kutaki | 6e58e550bd70d90404f4dc31665b65fe94e7d0b522d523b87e1202df1d42aff4

Analysis

max time kernel
1200s
max time network
1208s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2023 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rrer
Size

118B
MD5

7df22483fc28e11687de7b6ae3dd8112
SHA1

7e8ea44249c9d32827380ab197da96e7579108da
SHA256

6e58e550bd70d90404f4dc31665b65fe94e7d0b522d523b87e1202df1d42aff4
SHA512

c8fb3e2ae60ab8a72adfa680ebff102480fa36a5a7ce69cd06eea0a381b24eaa5cdeb1acb95b16f44fa4a82e3109d7e6938d1530440a7018dffc065bbd49c157

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Invoice No 88404.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wjoqztfk.exe	Invoice No 88404.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wjoqztfk.exe	Invoice No 88404.bat

Executes dropped EXE 1 IoCs

Processes:

wjoqztfk.exe

pid process

4744 wjoqztfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4744	wjoqztfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133349072242464786"	chrome.exe

Modifies registry class 2 IoCs

Processes:

OpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

chrome.exechrome.exe

pid process

2368 chrome.exe
2368 chrome.exe
2368 chrome.exe
3944 chrome.exe
3944 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

2368 chrome.exe
2368 chrome.exe
2368 chrome.exe
2368 chrome.exe
2368 chrome.exe
2368 chrome.exe
2368 chrome.exe
2368 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

OpenWith.exeInvoice No 88404.batwjoqztfk.exe

pid	process
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
916	OpenWith.exe
4620	Invoice No 88404.bat
4620	Invoice No 88404.bat
4620	Invoice No 88404.bat
4744	wjoqztfk.exe
4744	wjoqztfk.exe
4744	wjoqztfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exechrome.exe

description	pid	process	target process
PID 916 wrote to memory of 3980	916	OpenWith.exe	NOTEPAD.EXE
PID 916 wrote to memory of 3980	916	OpenWith.exe	NOTEPAD.EXE
PID 2368 wrote to memory of 408	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 408	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4716	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 380	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 380	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe
PID 2368 wrote to memory of 4388	2368	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\rrer
1⤵
PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\rrer
  2⤵
  PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffcef819758,0x7ffcef819768,0x7ffcef819778
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4676 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1016
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff654c37688,0x7ff654c37698,0x7ff654c376a8
    3⤵
    PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5032 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2824 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3800 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2316 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1496 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1680 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1064 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2372 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5540 --field-trial-handle=1884,i,3609870856841970021,10670050512219104829,131072 /prefetch:1
  2⤵
  PID:1612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4752

C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat
"C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wjoqztfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wjoqztfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4744

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Invoice No 88404\Invoice No 88404.bat
1⤵
PID:4176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4912

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
2f615d7ab24af5420c5a34acf1a0e370

SHA1
0618a27183bb10c43364e5a69d51534e4a3a3a07

SHA256
c3b9e003feecb37b9ec27d440bd466ab9a656e0ccf1dacdf75f7762915622f56

SHA512
bf6ff5ed88c506fd335c10dc70b35ab6595f6f1057b4a9b872b928d5cddd784e187698ac6c58dffde79683d78a6b5cc758eef1c48afa2a19633fe27b4d4eea48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
2e1a42c2db6b34f7bc0dc6937f6a18b6

SHA1
08087b37c9a96695e298467e390ee5fd1ce62a11

SHA256
1afcb9cd6c1e35667591eff00ddc2e4a8143fb79472d419a6cf7277fe9e9c5b3

SHA512
5532581fc83a704ab86117ccd1cf83c5ced68cb61630b74e67d70b2bd9ab9c09a8288a26cadf002223dd61fdcd237031575b7a18596672397d9a98d32bf42731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
248dccc6a8982ec77d2ce85dbdfc3285

SHA1
323ef8fb77b381192b4e3006db01193a9774baca

SHA256
f54c5babe1409dbede348aea8132c8896740e0b177a699939f449430971f7e68

SHA512
7be17f307b54801ad4312f9a1ff346f70ca8e819092fe41ea352c3686de7113330b3611ef3f6071afacad1058bd24db8573913587e206d1f379d9c3819369cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
67cbff933232e4283a32b5c460a605ad

SHA1
fb444d731dca4b76ed4c7157e21f7b83b8ad07d4

SHA256
47dd6df21a6c29cce688d7c28e6f1944578be29fd70d1bfae637d00ef720dbe3

SHA512
cef4632f3ff75ae954e27ebf1c62859e497e70f5be24bf09f8f76d6db48564f42818d8b1177cab464d3282a249f76d9292b561f5866b7dfae47d006fc4a4272a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
433a0a388c6ebfb2504cb21f860c6c7c

SHA1
43ab9bd352f4734abc7ff03530a58ff125a1a76b

SHA256
ba9a69672d3daac9c46c56e8c0f820663f35a1f1e79a912e5cda8c22b1ff9839

SHA512
b31d3fee74bd8473392441c4865be088a374da6fc8706349aca92000881351366f81d1caa39c8b41ca4c4324cb08c09bca44bd517e6772c82d6352ca540f7f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2ce2992f0a189db19a1492de580a4956

SHA1
54af8303d2d00a1e6113e9db86a3a976c002449e

SHA256
13181cae10285ca4f1d9c9a25c2f5c7e3a6aca4ef239472c374ec97f9a0de23e

SHA512
f8c403d8b3ef5d1cb7985511995cd99725289db502ec679a448a8412b12f54eb971b9c4f36f368a229140779e9201ef1b0dc72a3440041d181fe8cb800864e59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
2f0fe5d3ba0ab303a236cfdef188baa6

SHA1
2c87bf9bcbdf4ec2b876ddd3acf9a3bf50227dbd

SHA256
6d85921fd8b45aa0626f272173aec4e5d86401cf0cd3650c74a10e6c24555248

SHA512
b541c2c015f38e2d75e7f27f5391bcf5258d10a9157ade88f48ce15ce4fa9c51c09a85ba398258fd8b9e7cdaa87953f8e1cc2da4c67bce41a7a115caac3c6793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
07e7d07468904df5b4d4dc9d2a5bdce4

SHA1
6d3fb520c09f135f0f7bbfb647d6789f08b810dc

SHA256
c65c32f7ccd0baa8253bf158ae5e79dcd853f20bd7da671cf9b09d7ddba174cc

SHA512
15c2a7784c81282b64ca5ff0e5229292f2fc918c55c424e8241ec2cd80f8ef0917fe859ae2996de3f444c59dd470c5c75acf1a1089c75d0a3aaea73e0788fd6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
727fb9ec0cdf85c372797df8c33eac19

SHA1
5fdf28a9ff73ec3826d78999c5dc869f1dcc96cb

SHA256
b8f0d8fc355c5282c69537f56d03906cce08aa8557b30f7ac168357cd7b33e72

SHA512
789c47eb43a6449d636820938c16376a67254fa56a6a81a5b8ef13cdfc547b51e92852cbbaa2c48483a6b5ee67e3c2fb2e87c1aa9003cae63b234dd9ef9b0bfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7c95cd518ff2872f13934101419137cb

SHA1
1d0b115b0f72e6aee83f44abd56245f679fff7ec

SHA256
8ad27671e9998884c08119ca54111f6020def7b5f1398d5c314bcc9c321917c9

SHA512
00dafa8d50c6bec427d1e0753317e734658db2eb9a9efaeb6d3362226f542894c5dee4dbf9c71b43519ff9ac57cf54103664216e768e0d6466945d15a78ac171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eacd9bc3462e56edfa3ab49f0b687b3f

SHA1
dd0439fd22b8674b7d788792d0d7b9de1c5dcc86

SHA256
893107a299d308f6a4a9bd53de5e4b39fcd42be612f461e6287c6a3730cc9f04

SHA512
be1fc3127b3eadd0972eba50f607ff5bbaf3ef51cbe38324762a84158693e7b474149d924a0b08a6d505332d49053bffc0c969958af3fd432a538a3bc3eb6e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
182a8a03b01588f52e8fdfbf631951c5

SHA1
1a15d7cb25c3b0451f048871729f7ee9b3f38971

SHA256
b0c70c0aa726af547544825c91ee6a8a07dd8fceeb288f4e1bb5de0743f465b8

SHA512
089a9cd46a64bbd12852e9a587c0d541b8fa680fff059ecf6e9ee86113845e0b49c654c81608f38488e5458cfe1da2e99d25e4941d1f9210f0038a885f4e0e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
946577618bc2041bb3e0c742540c78fa

SHA1
671ec2548f01bbeadbb2cf4352e8388aaf610935

SHA256
3cf76a05deb7a17622810a56e12ff5439c84dea9156c9f6d58472a056470bab7

SHA512
18cccd8bb5dbf2315bb00934306e44b8fc337987dd29bde9f65c88a6c3a546cf69f8473d82f3d09dd38fe4de69cb801bd83ce4bf8e343f38e36dff7e5b427a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
405d90420867bf257157719c89f0b143

SHA1
15525fcd2802d7bcf62ee982f10f5260802958d1

SHA256
c3a5ab3d313570cbff63c9ca44a8382ac3f5abd80bd504a335e86bdff41b44f1

SHA512
798aec0d386db27825d814fe47697f048a45673a0f612676b564ba645620d2009d70c11fa83eb754f771144dc2a59f46ec5e1b1a4e61420b369b804ade8edbfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
752af90da54d6cc6343f71c08154c1d6

SHA1
c43731501a16aad50c675590ac7b77efd9f3e96e

SHA256
2ef2ace1b8054074be90fa1d2c558b6989b5f0f3df2dc3e4c123b746713a6ff3

SHA512
b674607c577ec143b374d0357f16b57643662d3c6362f7c8170f7e271a9fbd8b1d487f4706e9fe529ef375b31b61e8a9d5908e355ec98972ab3274d2d4b51eea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe652f49.TMP

Filesize
107KB

MD5
288a02fcc02aec16ce4d4d7d8f6dbe98

SHA1
d1de8f10d90a2405fd51f1f4f307b5cf513a83f5

SHA256
6c96c406874bf4ff5b46371e8646412e1e16cad24e93c12d2066fe7cfe16a111

SHA512
cd8baf91ae9aafb7190aedbe2cfe3beb624db5ebab508cf20e6cd355e5e683f60d242260e302688be3a790581438d22de321495d03435337428fadc3c64c50b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wjoqztfk.exe

Filesize
2.9MB

MD5
560f4049a77df65858b292169dcfc4e7

SHA1
d57078d853074841f38b864e7890d4c2839cf089

SHA256
7999d0441c310bc8bcc7ed86d613eece57a81f4fef6cddf592efae05937785fe

SHA512
db87807b417742dcbc32a9c0bbc833a5fefba8ad28f1703e7ba446a8949c76eca41f2637a6feacb07dd43258ecfe0ef4c9a17576fffd90a9409214d8d95e4de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wjoqztfk.exe

Filesize
2.9MB

MD5
560f4049a77df65858b292169dcfc4e7

SHA1
d57078d853074841f38b864e7890d4c2839cf089

SHA256
7999d0441c310bc8bcc7ed86d613eece57a81f4fef6cddf592efae05937785fe

SHA512
db87807b417742dcbc32a9c0bbc833a5fefba8ad28f1703e7ba446a8949c76eca41f2637a6feacb07dd43258ecfe0ef4c9a17576fffd90a9409214d8d95e4de7

Download Submit
C:\Users\Admin\Downloads\Invoice No 88404.zip.crdownload

Filesize
2.4MB

MD5
dbe37e700e7f1424e255629e453bacf1

SHA1
2f3c21c26d3faaaf5ea96fb710d2108800cb9efa

SHA256
f29a29a81edfdea36ece02fa5b22ff4ab6c4b5ab03f8295fd7dacf5464554100

SHA512
8e13b824b40b2cc97d22ef2d89c71ee7b1012f7034cdf88edaf2f86cc6e2a5c46d44376712845fc27e92e3ab922f159bf460e16bc857c76364481b36eb670bb6

Download Submit
\??\pipe\crashpad_2368_CFUOUJRYKALZWSSO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit