kutaki | hxxps://vrlabels[.]com/[.]well-known/pki-validation/qpkw

Analysis

max time kernel
52s
max time network
223s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vrlabels.com/.well-known/pki-validation/qpkw

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Payment_Note.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe	Payment_Note.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe	Payment_Note.cmd

Executes dropped EXE 2 IoCs

Processes:

Payment_Note.cmdobbsovfk.exe

pid process

2628 Payment_Note.cmd
2696 obbsovfk.exe
Loads dropped DLL 2 IoCs

Processes:

Payment_Note.cmd

pid process

2628 Payment_Note.cmd
2628 Payment_Note.cmd
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2040 chrome.exe
2040 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeRestorePrivilege	2444	7zG.exe
Token: 35	2444	7zG.exe
Token: SeSecurityPrivilege	2444	7zG.exe
Token: SeSecurityPrivilege	2444	7zG.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: 33	2548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2548	AUDIODG.EXE
Token: 33	2548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2548	AUDIODG.EXE
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

Processes:

chrome.exe7zG.exe

pid	process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2444	7zG.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Payment_Note.cmdobbsovfk.exe

pid	process
2628	Payment_Note.cmd
2628	Payment_Note.cmd
2628	Payment_Note.cmd
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe
2696	obbsovfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2040 wrote to memory of 1740	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1740	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1740	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 824	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1472	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1472	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1472	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe
PID 2040 wrote to memory of 1120	2040	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://vrlabels.com/.well-known/pki-validation/qpkw
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7139758,0x7fef7139768,0x7fef7139778
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:2
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1348 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:2
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1160 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2064 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4812 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4620 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4012 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5340 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 --field-trial-handle=1208,i,1971773850073238440,15530584317878341270,131072 /prefetch:8
  2⤵
  PID:2148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1728

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Payment_Note\" -spe -an -ai#7zMap10291:86:7zEvent12476
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Users\Admin\Downloads\Payment_Note\Payment_Note.cmd
"C:\Users\Admin\Downloads\Payment_Note\Payment_Note.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
161KB

MD5
d0689623f131fcb540b6b70ff1c8b55a

SHA1
50726cae90a7d1cd36246d1d929a2ab77a785de6

SHA256
345aa90fb35c263b36c1fbe3dbe0d4151029eb80bebb0b759b5344960e950883

SHA512
e7ba0546266d2e798912cae355aad65b73fa8c108349ea73074700701e55617c46a49edf531e2424a98aee1d85ce340ce94def0b121eaa191c0e510074fe58c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9df49c550910ec4a305a0742f01e261b

SHA1
ee0766b5a9bd7d6fc8a766205e2f72818b101e97

SHA256
e8f718eb00897f4011594523c82b8a5312f93890fc297c54734ebfa37719975b

SHA512
1f2730ecb47267bb1107a0aa3bda94f21ebe6137502ababe75a38b39b9693a835e247f2375df3ed8795f481f799de356e87aed981c49b6f1609e5c2f71520cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6ada1d58a16f541ebecf32686919c572

SHA1
b7ae9fff2a9f5daa2ba58ab773a0cccce20b9cac

SHA256
75abce463710888fb1d0e29084d8f885f1a6a541af02bff139f50365d65c53f4

SHA512
dbf58531726da1ddb97305c2ec48d4ebc0bcb3cbed2fb4e0050a571f67b8ed546d1bcf765bf3b2dcf565b955a9946a4bf741a041bb17a0b892402ddacdfc79c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
683B

MD5
3453d426e4663f70b223793aae6ec4bb

SHA1
feda976f82ed3179640f48dcc2279ea148f90cea

SHA256
9a033917588c9ee44bff09841cf36d0aa3c48c47b43d7ef2f273d66f7f672c15

SHA512
5426dc201735a9f8e4b975e16fcf6313ea1bc5ef58f3e3fb155e2e7167e9f0d6f31432f71bc2baa39b207998bc5d11ffb1ab3f951d64381777b03afbc64afd2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
73286b98f78d5e0c6c74ed79c511ba2f

SHA1
8a82f3313abe16e64c5af572b323bb03cb68a96c

SHA256
12995d11e6ab854ce01f821701de19f1f18de697dac2adfe55703d4e3f5942cc

SHA512
8cc4eba5b661e3cc52c5530d4dafe488e55210da5d7b21306a46aa344f1613d30d71bbcd57ce878827579b654ac030507722ffb0ac338cc573e3a5206cf14b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3c96f94d00277828a70d0bdf55901198

SHA1
e2769fde641b2ee57508d7d6bcb28d6e91c3ab56

SHA256
bfcd290c245607ad628e18c87f7d3887172de11a9ee7e3e740379be3fa1db44e

SHA512
8b506bf7b2d389681c1f0ab77a2a5746474ae73fd18a2a110b3ff64ca8049442c19f6d5e63521ace5aa09923692dcd79766a1e54ff12d562b317142c8ef153c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
330dfadfeaefc9f5ae40e6d5dc9bbe4e

SHA1
554463d4dddcabc88627be0fe1b38ac80ac39dfc

SHA256
75577bda3ec4989eba7b785d62f82edd86537686b86376ccbf68820c89a18b27

SHA512
e1a6b6c013e8d7bd2bd36b58448290866aaed7b1a16615286399eeabbebbf9a37b60b0589f319f3af713c63a14db3f5359be324d1dc253f02df82d5e8ce04420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c68d1a2bb2e477e45605a2d897c81634

