kutaki | hxxp://revolutionforsuccess[.]com/images/icon/bqiw

Analysis

max time kernel
101s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://revolutionforsuccess.com/images/icon/bqiw

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

Credit_Return.cmdCredit_Return.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe	Credit_Return.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe	Credit_Return.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe	Credit_Return.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe	Credit_Return.cmd

Executes dropped EXE 2 IoCs

Processes:

naztgofk.exenaztgofk.exe

pid process

2612 naztgofk.exe
560 naztgofk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2612	naztgofk.exe
560	naztgofk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4784 taskkill.exe

pid	process
4784	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133288863144213779"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4268 chrome.exe
4268 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exe

pid	process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Credit_Return.cmdnaztgofk.exeCredit_Return.cmdnaztgofk.exe

pid	process
4340	Credit_Return.cmd
4340	Credit_Return.cmd
4340	Credit_Return.cmd
2612	naztgofk.exe
2612	naztgofk.exe
2612	naztgofk.exe
2852	Credit_Return.cmd
2852	Credit_Return.cmd
2852	Credit_Return.cmd
560	naztgofk.exe
560	naztgofk.exe
560	naztgofk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4268 wrote to memory of 3464	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 3464	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 4792	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 3052	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 3052	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe
PID 4268 wrote to memory of 116	4268	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://revolutionforsuccess.com/images/icon/bqiw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff87ed19758,0x7ff87ed19768,0x7ff87ed19778
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3928 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5316 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5636 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5916 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4628 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5976 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5828 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1796,i,17722485540219391061,2950837312564397087,131072 /prefetch:8
  2⤵
  PID:3568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\Temp1_Credit_Return.zip\Credit_Return.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp1_Credit_Return.zip\Credit_Return.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4064
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2612

C:\Users\Admin\AppData\Local\Temp\Temp1_Credit_Return.zip\Credit_Return.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp1_Credit_Return.zip\Credit_Return.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3276
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im naztgofk.exe /f
  2⤵
  - Kills process with taskkill
  PID:4784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
162KB

MD5
475f3b2f4b6829f089f959d8291c69ab

SHA1
10cfe4b0bad5e7fc4c1bd4c4f79f9cc32ed93c99

SHA256
4f40a7d3b7ddf8e77c9b9556b37cdbc062bda1e20757b4c709adcd3ee624b219

SHA512
fb2b2fb4b86dac393e35c42e66e327af699fa1c6baefdeb4ce9f95298990faed0ad556475d16ba6ad31868412f6179d996cff7c15329f4ef92778be592e9d712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a382d6e1b23caba4f9e5a6ecff30f747

SHA1
e5e42f02a6359129d5a28c23b735ffd3730a9dda

SHA256
c449f59f8f2696ee357f016f3002ff97e31f87ff399adab108c83e5cbe4c23ec

SHA512
cc44606826d961b3573d59a40e56667b77984c86f08c12bea6c6b1c1290c1c6d65170c68b3c91bbc9230b2c1d9765c8e55a21784490a267b5710e2621666edfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f844ce8adc811f8ea003a5b047e37626

SHA1
068ad9f2ce1016652bae0ddbbb95932edaf3630f

SHA256
b0bb86167c431e42693b4ae87fe27762fd87168d884cf1cf235258a8c2de7c7b

SHA512
06d322a50dccc6b51742d0c8f001b87ebdecd06a00f0fa645b04860f2f78e2d0f358b840f4b746a0f001c988c08b862fac47d44344831c8db12c425bfa2710fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
09302f5d384d87bc07f85931e537edab

SHA1
8ab0254f2dc51c154093deaef521b082fdc680c6

SHA256
467eeaa59b19dd8554b1a06b2338dd12239c4597fda890bb1467a6713f456069

SHA512
8158cd8e50ff71566df2b27e5d53091e1114603781d3029f07613ba22b3043f13ce8a2218d5644a3609172a94f04d65ddf1cea8f8ec5d27bb232bafb32439898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
3aa75aaf9a115387530ddf8c1f26d29e

SHA1
4205e364c711802ff15cf1e429ad085e8d4ffadf

SHA256
7d4484ca7139b1ef2d25d7378dc9ec537ef02953e950d9dfb9e204b97feb5346

SHA512
2dabd866c92e1cdc94ea7597b3548e100459a6f4a6a24ad49b9a338b104d729fb81a2d7b0a8a03cbdcfb0a32d7f58bb06ce5666d1e1c469f65731c476e3ffa14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b8a12b9964d5839394850e69f2489f0e

