Analysis
-
max time kernel
560s -
max time network
507s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
04-05-2023 09:54
General
-
Target
328f16252f457172a193cceac3a0ecb2.pdf
-
Size
192KB
-
MD5
328f16252f457172a193cceac3a0ecb2
-
SHA1
7f87d89ab783c5580d87248cfac439f6ab58c761
-
SHA256
59147dcffece72594ab38c68b150129ea747158a87caa607cb35bb20fa036d8d
-
SHA512
b070812e2e263a20ffb9d1834028f1a4e65a15ce97b3be468887c218727add0b4c71aac60f52eb923a4f9ddd493d59aed7efc5d0874cecc9ceea5e973af746a9
-
SSDEEP
3072:iyCbu89grDkgK8ShiDSshfSfoY4tOuMcFSzrmUjpD2BpNkiTv2IBq1QjAbtaZ:iy0UUrgDSshk4X2jFDUpnTzA9EZ
Malware Config
Extracted
kutaki
http://treysbeatend.com/laptop/squared.php
http://terebinnahicc.club/sec/kool.txt
Signatures
-
Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\328f16252f457172a193cceac3a0ecb2.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E2D8BC7DA3BDB576E79803870CA6724 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0E292B95147501CCBD4E6977BD7B93A7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0E292B95147501CCBD4E6977BD7B93A7 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:13⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C44CB8B3556ECC82F84A9BE3EEBCA479 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BDE5FA87455F61DF93DC71C48A3AA1C9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BDE5FA87455F61DF93DC71C48A3AA1C9 --renderer-client-id=5 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:13⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A175204030EDA166E587D50F5353BF75 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B63096A07A3922FD731DCD6E8AFCB245 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://technorepair.in/ITR/ITR.html2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc08ee46f8,0x7ffc08ee4708,0x7ffc08ee47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7552e5460,0x7ff7552e5470,0x7ff7552e54804⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5380 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1492,8024266613247297763,4672953713784129981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CLAIM FORM A\CLAIM FORM - PART A\" -spe -an -ai#7zMap31828:126:7zEvent278731⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\CLAIM FORM A\CLAIM FORM - PART A\CLAIM FORM - PART A.bat"C:\Users\Admin\Downloads\CLAIM FORM A\CLAIM FORM - PART A\CLAIM FORM - PART A.bat"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anisvkfk.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anisvkfk.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD5ea3563c4ef330fa60919c525fafd0bdd
SHA1f75562309f6868f525b3f46cb7ffbc2397f4dc6d
SHA256c814ba89a4df0c88df2f93dc0517934ef3659d3f73e9edd2f91365a4cde92ac1
SHA512eeddb12313f64fb24fd5511292fb4f5d1498f4d6a69e82c08a2785e9bce61faf5277431ce27ae858b84a0b567b1de23c485c6e826107425d7b4f1dfb620afbee
-
Filesize
152B
MD55a10efe23009825eadc90c37a38d9401
SHA1fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0
SHA25605e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5
SHA51289416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7
-
Filesize
152B
MD5c1a3c45dc07f766430f7feaa3000fb18
SHA1698a0485bcf0ab2a9283d4ebd31ade980b0661d1
SHA256adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48
