f

SHA256
0ccfc83fdb242ae2a57f1922fdaa123657bb64a64e540bef8213cd29d411f7b2

SHA512
5972189ba7c49a580ccb05dee6e74507473839de419f541f042e1dac588f4dd644f5799552ec9c002de2c502dcb1b42bc35e370d295f20b68062b5d6287644cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd09fa4f2f5bf0457fc720989ae66916

SHA1
0baf794e09e15c66ea5c58071bb5ab073df75203

SHA256
36c87946345d280cc91de6ba88751fc96113b63c0051f361debe6af55df346ae

SHA512
17c5eb3316b4943c401f2d3a40661548697ef28385d95640150ba7801da45ef4a6227ae76b1b3f1e695ffa7264b9157b16205f18b4f81cffd100c2e361112cb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aa66c5b3f9020210f2ad5a37ac21902c

SHA1
17c3824cb8c59321c81c0e4878c22e25cc27b3d4

SHA256
9072257ec87a4811046032f9e17daa53f898f110d3e94c82b281ee60e5a90271

SHA512
a18844c4c1c992c7739501a16aa0273143dac9627bd15229f4712ad4858e15454450268755b48278be0a2cca72c110d0da6dc2967ebd3e951b5d6f88a3dd6f5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8c9b3d8f2498eb8d5a267c4447429aa4

SHA1
cf087c7a78699f1a8f54ee6f1a4177f922673f4b

SHA256
70e8b5027f7fa5da72d20dc5e460c1ef25d2a130e27234f62014038ce002acc9

SHA512
29fa20a0be48a81d14378b745e2842ffeaf555399ae163767501c4b70e02f3423a3148e6eae48351ea723defcff5fdec3e434d11c8cdbfec909682990a397f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ce305bb670bf08075d829bf0d55b121e

SHA1
2a569d426c4d32d649c0317e5ec034e41a7b26ca

SHA256
ed91b5afe9bd08f8c08203bf88cba91b8904378477b3368e75686f88a2da1df6

SHA512
91da8e72b94c185ffe18f4c0406a3589acac80ecca5893e417f06171bf4ad19af51ba9f59b9f4ebaec678cd0d6219f7ac4ce0984b3009e77bef76c4c3fc42b36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
226def1e902a3bda315149dc767a992a

SHA1
18c2a96bfe1fe43a9312634609a44634cc2e622e

SHA256
a98e46cd1bc51dec150aacc768c155a14a37f9e601c2957bcd0bf20045ea6979

SHA512
6760ed4a2ecd0972d0ed5ea2bcbb9f05a7815b5ed543809dfd676c3d5a4c7e067e145dbc1c7b6a3ea6b88b37030840159b424708c254d65d5f75f69ee6225a8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
06593beccd9af09b710f4d34fd21b838

SHA1
1078dcd475039cdfbf6631d3466f495eba76e36a

SHA256
cc36d1c92e7376129d21d16a9994dae16dd87e30d885bda273d90b6ae337b81a

SHA512
e4be099b38c9299c52574e576d30b1b75a6de7f644610e01c9469e690e1609e6f06c6cdf0d0b44382629dd0c867af53551bee63e5ff22be1e243edb23b538a34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dfc1488104bdaeef7956ca2a7cbbe088

SHA1
79a4689e6f2ff9c98a3c440b7c9d1905ed969d32

SHA256
ce1f1d758f200e2529b79143dc73697286ea3f8fb33a0a3597269c9ac1ddb867

SHA512
bd700ce961ed3f01023832e4d44d364d19539a1229a6e2e3a2b82db448fcb7c4b3e58c6840a45eedb2b1e35b17f31c51ef4947d8c7979b1884210999feaed1af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9d07cfabd0ce1402e5330ae6559c9808

SHA1
41706a1be0cbe3ad4334225daa85e8c91244f231

SHA256
e6802f2fe503b4d8b31c53654740591a3b5093a01f0a0b027040d4dedcc42dbb

SHA512
1bc7e07374598eee0a8d8a65210a30cdc05eadabc0a282b72f0f2a0ef0a0c6e929ec1f49fe39614237b2353d2c450c5dce81a3888f53717afa314e3bfa38a505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
72d1805ae13c2188ae94bdc5b16397ae

SHA1
5863ac5902ec21328d557b5f21aa01b3fe9728a9

SHA256
0caeb907647610ab2c09769dc51a6e90f08355ca27b201b4e5635a0bf598f2e5

SHA512
13cdbcad4650cd7451a4793361f7a1f7053e43820b61507a5405f9bf93b874bf6aaa2857666b4939d7b0a2169adaf046e65098bd650960ba015006a3fb438bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
fb6ff15a8c4b5fdc9511653b81bece58

SHA1
94148f0646bb0d474076c97159bc6ce8b6e0a3e6

SHA256
9fa1bac3dbb31f17eab991b59ee0319b0debbfae06fd5e72f3cc69e9a6e3ae80

SHA512
303f9c3361c3c153ebdf43400e5a8906edfbba6566e05e893b480f97a5ea9fee56bc39cb9d0febd45168d8163c70489e2dfd71f6ac96f045b3b9f4c477fa86e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
ab52370d42f30a105b7409d3d804d848

SHA1
7993e409db08ba7d74aa8769d4bb75a57e835b4f

SHA256
b0dded8cd3d22e86c25131712d41167db277a720c933e1fd8659740a8f5910d7

SHA512
37533d3c928ed4eb69b10e00ab6f63e67351caa7b955227cdd2d3cb9f09e41c9dae99b36dae34eee6912876dbd3da0d053a142c7dd6d5fe69cc3d087d02bc9a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isnnbkfk.exe

Filesize
476KB

MD5
a596e3fdf582b9a121cfa210eb1ddfb8

SHA1
678b43ff0322679327d6cddde8d6064053b38350

SHA256
7f4910a64f45b65a0caf323b77724379210e7731b496c1401df9e82c2d8774e8

SHA512
7a83a0ee38de8abeb5d06e046f2a7449e80096a91d079c0c7cf2e20b2455e3e61402c41b4c16914894b1fc0e7818b9c2c90d132f0261c32f338bb5754da69d1e

Download Submit
C:\Users\Admin\Downloads\INVOICE CHALLAN.zip.crdownload

Filesize
326KB

MD5
93be7bf03b45bac3f03c409fc46b3c0d

SHA1
c4cc1beab10c8dae231799ca655719c30d7eda8e

SHA256
6a83de633529ca3c8c63ffba8498b283433b6e15c61be237fc49c5cd1612745a

SHA512
2eeeb4f2b75570e8e9b0101b4eba599baa80bc4ea856d119aa2d8546c134495a5af9911ff6c262bc820f30485f972fd32625679ce9f6bb94e1575a8b011249bb

Download Submit