kutaki | hxxp://engineersyard[.]com/wp-includes/images/crystal/lfgnc

Analysis

max time kernel
388s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2023 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://engineersyard.com/wp-includes/images/crystal/lfgnc

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Payment_Receipt.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzqblkfk.exe	Payment_Receipt.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzqblkfk.exe	Payment_Receipt.cmd

Executes dropped EXE 2 IoCs

Processes:

Payment_Receipt.cmdfzqblkfk.exe

pid process

448 Payment_Receipt.cmd
1528 fzqblkfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
448	Payment_Receipt.cmd
1528	fzqblkfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133385592707751087"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings chrome.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5004 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1740 chrome.exe
1740 chrome.exe
1716 chrome.exe
1716 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

1740 chrome.exe
1740 chrome.exe
1740 chrome.exe
1740 chrome.exe
1740 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	chrome.exe

pid	process
5004	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeRestorePrivilege	1716	7zG.exe
Token: 35	1716	7zG.exe
Token: SeSecurityPrivilege	1716	7zG.exe
Token: SeSecurityPrivilege	1716	7zG.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe

pid	process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1716	7zG.exe
1740	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Payment_Receipt.cmdfzqblkfk.exe

pid process

448 Payment_Receipt.cmd
448 Payment_Receipt.cmd
448 Payment_Receipt.cmd
1528 fzqblkfk.exe
1528 fzqblkfk.exe
1528 fzqblkfk.exe

pid	process
448	Payment_Receipt.cmd
448	Payment_Receipt.cmd
448	Payment_Receipt.cmd
1528	fzqblkfk.exe
1528	fzqblkfk.exe
1528	fzqblkfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1740 wrote to memory of 5028	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 5028	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3368	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4244	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4244	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4784	1740	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://engineersyard.com/wp-includes/images/crystal/lfgnc
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b1ca9758,0x7ff8b1ca9768,0x7ff8b1ca9778
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:2
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:1
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:1
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4564 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:1
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4720 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:1
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:8
2⤵
PID:836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4020 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:1
2⤵
PID:3696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:8
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4748 --field-trial-handle=1880,i,987497424550448071,14277799794266104797,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap70:92:7zEvent15426
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1716

C:\Users\Admin\Downloads\Payment_Receipt.cmd
"C:\Users\Admin\Downloads\Payment_Receipt.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzqblkfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzqblkfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Payment_Receipt.cmd"
1⤵
PID:5060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:456

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Payment_Receipt.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f62dd41f22af9dc15591fecf382da15d

SHA1
a5677fd26666330aa88475d9e537d05b89686698

SHA256
86fd1969576639e914ff10d3538a6585df1ec3725e357d1cc590066fa657dc20

SHA512
476e69c063e24c776dc4fc5bd8f591c4ad24d0da4cf59c419a8938d62190fcc1b4d205568cd18e6f81d40d277dcf388e2730ba929aefdcc455dde40742a9788a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5b92de8997a36b8c45caf1a7a9dcc503

SHA1
6878096bb7aeffc753ec28759d3bc6e620eb2e9f

SHA256
2a4554d1c8e6436487fbed90d3b37dee62da3ca09964134748716cc7c8064f27

SHA512
ed9d2d495fc65c219cf93d0dcd6b912a5356d6aac608be76065df8ee8107ac6f117cc90cd2941d0e5c533c674199241b86e9c58944554e22a7531dd95c7755dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b6188692fc615612f395061aa678a0e3

SHA1
74216c8cdc03eca5d9247c2926fee495890e1ea2

SHA256
5a48ba3b3b0ff2a7c793fc1adc6697d90dead00b16395ce20b53c09916171a9c

SHA512
53dd211d440c36b291b45f57dd093221b6212d0a01c3ad65c39d097eb1af8f7c9f75a09db408d1f1e6fceeb77ec8391fc24f6dbedf74e76efdd17df36e689244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
97KB

MD5
7084d0365180e817db08011613a38efe

SHA1
4d5f65897495e2273bf13d15fab7f07637bcab58

SHA256
c4778dbf9dc1d21f3522211ad0faacecbedbaa6c13d4565b8acf30a958c513ec

SHA512
3e0e1e8b89b290a5ba11d144e5db0b28a5c9f9a41a645834dd08525aeb3ce84ca25075646c734d0747266ef3b4d70b2d9b2781ff0978ee116173dd3b010dad43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
97KB

MD5
ad663bc969ede852e7566940696bd4da

SHA1
ad7b2dbe1e4f7368936eaf566f84fbc698a17fd4

SHA256
2b600e0288c9181365fe63c86877d0f7f227db818a86e8dad093012568255022

SHA512
68bf246b13526bd1a3e88bed15938d4047a93b08e229bec9dbbdf3a0ef6986457423fe05955a5943a23f864f6c5c34208518acd4b08df7a60777c2ffa2ef71ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
b4cecd353bacd093da857198cb8e03e5

SHA1
5b3db99deb47806d31019818e11af9fd12b81019

SHA256
bc0a8319e88ed1f1888177423f53eb75caddc72d28e376eab211f8d1357b0d0d

SHA512
ff6dfa87dba71ad4122a220ac489ffd33f0848f8a0b8dcfc2d9a739a78ac79e340d312aa215a36d88bb4ea7def7a6a1e83038b7703a55b959bff978a1a4d8c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzqblkfk.exe
Filesize
2.4MB

MD5
49da6d69f825c8723f3549d0248921fa

SHA1
a4994443e9441a9315f27d07d46e1c4ad952c146

SHA256
f5960dc9a89da73d8b612e94145ec5664082dad50514071a54e4cc7d8a7820ca

SHA512
0b8c7f0e5aa7146303e354443254761d3cf16a139b3294de366fb0a1f756258307b7eb445e9e8138359e2c30e428afacbd939dd6cc8d61a57cebc78e6047de85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzqblkfk.exe
Filesize
2.4MB

MD5
49da6d69f825c8723f3549d0248921fa

SHA1
a4994443e9441a9315f27d07d46e1c4ad952c146

SHA256
f5960dc9a89da73d8b612e94145ec5664082dad50514071a54e4cc7d8a7820ca

SHA512
0b8c7f0e5aa7146303e354443254761d3cf16a139b3294de366fb0a1f756258307b7eb445e9e8138359e2c30e428afacbd939dd6cc8d61a57cebc78e6047de85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzqblkfk.exe
Filesize
2.4MB

MD5
49da6d69f825c8723f3549d0248921fa

SHA1
a4994443e9441a9315f27d07d46e1c4ad952c146

SHA256
f5960dc9a89da73d8b612e94145ec5664082dad50514071a54e4cc7d8a7820ca

SHA512
0b8c7f0e5aa7146303e354443254761d3cf16a139b3294de366fb0a1f756258307b7eb445e9e8138359e2c30e428afacbd939dd6cc8d61a57cebc78e6047de85

Download Submit
C:\Users\Admin\Downloads\Payment_Receipt.cmd
Filesize
2.4MB

MD5
49da6d69f825c8723f3549d0248921fa

SHA1
a4994443e9441a9315f27d07d46e1c4ad952c146

SHA256
f5960dc9a89da73d8b612e94145ec5664082dad50514071a54e4cc7d8a7820ca

SHA512
0b8c7f0e5aa7146303e354443254761d3cf16a139b3294de366fb0a1f756258307b7eb445e9e8138359e2c30e428afacbd939dd6cc8d61a57cebc78e6047de85

Download Submit
C:\Users\Admin\Downloads\Payment_Receipt.cmd
Filesize
2.4MB

MD5
49da6d69f825c8723f3549d0248921fa

SHA1
a4994443e9441a9315f27d07d46e1c4ad952c146

SHA256
f5960dc9a89da73d8b612e94145ec5664082dad50514071a54e4cc7d8a7820ca

SHA512
0b8c7f0e5aa7146303e354443254761d3cf16a139b3294de366fb0a1f756258307b7eb445e9e8138359e2c30e428afacbd939dd6cc8d61a57cebc78e6047de85

Download Submit
C:\Users\Admin\Downloads\Payment_Receipt.zip
Filesize
2.1MB

MD5
bf63fc45c319a29cfad91418a47e0936

SHA1
3a659779ecd57473b596b4a047a62fda9f2f672c

SHA256
77dfba9b6f16d20471d46be4faf4b0c7ce5be4b95e767d809ae5b71bfe6b57c7

SHA512
72fa66028808f4b6384491b5cdb2b46e574394ba57d5a38e2a77c03c8c26371a54af8f4f83944bfde191dd3d1b1cac0ee613f9c0bbbbc3b48b53598e8e93ef6f

Download Submit
\??\pipe\crashpad_1740_ZBKYSMABLWYQCKZA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit