kutaki | hxxp://bursadapur[.]com/ewsd

Analysis

max time kernel
47s
max time network
190s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://bursadapur.com/ewsd

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe	Invoice No 74492.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe	Invoice No 74492.cmd

Executes dropped EXE 2 IoCs

pid	Process
2796	Invoice No 74492.cmd
2860	odpzdtfk.exe

Loads dropped DLL 2 IoCs

pid	Process
2796	Invoice No 74492.cmd
2796	Invoice No 74492.cmd

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1240	chrome.exe
1240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeRestorePrivilege	2640	7zG.exe
Token: 35	2640	7zG.exe
Token: SeSecurityPrivilege	2640	7zG.exe
Token: SeSecurityPrivilege	2640	7zG.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: 33	2716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2716	AUDIODG.EXE
Token: 33	2716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2716	AUDIODG.EXE
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2796	Invoice No 74492.cmd
2796	Invoice No 74492.cmd
2796	Invoice No 74492.cmd
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe
2860	odpzdtfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1924	1240	chrome.exe	27
PID 1240 wrote to memory of 1924	1240	chrome.exe	27
PID 1240 wrote to memory of 1924	1240	chrome.exe	27
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 944	1240	chrome.exe	29
PID 1240 wrote to memory of 824	1240	chrome.exe	30
PID 1240 wrote to memory of 824	1240	chrome.exe	30
PID 1240 wrote to memory of 824	1240	chrome.exe	30
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31
PID 1240 wrote to memory of 344	1240	chrome.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://bursadapur.com/ewsd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ff9758,0x7fef6ff9768,0x7fef6ff9778
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:2
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:8
  2⤵
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2220 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3284 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3364 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3576 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:2
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1572 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1280 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4188 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4088 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4968 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4040 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2144 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 --field-trial-handle=1272,i,7730234373024456408,3168858399922225079,131072 /prefetch:8
  2⤵
  PID:2908

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1620

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Invoice No 74492\" -spe -an -ai#7zMap12572:94:7zEvent31761
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x188
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\Downloads\Invoice No 74492\Invoice No 74492.cmd
"C:\Users\Admin\Downloads\Invoice No 74492\Invoice No 74492.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2860

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Invoice No 74492\Invoice No 74492.cmd
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10abe59af3169ce92d451a7f474c2307

SHA1
78f8b38f57ad688ab8135af52c65703fcfb6a11b

SHA256
b3b4faa81a8eb4a2965add98ebe988c3fdf13dd63cc9296d61db5a2645cf8112

SHA512
44fbd4be251dc7fce33f543d2550b9899b54463115610da33be743e3e014c3a9f0110e3b1b7e2b523feffce9a79a90179bad741ab35cfe6f233ec1bbf6b796a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\219bc37c-7e19-4055-a965-93e6d217954e.tmp

Filesize
5KB

MD5
34617999c26d5b58de994780ba8339e8

SHA1
d991527ad4641937c7205d0c59f413a05801d4ce

SHA256
8982d267c50b9b89b0114d04b196e008d4851790df77b178982e755db27e711a

SHA512
a0ffae4dcba25287b1c14684bd313fe6ddae419224c62055558ad4fc6551107ae1997d3c84a49e09b70454ed25fc9d1b284168d99c8803307b333384851745cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
161KB

MD5
d0689623f131fcb540b6b70ff1c8b55a

SHA1
50726cae90a7d1cd36246d1d929a2ab77a785de6

SHA256
345aa90fb35c263b36c1fbe3dbe0d4151029eb80bebb0b759b5344960e950883

SHA512
e7ba0546266d2e798912cae355aad65b73fa8c108349ea73074700701e55617c46a49edf531e2424a98aee1d85ce340ce94def0b121eaa191c0e510074fe58c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
abee45e9e68dc665b4a04d966d8fcb58

SHA1
f20e599ea4ab572d52ae0f5a8eecd992ab09e96a

SHA256
bd3c03c9fae6c6d4f66333fa51dd5d68d766a2ebc413bab91e41056d5a6feefe

SHA512
c986878ac4234f0e2436c827406bb3ed5b3584a7855b3c9502ac14c8982787883020339471a54f40b6f1e2642dcc5ca140a7f1fcc9b67efece723b6fa3b73718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
852B

MD5
56321f838de77be7fdec314b7b3a3494

SHA1
7a84e9ad825e5ec1bdda66f844c8eff33fda987d

SHA256
7087239ad2ae7f6e8e0ef0b0591efa0b392c6e1100fd4c4eb93f225ead553d2b

SHA512
93cef1bd831991a099ddff35da4e6404a6d172dd595889fb20f394dd6774b944488eda75eec9d2d199b8c3f7635fceb79e4883d72952aa9caadd2d8b5b953eb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b59486ffea74e729a59209e5376e9c9c

SHA1
c70a69e6e49eb5818f0503c02d5223824d71a8fc

SHA256
68b3b78a935ef8a8fc5849bf7005b1bc1b60920c4aa854a55f7035e567cf8e27

SHA512
3e6de4fe5edd2ae04f8f1cebfdbbf9781ddf99534e8ad6e934817c524b4520c67cd3fbd39b976162d2268440636e14b9aad701591f294700048fcdb81c424208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
eb8c237848beb65c86d5c6b81e2cd087

SHA1
09695aa0f0dee97d87dd88b420df647208cb0261

SHA256
328c3a244b2870e8f21ca425021f2cc334bf0e105c02852a36408dc1a061ec75

SHA512
1d50be3621f5970c041341b1ed48aa08767979a4e261f175204e3b48b3977c47cef5b66d1d495733df13074b88cdfbf865f3d0126520a5a81c469da7fc3d776b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4e52c374484a33cdc6aba3c409ddeccd

SHA1
bfdf45c9546b5af9c6102ae0b9e2a1900d7fa0de

SHA256
1a0a6db026bd2db6b9020a1a53ec0286fbc79171f1f2e50a0090fa6fc46db727

SHA512
044bb8a9b0e86cf08e471f2bc75e66ac58378569e0caeb16c8f924a00e78019fa3ac889394b195209950a843b85f1ae719991481184e7c41075615f738b92d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
59bd1969696ca973f94d9e63618aa2fd

SHA1
f62f29576c9b9a7138d7b08c83e6237604c8af0f

SHA256
bf88547bcee57fc99e901befa347afc21d7c7e68dc88627e79ed80107ff26d87

SHA512
e7dd76b29653e825086152af3bd1a8dd6baf0f01bc3ea38bc9df89f9d539cb83d481fecd603f792fdb612eaa14fb99de8b0cecca6a6f675fcc4ed83e7c8b26f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
11642d647e38c71882b3160703316be4

SHA1
5bfbe77fc640a05fb415f18c557071db41469d51

SHA256
fba082ce5d8a241dd56d9bbbd03fba871d0d2a739eca8a8716a697953d923441

SHA512
d25da97a875eccf610a823c2a8b5a014421e488997c50396a247586eb296410605afc5937a4db7a551ceee9b3c3f68b43b2f01f7d59d466f60b141b786ccd0a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RF6e3026.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
56794f32d877ab1704e7e7dc343b502b

SHA1
48eb6346b4569d3ecfd4c498ab38c96ccb0bd47b

SHA256
af24f80ed190230f59ce6269548c4e1183d94d072342c0f7f089b0be8cf9f731

SHA512
525f1c0c07c83e1225e2765beec1e37e01147561c51ecf90ce0da52ba8b73cafe29857b4252f4e8251ce5b196f5955938609d8fdc05d926e64be55eb934b00ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41B5.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar42F4.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe

Filesize
2.3MB

MD5
d61b4e414e08564e3c76514dabc61bc7

SHA1
c4497f7036a753b19d4c22eb68d943fd4908bb3d

SHA256
1add4a876fb3d2a2f694ee3eecb0d6d5600efdad1b9f4a2fd27f7babfc265ce4

SHA512
d760efa49774c9e72fe8a911c08ac945342878252a19627a3a41be5e91eaab9b4bfa5982fee5c27df10e0a4645435393a3191f5116b6ac3a8a789a8db2ef7f37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe

Filesize
2.3MB

MD5
d61b4e414e08564e3c76514dabc61bc7

SHA1
c4497f7036a753b19d4c22eb68d943fd4908bb3d

SHA256
1add4a876fb3d2a2f694ee3eecb0d6d5600efdad1b9f4a2fd27f7babfc265ce4

SHA512
d760efa49774c9e72fe8a911c08ac945342878252a19627a3a41be5e91eaab9b4bfa5982fee5c27df10e0a4645435393a3191f5116b6ac3a8a789a8db2ef7f37

Download Submit
C:\Users\Admin\Downloads\Invoice No 74492.zip

Filesize
2.1MB

MD5
3ac2cbf9870b1fbfdb2e62a0517a1470

SHA1
ed845b3a3426d03133140dd7f83a560f93cd8138

SHA256
ae01366ce16b678216d7c6251843bcfcce8e1d4326ceff2281915876c883908a

SHA512
9b711528d5c00af3c3a48bc0f82702da8be257fe269cfe67ef1eff976bc49ed91b8d99755a6964e0e881f648aa68b8333489b230c0b110e4c15da4f27933cddc

Download Submit
C:\Users\Admin\Downloads\Invoice No 74492\Invoice No 74492.cmd

Filesize
2.3MB

MD5
d61b4e414e08564e3c76514dabc61bc7

SHA1
c4497f7036a753b19d4c22eb68d943fd4908bb3d

SHA256
1add4a876fb3d2a2f694ee3eecb0d6d5600efdad1b9f4a2fd27f7babfc265ce4

SHA512
d760efa49774c9e72fe8a911c08ac945342878252a19627a3a41be5e91eaab9b4bfa5982fee5c27df10e0a4645435393a3191f5116b6ac3a8a789a8db2ef7f37

Download Submit
C:\Users\Admin\Downloads\Invoice No 74492\Invoice No 74492.cmd

Filesize
2.3MB

MD5
d61b4e414e08564e3c76514dabc61bc7

SHA1
c4497f7036a753b19d4c22eb68d943fd4908bb3d

SHA256
1add4a876fb3d2a2f694ee3eecb0d6d5600efdad1b9f4a2fd27f7babfc265ce4

SHA512
d760efa49774c9e72fe8a911c08ac945342878252a19627a3a41be5e91eaab9b4bfa5982fee5c27df10e0a4645435393a3191f5116b6ac3a8a789a8db2ef7f37

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe

Filesize
2.3MB

MD5
d61b4e414e08564e3c76514dabc61bc7

SHA1
c4497f7036a753b19d4c22eb68d943fd4908bb3d

SHA256
1add4a876fb3d2a2f694ee3eecb0d6d5600efdad1b9f4a2fd27f7babfc265ce4

SHA512
d760efa49774c9e72fe8a911c08ac945342878252a19627a3a41be5e91eaab9b4bfa5982fee5c27df10e0a4645435393a3191f5116b6ac3a8a789a8db2ef7f37

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odpzdtfk.exe

Filesize
2.3MB

MD5
d61b4e414e08564e3c76514dabc61bc7

SHA1
c4497f7036a753b19d4c22eb68d943fd4908bb3d

SHA256
1add4a876fb3d2a2f694ee3eecb0d6d5600efdad1b9f4a2fd27f7babfc265ce4

SHA512
d760efa49774c9e72fe8a911c08ac945342878252a19627a3a41be5e91eaab9b4bfa5982fee5c27df10e0a4645435393a3191f5116b6ac3a8a789a8db2ef7f37

Download Submit