kutaki | hxxps://www[.]dropbox[.]com/s/ou3xkgkz9fs49cv/Invoice

Analysis

max time kernel
139s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2023 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/ou3xkgkz9fs49cv/Invoice

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Invoice No 88404.bat

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oamsatfk.exe	Invoice No 88404.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oamsatfk.exe	Invoice No 88404.bat

Executes dropped EXE 2 IoCs

Processes:

Invoice No 88404.batoamsatfk.exe

pid	Process
4776	Invoice No 88404.bat
1136	oamsatfk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133349063788897558"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{B9F37099-7FF9-4C59-AC14-4902D2C55E9E}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
2484	chrome.exe
2484	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
216	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Invoice No 88404.batoamsatfk.exe

pid	Process
4776	Invoice No 88404.bat
4776	Invoice No 88404.bat
4776	Invoice No 88404.bat
1136	oamsatfk.exe
1136	oamsatfk.exe
1136	oamsatfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 4176 wrote to memory of 2064	4176	chrome.exe	30
PID 4176 wrote to memory of 2064	4176	chrome.exe	30
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1220	4176	chrome.exe	87
PID 4176 wrote to memory of 1664	4176	chrome.exe	88
PID 4176 wrote to memory of 1664	4176	chrome.exe	88
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89
PID 4176 wrote to memory of 1696	4176	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/s/ou3xkgkz9fs49cv/Invoice
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca5779758,0x7ffca5779768,0x7ffca5779778
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:2
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4640 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4588 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4548 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5888 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3224 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5360 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2836 --field-trial-handle=1872,i,10590860561164039854,328316217803377302,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Invoice No 88404\" -spe -an -ai#7zMap3693:94:7zEvent19995
1⤵
- Suspicious use of FindShellTrayWindow
PID:216

C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat
"C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2264
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oamsatfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oamsatfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat"
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
36fe51ff48b280dcf410c04adee61921

SHA1
7839759b27191b967765d27a47e884bb44f6be1e

SHA256
a120042725fa01c1e1b25578253e0db4c28384547e7acc38a3f633205a0863d7

SHA512
444685e5934eda36c51300dbad9f558d6ad9b1dcd77f6b047c0a7dffb310753789a06b43ae9ce2b2bfd7bab574f944a8650442865370352d9cac0d72b84cccec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
766ba98aa5d3cac8b5241579332ac6ad

SHA1
e54e1d93e5c15996a28d503c9f41ca74584e670e

SHA256
a5eccbe6cbf9d5d98cd31529e2d22046e7486b9c13c016115f905360971519e8

SHA512
95f01edcef0efc93e45c4fa30bf1eb991e0b4b462efeefe9a652d7986622f398bbf4520aa6d739520fc8703c897711b918eea0b18e310cddd36ba3aece0eb48a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\93e02133-f8d2-4a73-a893-c28c01987ea1.tmp

Filesize
1KB

MD5
64c4beb0d44cadd034dbcb02f9d1bba1

SHA1
3ab43512d063ba8d17fb65aa9163b6dbd3e603a2

SHA256
4a28214bdb2431499fdefa1f2dcc9d8f27dacfc0ee39f4181631651401451770

SHA512
482f43edb9e42ace1da1b03a99e824a7fe709ab4d208f484df3de8f9412d3427b4082e23d3d874d14c748a5ad18db47a6f6b766635c93d74ded47522c1cbbb35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c1b3aaa5642afbd9b05c473d9ced85f8

SHA1
4f47fad502c9f385cd55fb4231d5163322d88e82

SHA256
8181a47b8e600652d30aea9a7cd829f42361952b76ed20f239a9555a67b24d15

SHA512
8ce1811efb6f938d7b0360057cc631d3eb78d985adacbca7052bfe79c31ce8aa45f3f02a31905c59d0604fcc2eb284297af865fb40ce529a4e0381c50d3596ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bbd79f5e5ad9bc04388e287466fee73b

SHA1
9dbdfc9d21f09d492e8d661a3c05a90f9b68c874

SHA256
c114a1c60f3cb3b644f99b8336a587cb213b5d24ed681a9009167fb684daba51

SHA512
8765ceb52574b43ba24fed999c2ba484602760f9522ec5fd8194feeaafb06a2102c828a314a8b2b63222bbe91ff4ae041f6a22b8f49c0600c140d1c88c7ef2a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
10acc1370b04ae16978196d09e099d55

