kutaki | hxxps://savitriinterior[.]in/drf

Analysis

max time kernel
245s
max time network
248s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-12-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://savitriinterior.in/drf

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki
Kutaki family
kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zsainvfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zsainvfk.exe	TRANSFER COPY.cmd

Executes dropped EXE 1 IoCs

pid	Process
4556	zsainvfk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsainvfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133787914140143874"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TRANSFER COPY.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\TRANSFER COPY (1).zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2952	TRANSFER COPY.cmd
2952	TRANSFER COPY.cmd
2952	TRANSFER COPY.cmd
4556	zsainvfk.exe
4556	zsainvfk.exe
4556	zsainvfk.exe
2736	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 240	236	chrome.exe	77
PID 236 wrote to memory of 240	236	chrome.exe	77
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 4364	236	chrome.exe	78
PID 236 wrote to memory of 908	236	chrome.exe	79
PID 236 wrote to memory of 908	236	chrome.exe	79
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80
PID 236 wrote to memory of 1140	236	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://savitriinterior.in/drf
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d3ffcc40,0x7ff8d3ffcc4c,0x7ff8d3ffcc58
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4044,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=1040,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=736 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5324,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5300,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5364,i,17145625502424082090,11020782678209192872,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3428

C:\Users\Admin\Downloads\TRANSFER COPY\TRANSFER COPY\TRANSFER COPY.cmd
"C:\Users\Admin\Downloads\TRANSFER COPY\TRANSFER COPY\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3460
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zsainvfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zsainvfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4556

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6ba73143798745c6af629b5a44086969

SHA1
52b0f01cdf3c966dac9a07c1f3a12ff25e81e19b

SHA256
2776fb291be570a70a36801719000d98093e5279bd031c47559922d5e39daf20

SHA512
854d1f52e0a1fddb9317d39c9d309e7ceeb12680bf48e43d7cb8aa42dd938662e53810a3582f9eb7dc75ed894137d0d2993c3244a286e857f13b1e7d18f2e1c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
539c2d376f3b58d8eb16bb3667905fda

SHA1
40de96241915f30590e3b92346d6cdb849ae5be6

SHA256
93a01fad60521c4cdd6fee05f38ffaa6361d26f7c6c6e66e429a475ac5e6a24d

SHA512
388d08a6bab900b50360e114d3db4175f5013f625d1669d38e1e771fc1272271fc2a54af8190cbcdc8d19f5d1430dbc5a9fa02266d6621fcaed4de391146dd89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
908b74a1b8022ea32625a1cbc2aee05d

SHA1
ad0483eca44b47543bda106c941528ecdc693100

SHA256
3bd2247d17e0973c6d24f5a3be4dabd57aeb5f38678722e51876d6dfa1ec5007

SHA512
0ff4fc5da024cd058d72c37dbad4e3a16f904a09fe465881b2b3487c38b8a6a17cb0969e8dde21d473863782589dda9b149911f146f8007c55a3017b16b9a6b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c0b6d37267506808ccc6f8f9f2539998

SHA1
bfb919e289c1ceeee7f50fb901bc292aafb2e156

SHA256
a175d42835dc38708e99ef76ca27cc6c70a566e363db350fb83adc36cf1fb6c1

SHA512
22915a6721d87228b9dad7d4410053e8ca79c6cfaee2b1a0cc560a708593794b28617f2839e443f6984bfb3c7f6d81a9031b4f55ae178549940c415e6d441c1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0328a45e4bd27b6afb98779e7cad6eda

SHA1
20ea523843085597ffb4745de7a99da950897845

SHA256
ab7bfcf877dad76383ce22d4283152b1b55ee5c4becc168c08b2408a3782b75b

SHA512
4826e8dbf50e13757b3af66109403bff0f51be8a6ce4630356264439de9b82976727a9097176e93aae0e3b521a1bd3f7490bb520c40ed1f32831d312ebe17d0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6266ecc9f2f40d06b88c9f4f2e9c81d6

SHA1
ae7c7c5ad10e91563291b62c37ead5ec813dd266

SHA256
092ade491d037ad0d794d4122ec59783a5830b9c284e87ae6fe73ed968a1610b

SHA512
42f20ebae59c5136ed0e2852455e241224ae8c223009dbd0557988a2d4d4965cfda672186a9637fa7ad591378a7e986be65bb4d7c9b2330dca4ea4f6c98037e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6001ac0d35912c8a78c462242f8dbffe

SHA1
b0aaaca66d6440db6283e52d52eee60b678e0a48

SHA256
5b827df760127cd3941fa16c9ec3c7329859654fd2917334692cf4e6aff9b121

SHA512
831f689828abeb066b564bb1d75814880308a02f106736641c97a7d44dc4d9bfedd62f18d7aa6da57e5f64faeecedde1b640a712a3ebd51384d059138d6c80a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
de2f89f72fda04b3a1b9ba8c58e2fd15

SHA1
7bf4592a8e66af02be76df0f63e867263d030ef9

SHA256
bce2e1ff26ebc457f05fbe98990020005c4e4ee6c7b8780d7b37d7f56373c40c

SHA512
a8e15d1be5139f4c15c80796d098a55e9e734351141a3ae5f9e9aa7c1a44b826a5357f08ee1c698d23a50f9db2ac138ca886f4670c556b509215a9ad682009ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e2bd8bd6c40b91e7ec164c841f6df233

SHA1
68f76fa7c14fca12eef1eccbe9d5ead45a909021

SHA256
91ab22eb65bd4c6ab834bdfdc9f6112156c64af7a5b0f739d34d8d45ef8c2bdd

SHA512
e4f8ebd666611f0269f2e6dac1214576434b3f3ac7232fbe2f585525b0776e6de66b0b9c1ef0e71c563f94e2fabe1f3641e8e434591366dc1a5458b5afac9634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f45febed29e2c56a7cc5a1e54bbaa97

SHA1
68130ab895b028704a1d0ba2dd14deadc4f38681

SHA256
c7db399a449a63698ef801c44a10f6c86642c76775133c0d06a2e85e396187ce

SHA512
9d4b3d415519ee04c63a7a074cc06fad7773a3dd47a8ed676f7c57396fb098525ecb13612b35f3f296d3e42aee4eed84369f5bc2997b1d3fa883289b92205c61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c656c7fca38246e2a1121ef27379e523

SHA1
259fed4f9d195587a2353b9d97a9ac0e7c269484

SHA256
d023d06fc058fdd2e86208780ddd0041ace98973e528fa1a3ff8174a5d5ff54a

SHA512
279c94d1057d210cd4fc6a54c006d62112ecffc28a1b5cc8947a5fc4954d80707213611e7ed3a3f908117cae39f72699fd616cd90276d5cd07128238bca42fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
180db29b46fa0a340cc486fc0ffc2416

SHA1
1326506ebd9aeae835fc60816a40b117b5742cc9

SHA256
83844454b65af610e27fd80d4dc51004dd7caaba76005d85a3da52c036712938

SHA512
1e4f95f6d856067458f8d4cf17060753b58d4fc92b5e9f48df3bff09f285f6cb465fd0dfeeeb6c26f1dbbcfce34efebc91af9665f81433aeb46280b2e577f24f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3227b958ac882c12c0cdeee17c50e99d

SHA1
77fbe5f1e11f2e5fe8d7c6fcad4d9266615b3129

SHA256
bcac61b56af5edc76835781c87e686e3a15c02bf01c426b142258f18fe42bf2c

SHA512
92fbc74bbc2d2704c686cdf3577721e34dff0e2c65e7e3ada7a681cf56c6cec0fa4ee0bcb90c90dd8ad03b88e20eb8fbd1b67e1f8dbdc8e7214da5460acf8380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d191518e3977eae30664138e1942b5f3

SHA1
a220d4651a315e094f1a36848e6a1f135fa164bf

SHA256
7cf139b6c6597646be2ee6e8790b0cfa71b3a3cae5b50f96ecd9d5ce344ac452

SHA512
0565691e6958e637808b09dadacceb1c177af3b9eb275046068b93350419fbfe2c3081a0c42694a0af92acd52797aebf234e35d5f2dcfe712f4bff42efa5b354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddf93fbb2f2f382bba7002edbff12341

SHA1
f64828292e54039d17a1e79cc0491426162f9cbb

SHA256
7af5074ac97393105ae595e2096ac988a903a2d22aae642f4950d28c7b3c4bd0

SHA512
0b3975bf8dae33b65fa92f216a2c3b7db34eebf103df348ec656d170caaee58991e31979ad47c8da7f508e7ce5a210a92a04056f4607b6b0f7677efe607b0221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0c973b7ae7c3b3546c06109cbdd4dfde

SHA1
082aa090ff2445106c743473c274bf7d54025828

SHA256
b45903f9f1209cbd3a9fe56e6e7942b6259acb665dafea8a5fcc571dfd800559

SHA512
db385a0f274c9532b7952e8b791223a94b51c045ad2ce313ffdfa1cad51938fe7ca4a3b25dbba7ea41b9a5a23609d3caee33a9509da0a8fd50f334039280fb25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0ac847d207a7c3d132bfc7b4ac9c8392

SHA1
14c4bdf85e85e0ace104e9767fb5ee9a60a575f1

SHA256
cddc3f65261bfc6a98694be963fbd13f2ec6fc33ed255487e59e1ceb8dc7471e

SHA512
7b157944360e6906e9a230cad70535c1250fe351fbd56e578bba4586f20727cc017432260b63c1401a3c7a1f6ce933f9906caafda8551f6d79ae2fa945a555f2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d6d3499e5dfe058db4af5745e6885661

SHA1
ef47b148302484d5ab98320962d62565f88fcc18

SHA256
7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

SHA512
ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zsainvfk.exe

Filesize
488KB

MD5
75a89cfe719ef99ddf685ce5c30d9924

SHA1
13940f856c8b4ecf2d45f58fa8bbc53a7c7f40d0

SHA256
f520e5e6be76823ce0b328ee1ce1a268353227dbad9c160f9f18f8e2256ae549

SHA512
d174aa7dd03947ca7bd384fcb98cb96119e1d60736a21a48cf7a16f0b72d213a8b4ce7bfaf81f4a70e45a2041f0bfb51dbeab6b351b389c02e309d0f449fe128

Download Submit
C:\Users\Admin\Downloads\TRANSFER COPY (1).zip:Zone.Identifier

Filesize
67B

MD5
8034f22f80516693e7d0986b2c0b07ce

SHA1
2802ed837fb836a73d4d57164f639dda67780e3e

SHA256
e213f91675c81febff751fece040751549323d42d6319b9e623f34a1e11588b3

SHA512
227705329e398d5898a8ef575767712f5ead16520870b9512ae4b5abae5cf4f06a12003eef65b92c32f97effcc8b345e999831c7e1f8d9254b4e1fe4ba79005c

Download Submit
C:\Users\Admin\Downloads\TRANSFER COPY.zip.crdownload

Filesize
327KB

MD5
af8f427f45502d7aa6b81faa872b8352

SHA1
f945d2fa6a7a01cdfc72fe02cfc1f88137425eb2

SHA256
73663fc736e703f2ff10cae080df6a94a9b3c874b247e35168e10ad2c837ab95

SHA512
f658aaca3113043d79808f1ce1c2442d87f21f0b0239b22a2bc05181998ec084f2ffce0f521c736e7799bfac760254e11bfa4cb0b9b7a1558b6f765528ffadb3

Download Submit
C:\Users\Admin\Downloads\TRANSFER COPY.zip:Zone.Identifier

Filesize
136B

MD5
f360db28edc1acef0fe7874ed413de54

SHA1
38ef7996d97ddc9843b6907e2460e1df4e8cd143

SHA256
b9560ae4e1b5d1802a4ef0d229502b4ed1dca93fa3ed9d6f7a084e1e07e8caf0

SHA512
1ae62fa58c9d91d47a80eaf58bb44fb8e42c49fcdcf16ae71e0d2ad68f47a7d2257ca2c5273c7a9aa5f73d44f5f60c54a1a62a8692a2c2cdbdafac3a0b8a1882

Download Submit