SHA5129fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
2KB
MD51c022c8ad92d0d56e4407eacaebf9aa9
SHA112803221f772e3ed17a9fc4e85e55b6dfd451b23
SHA256f45331d7102b6d0ca3085c0c0fc4217a6ad012ff96dddd9e806f84243f7c17c4
SHA5125b54bca993962d15008443493db7331f88db05f0284382e461a911b2dd6b94032868e1e55b7bbe9b345cefd0878789d8eb06f27de8f50bf38cd743a4f02d905a
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
404B
MD538126630c0edc4f8d3fe5dc371f27891
SHA1d42606a3933ccbe68d2ac7ec924fbf705fc9baa6
SHA2560cdd5ed501ed09a810c6324561ddbe2f6c1de9acb068c44f552e12c09131dd64
SHA51209ac20407e782fd2372dd127d0388359ade7550cc414a3388185fff0f93580f179147081142d66ab21c867a02ea64361dd06a112c7c88014d77f656109dc13cd
-
Filesize
4KB
MD5b81c8aa567c167ef93971e66cfb10f21
SHA1f6c76f4c08e721a693eca35364872249f484d030
SHA256ca5009b5820baec8d4089ebd70fb8472a38ff24f0f2e6a9ebf1cbb081d351c86
SHA51211263557d4c9fe79ce3d18a459de6686781fa5044053ce90bd4476340bdd9a3dfd29c17ed341f0f3b117a35b3723cc8af52cc8d0372e5315a1f49f0c5308ae1e
-
Filesize
5KB
MD533aa0bfa9d6bcfc9967a065417c9490f
SHA18d7ab22f805d2e9e3dfd5562b40cfd91548889ef
SHA2568ddd1c77c9cf706ed2985b2ffd90d2ca80e903bb2cfe5d4ce9d088f33b955988
SHA5122de6f9eb799cd0ad23b6827dc949049c7e050bc63997c0f636e6af04864884dd7fcf44e1df5d9a7654d625ec785b98c2b8f75da491973962dd128ddf17594fa9
-
Filesize
5KB
MD57fb5e1951224067926cac7d171a2f87b
SHA1db277b4372fb2491aa4640c53ff7e74188089a68
SHA256d39221cdf8d4a30eb7f3dcfb34500223903d4017417939a66bd781a6d7c78ac6
SHA51298ffc0c96374e7bf1d46eecb52d9245a26cadfbfb1d3a11c754adc1e5344bb838b5604bcd55f76d39242159527b255ff061d92a3cd260f6496f19d4c3a9baf47
-
Filesize
5KB
MD5f7d8021224f7f0bca2e1bae5b9db582f
SHA10d786f6110fae80c063c96c584300b17e9b020c5
SHA256a0c18d1f02b1ed9f6f9c77e4d28c998728e9d3dff6fce9a2ae13c9c0eb146f52
SHA5126d56c30e1caa53b8157e827f70b634f5367fc48a4b0a251cf6ab922630428f3f83e86323b5501b64284bb7bd46d22437696ff484976558168bbd83bb527e1cb5
-
Filesize
24KB
MD55edab6d3ffbeee247ccb4423f929a323
SHA1a4ad201d149d59392a2a3163bd86ee900e20f3d9
SHA256460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933
SHA512263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c
-
Filesize
24KB
MD5784a51387993e9aeb34d4ad4ed93ab48
SHA11cbf9ea1b6c2ea18c8670f26ebf9c11d7d245bc4
SHA256567af49b26f4676e8c8ad07b34db13ae7a9e19ba01e6bd1af390a611b44413f8
SHA512ba34c55cea5840723b16f09f0a790f823a5a65657f8163018cbfcbc3a13c83b1b4b6a1f8ca0fe188c1ba7d78cc9319889235c0f6042a2013755fc6d820e4b9e6
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
13KB
MD575655d079391f1f9b354dd70b3ba4a04
SHA174a71c3b3d80663de5cb370d55f21518649bdad4
SHA25625f442deed3f0961488602fa79599ed9829beb6299b87219b21aeec25d042bf3
SHA51266265585ecb51fdaa5e17d5803acb47da7a638d61ccad06b9b7cb9527f55d44ee4141a66bf7c782cbe52d20aee8077fb179e6174bcfcb78396ed22dbcd30240d
-
Filesize
13KB
MD598e17b3856605bd42458b4c28601cd32
SHA1b780f85643fb4e6fde5353595cd25da8c524fabc
SHA256a8e71a2029f795e6b4c6e52ebaa22bfb34c25cec483d3d02644fe076d5e785ce
SHA512d6c411f0c0370ed58481cd2aec9c6df1850c1da950fd6324d77b6c7e06cd23f47b61f8693cc41beaed43a2e20ffd6c922b3bce85ee3c5a7b284ef3a116864c7b
-
Filesize
10KB
MD5628749a4f5a58a601ecdb8f786cb99e3
SHA16fbb6cc5af1a97b98f305e6f8759dfcf279787df
SHA25663ae40dae7ead04dc5a149024ffdc943253191e8ca21d7c2d4b090b1fd6739d5
SHA5128ee0fcdfff56b9d97b57af70149010b37ada8222a370a5ea1d06ca43f38114642fbe96e93cde8dfd2f29eff84b7b3c6db2970c8a319f10de972092d6e1de0be6
-
Filesize
12KB
MD55c55382c36ac51ed8112b6f1f1e1537d
SHA198531a41ace3112fae8804b7a76b293ef7feaa3e
SHA25631a54b9640c9e0e75c7b2b35c17e013416206528c6748b63df7de11e439d7fa0
SHA5125f8e3e1b5cc4eef4576b1e68d87702129a65ee6d87d7529aebbff9c8852079b6f805edfbcedfdcc449ad13f8f60629f6260b45372b2c810e38553899d8ec0051
-
Filesize
13KB
MD5c37239fa0ae0790256cddf63e6f47cf2
SHA106a73391b6d906af872e2486476d513044850e70
SHA256fd1b2325e4451932312e31f9f3530afcc646b4dc742efee9a5e3d8f0c2c3da38
SHA512a35e00bf6d88c57499c03989b64ddd240c811a97743959000f68083bab91b59ff7e6f566eec4772caf779c53a01c3f248e640c0302b1b7bbd24f971466b56681
-
Filesize
13KB
MD5446f15579262e1cca62d1b5811de2d4f
SHA1f290f6f498a8776ccedc4b358e1dea989a83970e
SHA2564168a85ccb0a20813e01178ef5e5dedae9dcf72a1e3e093f73caea869ece7bbc
SHA5126adf772660e75825a89e0b91126de45136418bebc6cfbb3aeab8c29e035647663bd8973a05d876e79f6a68ac23e6f97eee9fec4f8686ea3134fc2d475ae05aeb
-
Filesize
3KB
MD54b59e9d7ae54293e2a6fba8da64c00ce
SHA1147205677bf4ccb5441d242bbfebe724ffb43944
SHA256a093c38f5c87ae3172512a8f3095e8b35202ced5055b259afac48da4778a43ce
SHA512b80b576b7039716e73904578c60b8817480b51944209793b5dc702480f17cdc911d45b1c32c55a6e1f7bce0ba90b235b59aa4ec99fb83dc96bbc489197793459
-
Filesize
2.6MB
MD57d5f71b752b46ee22a1072c5467e1767
SHA1e79994a5a067f8ef997318a8829566f31305d202
SHA2560d131d8ad3c79f22c03970df7345832eb4de17545be1f078c3063e66de6ac4b5
SHA5129fb5640ae73335361ca6b166e7308036c0b6c2c892def329a7957bfb190dab1ccacf5e6a50ebc17a6c00de7d69d3646e1144fd4fe177ac8b2a1f30aff4ef1c11
-
Filesize
2.6MB
MD57d5f71b752b46ee22a1072c5467e1767
SHA1e79994a5a067f8ef997318a8829566f31305d202
SHA2560d131d8ad3c79f22c03970df7345832eb4de17545be1f078c3063e66de6ac4b5
SHA5129fb5640ae73335361ca6b166e7308036c0b6c2c892def329a7957bfb190dab1ccacf5e6a50ebc17a6c00de7d69d3646e1144fd4fe177ac8b2a1f30aff4ef1c11
-
Filesize
2.6MB
MD57d5f71b752b46ee22a1072c5467e1767
SHA1e79994a5a067f8ef997318a8829566f31305d202
SHA2560d131d8ad3c79f22c03970df7345832eb4de17545be1f078c3063e66de6ac4b5
SHA5129fb5640ae73335361ca6b166e7308036c0b6c2c892def329a7957bfb190dab1ccacf5e6a50ebc17a6c00de7d69d3646e1144fd4fe177ac8b2a1f30aff4ef1c11
-
Filesize
2.2MB
MD52e09ee95b8f43d9f1da8cfb28ebf3e9d
SHA14e586ebe040a47295ee65543467342aa5dcb2e89
SHA2568f52af42a0c03f463ce50fb1a894f6f68aa3b6be0c3c105cd4c6a1ff1d44bb56
SHA5120e0ca9721dd50ba4c5ed66bf9ddb5242ce56d7f4c249c96b50082b6df178835cae61b9d678a2be7e52f202208b6e85caa241038be3f549ebdc8e92c98affe59b
-
Filesize
2.6MB
MD57d5f71b752b46ee22a1072c5467e1767
SHA1e79994a5a067f8ef997318a8829566f31305d202
SHA2560d131d8ad3c79f22c03970df7345832eb4de17545be1f078c3063e66de6ac4b5
SHA5129fb5640ae73335361ca6b166e7308036c0b6c2c892def329a7957bfb190dab1ccacf5e6a50ebc17a6c00de7d69d3646e1144fd4fe177ac8b2a1f30aff4ef1c11
-
Filesize
2.6MB
MD57d5f71b752b46ee22a1072c5467e1767
SHA1e79994a5a067f8ef997318a8829566f31305d202
SHA2560d131d8ad3c79f22c03970df7345832eb4de17545be1f078c3063e66de6ac4b5
SHA5129fb5640ae73335361ca6b166e7308036c0b6c2c892def329a7957bfb190dab1ccacf5e6a50ebc17a6c00de7d69d3646e1144fd4fe177ac8b2a1f30aff4ef1c11