SHA1
503d4f6950fbaf9cb8b7fc52d61edc328ce5e512

SHA256
8064fabc7c20b8de62861169e52fbb9bb3d06bffbc36d5573c9edf3839dfc974

SHA512
19da199efa91ed12773ef3b7b0394a4e1f23c3c1db843bf318888d36d95de90eb44077dc2f5e1a0f7ac3647610c679efcf481e11a0d66cf13c92701509207954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
10c243764dc871f9d2248064e9ad458a

SHA1
17bc3e0f533c407b6a4a2df56979315147b751de

SHA256
7b425c4442b94cd8c35925addba9bf2e7b5da9ab0ca07b4349a0f86168f983ef

SHA512
e0bc484e4e63c16e9fbec1715d2b2365588115420fd41d252a16cad76752345b3c4efb82821d2b11e749a258b5c2eb02a41b2eb4ac03a2255d92840efd0e2068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0a5497aefc468e01e16502f9a82b8024

SHA1
b50feadb745f3d4c3e58c87979eddebdad853da1

SHA256
8b4bb7d6b17c8b56397a96b2aab47c4d1e69fcedc123bb646775e5a480660063

SHA512
c7be0763c1574a5d8168b0daec2785111033a7ff95862bfeef3a2250faf4a49645aaac355b1646dbe4c712ee06231746eb28cb5cf4e0f9ebd2b3a9dd3bac6d4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a7b2af4165e18c5069e148f1514d5851

SHA1
89770f5cd11876da57b4cf1fa7763ebe3474193b

SHA256
0b4875e7bbb0c0689d732c6843946e9097282f1f48c08cb157dc2990334c346d

SHA512
7d36d48f447eb43ce98d275adcf68f9124fec7b48e48614c6d57d1caa9d9d2105ce7306dc795627624adee9e33192588b57a9e5401e64ba2affa9c6b82ead94c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8d199c98d4d91d032a9cf378962f2844

SHA1
83a2ba3ef24601da5d9e7316a233c079f4467c66

SHA256
a0f16b4063a95ca8024f2f7e9aede24c267b27adb725ae10173ceda84cf8ac6e

SHA512
c3ae05df164bf758586550b5c14ba1e129b77952fc4e1e513dbc99b2d8c018b38d6a458fd8b675c48ffe84a6d1e2a050f0ca3ec3235d2b35695fa263e1c562bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ed2d1d0f00cea7e7eaae6a2a90eacc8e

SHA1
c2a46770142269da7a845d0bf2189ca0e774fde3

SHA256
ffe691c8a2e2c83dac76f5e801e9663c2efacbbf6c4b581cd31fa15a5f0b5302

SHA512
8368cd8c4ac3fec24e337db24882bf9e1163636d24b274cfaea584b2eec7742fd032b9935e48ac58c206f4e0e5aa68198dc8f8d87511c0a5cb27fe2f284433ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4dd2439c27772b22bebbc41ed62da2d9

SHA1
cb42f90a4f01c4f1a5653cb7ce50957f672b0191

SHA256
fdea440a7ad1fe17ea3fa851908cfeda45fbf3c0ba305da82002ed75f9c264f3

SHA512
57f889d3d85775b218dfb37fb3a0e43d1629446160e08bc7bc525838812aff0d99f9eb3439d9c5299121cd70106e649b0f52456eaaeee0566d8577437db395ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e42f22c5326402dd4449f0c86fa076c2

SHA1
18b888d61b32553a6724635742cdd52697f37fd0

SHA256
3e32f4792d3c0730c3f397e95f5ef1da7f3dc798294001917af047d918d670c4

SHA512
83dc082c1e6571c98c12942e6ae98441fc8c327e18bcaedd5c96f764177712ecd00fe25fc3659542913a0cf01c98d0600b4c6bf8b7abb7f42062782b172e11c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
35397f5fa2bea50e0018aab542241a6f

SHA1
7cc695ec84f00b385658cdf76b1477691b1b75af

SHA256
d6380513fef7524f0a281686058dd8148acc7cbc7a8036118577fd492ce141fe

SHA512
c2af746b529bfa04eb07dba802820b73ff6f3b1caddd4b5fd99155efb4e146d330df3b6d6d84ccb494104b4002458d6a8448a70766236ce198b9eaab91b207d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9c59a12931bc6f30943fa9390449ee6a