SHA1
6d9da39df6b5f161a13e67221ae3b88cc756acb6

SHA256
0059141957d59948059508741d72f940f019349f79991d7eec516bd9b6219f3f

SHA512
8c0821a79c00378e05aa52779e6f755cbfa0c7b30e62229a022183e106400179cb284c10020e9c0a50269c65ea2f625c111f1d7146066f5d88a40efb41fd38c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RF6cddc2.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\da80d80a-c49a-4cec-b823-550980292162.tmp

Filesize
5KB

MD5
09f7377cefa31ee18d96df59e448315c

SHA1
1cf4b3d19b0f64fc76df19ca86fafd74344d15b0

SHA256
4284cdbf8d1bb5e16cf912406f4f374fae253ab5d17537d2d993fd03120069c3

SHA512
25e66a12ab5532f8cc44ea1d34790ede3558c6a55133a012f1266dfc0f31d344dc2da3a3afb04585830900486a4db85437e515b130d0099fa7e9cacaa38385ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
b805b494d5326be8cbd72c05c5144bc0

SHA1
38da76cd503289a7f181f1ab4600fc9c6fbfb0f6

SHA256
09587eb948569a9d9d65d96ddbee939da20ffab76b6682d4f909732a98861f22

SHA512
72fb4ee5fd5827109b1245b182b13acf0d8c8a2ab6a1d6c7b1af43e31ec85636b2b7a6888a607bf5162249e5ec393d3104f2254664e552c28fb73c54f7f57835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23DE.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe

Filesize
2.3MB

MD5
dec8eff4a5f0416e70ee9572476e3e1c

SHA1
2a0c5f4cfb67fa2429a6110f4a3fa01bae3ab07a

SHA256
ad4ff94367b23aa1ef381bd3e0ee0c7b89998fa98909612b417f671b987a3686

SHA512
d8c8a9eecbf78dc3ce7a277aac2b64ef185b19b5a85ec6eaafa5e37f45ceb6ddef430f1c32a1f97fe471aba15cc147bc56dede78f2e9224ab7b0995957ffba84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe

Filesize
2.3MB

MD5
dec8eff4a5f0416e70ee9572476e3e1c

SHA1
2a0c5f4cfb67fa2429a6110f4a3fa01bae3ab07a

SHA256
ad4ff94367b23aa1ef381bd3e0ee0c7b89998fa98909612b417f671b987a3686

SHA512
d8c8a9eecbf78dc3ce7a277aac2b64ef185b19b5a85ec6eaafa5e37f45ceb6ddef430f1c32a1f97fe471aba15cc147bc56dede78f2e9224ab7b0995957ffba84

Download Submit
C:\Users\Admin\Downloads\Payment_Note.zip

Filesize
2.1MB

MD5
44b8fab572ac5eee02f89e50a0ef02cf

SHA1
e0d6864fb9bfb355a117ac0564bbb8e6d639addc

SHA256
07c15d2f26cd874c341f972bb2e717c3284052a955a0f63cc6ff4104c1e4e2bb

SHA512
e377943977b3a2b8af12480cb7c9acd56c86d5a21121817fed55312d9722622775fd62128c5987a82544df1173e724b9e6f7bd6e12cb2ad6a2c31e317c6d5409

Download Submit
C:\Users\Admin\Downloads\Payment_Note\Payment_Note.cmd

Filesize
2.3MB

MD5
dec8eff4a5f0416e70ee9572476e3e1c

SHA1
2a0c5f4cfb67fa2429a6110f4a3fa01bae3ab07a

SHA256
ad4ff94367b23aa1ef381bd3e0ee0c7b89998fa98909612b417f671b987a3686

SHA512
d8c8a9eecbf78dc3ce7a277aac2b64ef185b19b5a85ec6eaafa5e37f45ceb6ddef430f1c32a1f97fe471aba15cc147bc56dede78f2e9224ab7b0995957ffba84

Download Submit
C:\Users\Admin\Downloads\Payment_Note\Payment_Note.cmd

Filesize
2.3MB

MD5
dec8eff4a5f0416e70ee9572476e3e1c

SHA1
2a0c5f4cfb67fa2429a6110f4a3fa01bae3ab07a

SHA256
ad4ff94367b23aa1ef381bd3e0ee0c7b89998fa98909612b417f671b987a3686

SHA512
d8c8a9eecbf78dc3ce7a277aac2b64ef185b19b5a85ec6eaafa5e37f45ceb6ddef430f1c32a1f97fe471aba15cc147bc56dede78f2e9224ab7b0995957ffba84

Download Submit
\??\pipe\crashpad_2040_AFYYBKPOJTLHFZQK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe

Filesize
2.3MB

MD5
dec8eff4a5f0416e70ee9572476e3e1c

SHA1
2a0c5f4cfb67fa2429a6110f4a3fa01bae3ab07a

SHA256
ad4ff94367b23aa1ef381bd3e0ee0c7b89998fa98909612b417f671b987a3686

SHA512
d8c8a9eecbf78dc3ce7a277aac2b64ef185b19b5a85ec6eaafa5e37f45ceb6ddef430f1c32a1f97fe471aba15cc147bc56dede78f2e9224ab7b0995957ffba84

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obbsovfk.exe

Filesize
2.3MB

MD5
dec8eff4a5f0416e70ee9572476e3e1c

SHA1
2a0c5f4cfb67fa2429a6110f4a3fa01bae3ab07a

SHA256
ad4ff94367b23aa1ef381bd3e0ee0c7b89998fa98909612b417f671b987a3686

SHA512
d8c8a9eecbf78dc3ce7a277aac2b64ef185b19b5a85ec6eaafa5e37f45ceb6ddef430f1c32a1f97fe471aba15cc147bc56dede78f2e9224ab7b0995957ffba84

Download Submit