SHA1
7a41d5c7c1b84e0c8c41be97adf0ba72898c6ccf

SHA256
40f2fd5a6e90a007eeb514fb472f38d28057d42e451f65673964be0aa1a79c30

SHA512
d339c28ed0285fdac7117a99da23d933835bf1584581e34aa611498b658fd4c34a7cd81b2026efc19e7f7878e31869d714cac12d8a5ca540f6006a86f553fba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
47e85c016efcb62ba4a42d36456bb87b

SHA1
1b30ccb4bf8dc46cdd88278e21fb92daea1401d3

SHA256
f2d9ee84c14b3f02fe5d245aa45fd08b034f13e0ea7b7d837a3f8a71b3a2cf12

SHA512
cdb2e222c994900c4a82651c4cff3f850b947da764e99df883c9e5f2e5e6d2005f6eceefb53eb39f8a5fd098fc3a3013ef0b04398347bbac42006e8ab662decb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
91457a52d5e9c51ed798adb72a9c6887

SHA1
533bd440fadf4252bb093d137e77a7559e427a5a

SHA256
b7eaf80ec9afbcbde9372a5b9e2c73fd29d63c24a772cae78520c9ebff79dc19

SHA512
1de5c58fc989a28f60f04a582991b1faecc32bb74fcd07f34e1e6b7e748afd50c87ecc9441ac87926a399c30d85cf8f2ea5e3be2bd9be432006cb6c6ab05c13a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
acf6af173d1379d8d3cc411af044b1ff

SHA1
67acb8af8a75a08f29ded2b8d60fdfc4dd2111c9

SHA256
2b08aad2ee5894269d6daa934dfda6ba458dbf37cce3fd82d69af210adc85f2d

SHA512
5e5ea7756cb388a614077bb627d7653c229717e314e5d31c497d0c84cf3bd837202c3624578c66b7daba429956b4b2a46e93db2ef27d1cf11a0fc20aee55792a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0a8c772cad815aa95279cc0773bfaf0a

SHA1
0007c7737b2a42dbbeb0b7f258fc0554ba0239ef

SHA256
c3c5de3f3de81184f16608053b063944f38a2bf317a1e262ccd5a6ad273622e7

SHA512
abebbf5c031dfdec221927bfa29f2ede5d9412c1d6ceac8627b1e319f8fc983afd7ac4d21c784980147042934a0f77bad1c1fc504f4d0f423b4de54ceeb754dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
edc1c18dda364e65ef01bcbe35cf3d32

SHA1
6ece30ece55536653a1877fd525f1e2ffd4be4f4

SHA256
402869d5d96569c93d343aecef220545c6cecb9e8931d2120069d919884dbaa3

SHA512
6a35c648c3ec6e13f27028179297e410877b008329449878dab0d541a11ae3542e1bebd59af164e39aadd2b53d22f7efbcd62145a2e8f424c0c8397355b2d16c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b366938ec0793a0db9a388bfafc7bdda

SHA1
1fa0e37dbe934cfcfe1f41be47d72af6940043cd

SHA256
ed55db2c8f8970c4ede15cbe1073ad172233971a2603762b9847d2a438bb2a34

SHA512
0da87fcf0e51e36301e8335036d53a91acc640227a2e83bb2c3a7a0e6d2c3ffa085b6414a6c6f3ab8869b74c0b0f8d64d13253cd03c1e04071fb610abbc4a41c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe570ee4.TMP

Filesize
48B

MD5
a71e0bb48f31b1471527d60602d17e4f

SHA1
278fe199c33ddeeac95e85fc9fb617fb39276e61

SHA256
3762661e481a4fbaa9d2f9e9acbed926c38aba50ec4cab2b3190154429abf0f2

SHA512
5c4c3a6757d075ab27346a74bde5d83e40fc7d5637aa7db694de2bf937f600fe4852d55c2e604029c955fa87d23a797902811a4d1a2f73b99c6c381b4d12a689

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
2e3a94e7bee83852036da4cfcc543f9c

SHA1
b7b939b1148bb085517c384b95fb5389cccf8cbb

SHA256
cfea4eb01997d3043631d65705c9220d3c4f350cc15832952f8b37468cfc6e76

SHA512
a0b18438b7297a375a82557b1539ffa3a595227c71960c9c826db41d5c5f704fb0a00fc737e5bc0ca7f66ec7c18fb56a9e27b1b095f9b43dff16fcece60e7038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
fdf85ea5190389d9b57e2ec155bd89ab

SHA1
b9e70e575ad32ba3979dde0a1bb7753e10fcc8b1

SHA256
6918847d18a666011d99730d07b53c251d8bf1a00099a47c8c35b693e30d8321

SHA512
80f2c57b471884ccc1a4964425b8a3ed372614b57b2d82bcfd5b07fd4fe35ae32318d4eea8b5e6af30c7f66b2214db1629a86204cd9986f0672c4680ed451c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
0633f51d61aa1fa6c852485d16e3eaf1

SHA1
83315c313b48f85260846b357e11f8f297a7cd54

SHA256
eac9747953ad8233f01f56f45a64b8aaaa10aee6a723c5607a4291069339df78

SHA512
9fc93fc90091db7e3b35c3e0b29b3a368da9324e0819b9d29b5823e4dfa878c05b16e19a497f76e6e84a8047830314da9eeb7356f46ff633d4d073fbb8183346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe56edc0.TMP

Filesize
102KB

MD5
3470343b722f60219a16b67b3eec3d0d

SHA1
5ea4b2fd6e1160ce6bd5f52596f7c060bbd5c1ab

SHA256
94662819bbdb7c20870137f17ee2a27452a49171d6ea46257f4147d1611f03de

SHA512
4b55b9be6eacc35d2405443d7ba277a50b856b6556256b547e39dc996988e4ab486a66800691a1b9746e7775a11caddf3432217e97ebd2b1886b8d09216b7e13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe

Filesize
2.4MB

MD5
73dab08f86035f76562bddb07c99d669

SHA1
96a912251f3ff176b74037c44506c6b96ee34aee

SHA256
f9407a6a164ace0ce47f997f2e9d8c862298bd9e496d0c3f8714c12b9ae2580c

SHA512
2556b881fb7d34b1b02b5c510120e6f701a6c53d5c2d617c4c18a817ed81ae50e30a3f095c863c35257f3149eba4964e2f43240a13c5a3655dc5b642ea230ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe

Filesize
2.4MB

MD5
73dab08f86035f76562bddb07c99d669

SHA1
96a912251f3ff176b74037c44506c6b96ee34aee

SHA256
f9407a6a164ace0ce47f997f2e9d8c862298bd9e496d0c3f8714c12b9ae2580c

SHA512
2556b881fb7d34b1b02b5c510120e6f701a6c53d5c2d617c4c18a817ed81ae50e30a3f095c863c35257f3149eba4964e2f43240a13c5a3655dc5b642ea230ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe

Filesize
2.4MB

MD5
73dab08f86035f76562bddb07c99d669

SHA1
96a912251f3ff176b74037c44506c6b96ee34aee

SHA256
f9407a6a164ace0ce47f997f2e9d8c862298bd9e496d0c3f8714c12b9ae2580c

SHA512
2556b881fb7d34b1b02b5c510120e6f701a6c53d5c2d617c4c18a817ed81ae50e30a3f095c863c35257f3149eba4964e2f43240a13c5a3655dc5b642ea230ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\naztgofk.exe

Filesize
2.4MB

MD5
73dab08f86035f76562bddb07c99d669

SHA1
96a912251f3ff176b74037c44506c6b96ee34aee

SHA256
f9407a6a164ace0ce47f997f2e9d8c862298bd9e496d0c3f8714c12b9ae2580c

SHA512
2556b881fb7d34b1b02b5c510120e6f701a6c53d5c2d617c4c18a817ed81ae50e30a3f095c863c35257f3149eba4964e2f43240a13c5a3655dc5b642ea230ebf

Download Submit
C:\Users\Admin\Downloads\Credit_Return.zip.crdownload

Filesize
2.1MB

MD5
f4f29287d66d6a91ecd2686bb2ff277c

SHA1
54012cb37c457d5d58fbbad0e67e9527f2a9f4b1

SHA256
53789a3e9440e325921e1fab16a32612a5d33995cc7520d791c2d9af087379ed

SHA512
0d1424777c57d3c979b7cc95700b2fd76a649ab71cfeed2b9fea51c803fc8c1ae89106e94cfef3c2bdf451a5816317b240258487aa9d08db27d56855aa685f0d

Download Submit