SHA1
73606d1102668a0e2af533f7ee11a8b653f45a54

SHA256
635336a36cae310c8fe9573ce6438582704d2a13200a62663a93106623d51c57

SHA512
b0bfece7cf0ba408593020b13809187901ab28a0ed74394e060adb8bb448e8b4258ae6c6d78bc65c13fc40fefcdd7afb25bec16802cf2351f93a441e45dbb058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c66d9d1ddd2d7b9c130eb26942832dac

SHA1
1b763aa3617c737e5ff1642525a928f43a7333f4

SHA256
4e0f4f505aa57ec1dbc18e5ae4df42fbdb39b3bb97af4269d6467a9ecc1fbc0c

SHA512
1c59198e6e2c614cc26ded736433cb336238fa13e9b2d0a702b885819f571a399755a6228d76f858c3f3afa8409e36ba4714732c3ce5212326353eaa3eeb42ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
74348dee0aa6f416013ca8a31fe06583

SHA1
1dd78a45358dab3675432ddae8bea9af44f5536a

SHA256
f9116af13061e9c9bed6632bc498b34864eca24ac4729455ccd941e77aa9a6fa

SHA512
4f60cf48cbfba5a4ffc3f5e2bb512a3f2ddef97ab85c0216f709a407f8dfa1a09cf60767fcc2e35ef3cfee0a95335d50861280f07050b262f465c27e981e0ccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
a0f86b03579751abb73dd5b3cce287ca

SHA1
10ddd6e31608c44efb27f8b642b99df852479c83

SHA256
9bd2c3bcf9a0f8890b1ef6f2bbb642746f2b78839c4f6143f321fd51cc880200

SHA512
d55a27656d61ebcf28ff3e1280ee786aabd599b7b9373edd78076d7f4bff82a11d28cfc090f3e9df695b73490d7cfeb3e479eb2d2534b07f9e61a126b81cf528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
5f3fd7d10d5ed8167826917f64fc0194

SHA1
a386562e83d8c9bb6b0895a07dbba8f1d5d0a9d3

SHA256
c0b406f4555fc26b2d6e1921051443170f11a272a196ac058a9e3e2b501e852b

SHA512
0c30b57cd407c1d0e5da73cf804e7dfb592dd62ad1046e2af345fbba332708502d7e9083d62198465b4e079d9baa5eb1ca25e3e344d9e4e19f92cb3f82e09233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
603bd410a21435fad3d8eba887132ab3

SHA1
80c4be032851f8807da222c38dd4cc31b34f8eb3

SHA256
bf3caa0695a662a05de47edd6c553ceebe99c540ac74bc719b25e86c3b38ebf1

SHA512
9f997b96b176345711d3d9d7c3a3613725069ace3afb52982845903f6a4fea835cba22678119fe94162cf39146d6f163b0ef8ceeee91db3842f33830828b0ce8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
108KB

MD5
c7b8f05d5dff89063542c99cb3e33173

SHA1
461c2a3b0455af28f56883e59beff6d03e488659

SHA256
37fe9dae588b2789a6150dae86cb834aa487c61332346473b1fd5ddb66b7107a

SHA512
bb1a8260f3f9f012c07adbd8d1d8f51e901eec27aed1651dda3d299954a9407dd84c86b17330c90e654b3f4672da21a9882c5928e1582b9e77d9c8a245be0b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
115KB

MD5
1f0eeccf1297a344f052db5588193222

SHA1
3a32c2bbfa5e50716cfe05b3d01ed145a925d8fe

SHA256
2c695b90678133c18c28c8612a3d55dd19fbfa951bbbba9aa9371d9600710140

SHA512
da6af67fe7cb5cf44b9fe279dcfee65469385ca284393b65aa18379a98f168995d5d77fb30e959f225b642a7458bc853bae69a525b3c681bb42b036f06261b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5961dd.TMP

Filesize
105KB

MD5
bf3026bc6f507d11dc66ce30f247dce3

SHA1
806f7a7d4ab3174306860e8032933f1b1ac22f66

SHA256
5e3dd071d7f6d58b91d98b21fcc9d9ac4fb456e91d84e00a655fc30901bee1d5

SHA512
d4a863a215296a8f1cd7c53f06eb3052a12a285683f5ce15073922da9bdeaa3d6e161177a8c2c777b0802da8451af954ee40138ca8847217075ec147bf5160d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oamsatfk.exe

Filesize
2.9MB

MD5
560f4049a77df65858b292169dcfc4e7

SHA1
d57078d853074841f38b864e7890d4c2839cf089

SHA256
7999d0441c310bc8bcc7ed86d613eece57a81f4fef6cddf592efae05937785fe

SHA512
db87807b417742dcbc32a9c0bbc833a5fefba8ad28f1703e7ba446a8949c76eca41f2637a6feacb07dd43258ecfe0ef4c9a17576fffd90a9409214d8d95e4de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oamsatfk.exe

Filesize
2.9MB

MD5
560f4049a77df65858b292169dcfc4e7

SHA1
d57078d853074841f38b864e7890d4c2839cf089

SHA256
7999d0441c310bc8bcc7ed86d613eece57a81f4fef6cddf592efae05937785fe

SHA512
db87807b417742dcbc32a9c0bbc833a5fefba8ad28f1703e7ba446a8949c76eca41f2637a6feacb07dd43258ecfe0ef4c9a17576fffd90a9409214d8d95e4de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oamsatfk.exe

Filesize
2.9MB

MD5
560f4049a77df65858b292169dcfc4e7

SHA1
d57078d853074841f38b864e7890d4c2839cf089

SHA256
7999d0441c310bc8bcc7ed86d613eece57a81f4fef6cddf592efae05937785fe

SHA512
db87807b417742dcbc32a9c0bbc833a5fefba8ad28f1703e7ba446a8949c76eca41f2637a6feacb07dd43258ecfe0ef4c9a17576fffd90a9409214d8d95e4de7

Download Submit
C:\Users\Admin\Downloads\Invoice No 88404.zip

Filesize
2.4MB

MD5
dbe37e700e7f1424e255629e453bacf1

SHA1
2f3c21c26d3faaaf5ea96fb710d2108800cb9efa

SHA256
f29a29a81edfdea36ece02fa5b22ff4ab6c4b5ab03f8295fd7dacf5464554100

SHA512
8e13b824b40b2cc97d22ef2d89c71ee7b1012f7034cdf88edaf2f86cc6e2a5c46d44376712845fc27e92e3ab922f159bf460e16bc857c76364481b36eb670bb6

Download Submit
C:\Users\Admin\Downloads\Invoice No 88404.zip.crdownload

Filesize
2.4MB

MD5
dbe37e700e7f1424e255629e453bacf1

SHA1
2f3c21c26d3faaaf5ea96fb710d2108800cb9efa

SHA256
f29a29a81edfdea36ece02fa5b22ff4ab6c4b5ab03f8295fd7dacf5464554100

SHA512
8e13b824b40b2cc97d22ef2d89c71ee7b1012f7034cdf88edaf2f86cc6e2a5c46d44376712845fc27e92e3ab922f159bf460e16bc857c76364481b36eb670bb6

Download Submit
C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat

Filesize
2.9MB

MD5
560f4049a77df65858b292169dcfc4e7

SHA1
d57078d853074841f38b864e7890d4c2839cf089

SHA256
7999d0441c310bc8bcc7ed86d613eece57a81f4fef6cddf592efae05937785fe

SHA512
db87807b417742dcbc32a9c0bbc833a5fefba8ad28f1703e7ba446a8949c76eca41f2637a6feacb07dd43258ecfe0ef4c9a17576fffd90a9409214d8d95e4de7

Download Submit
C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat

Filesize
2.9MB

MD5
560f4049a77df65858b292169dcfc4e7

SHA1
d57078d853074841f38b864e7890d4c2839cf089

SHA256
7999d0441c310bc8bcc7ed86d613eece57a81f4fef6cddf592efae05937785fe

SHA512
db87807b417742dcbc32a9c0bbc833a5fefba8ad28f1703e7ba446a8949c76eca41f2637a6feacb07dd43258ecfe0ef4c9a17576fffd90a9409214d8d95e4de7

Download Submit
\??\pipe\crashpad_4176_IDFUVFVHIKUXXCFZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit