kutaki | hxxp://doctor-fateev[.]ru/NEFT%20RECEIPT[.]zip

Analysis

max time kernel
447s
max time network
452s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2023 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://doctor-fateev.ru/NEFT%20RECEIPT.zip

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

NEFT RECEIPT.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dprrqrfk.exe	NEFT RECEIPT.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dprrqrfk.exe	NEFT RECEIPT.bat

Executes dropped EXE 2 IoCs

Processes:

NEFT RECEIPT.batdprrqrfk.exe

pid process

3284 NEFT RECEIPT.bat
2544 dprrqrfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3284	NEFT RECEIPT.bat
2544	dprrqrfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133458114027950055"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2508 chrome.exe
2508 chrome.exe
4596 chrome.exe
4596 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

2508 chrome.exe
2508 chrome.exe
2508 chrome.exe
2508 chrome.exe
2508 chrome.exe
2508 chrome.exe
2508 chrome.exe
2508 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeRestorePrivilege	3288	7zG.exe
Token: 35	3288	7zG.exe
Token: SeSecurityPrivilege	3288	7zG.exe
Token: SeSecurityPrivilege	3288	7zG.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeRestorePrivilege	5116	7zG.exe
Token: 35	5116	7zG.exe
Token: SeSecurityPrivilege	5116	7zG.exe
Token: SeSecurityPrivilege	5116	7zG.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
3288	7zG.exe
5116	7zG.exe
2508	chrome.exe
2508	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

NEFT RECEIPT.batdprrqrfk.exe

pid process

3284 NEFT RECEIPT.bat
3284 NEFT RECEIPT.bat
3284 NEFT RECEIPT.bat
2544 dprrqrfk.exe
2544 dprrqrfk.exe
2544 dprrqrfk.exe

pid	process
3284	NEFT RECEIPT.bat
3284	NEFT RECEIPT.bat
3284	NEFT RECEIPT.bat
2544	dprrqrfk.exe
2544	dprrqrfk.exe
2544	dprrqrfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2508 wrote to memory of 3056	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 3056	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 4992	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 2988	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 2988	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe
PID 2508 wrote to memory of 840	2508	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://doctor-fateev.ru/NEFT%20RECEIPT.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2da29758,0x7ffb2da29768,0x7ffb2da29778
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=312 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2848 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5384 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5520 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3868 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3996 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3076 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5680 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5616 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6076 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1864,i,11228584105987248766,13035482019691168594,131072 /prefetch:8
  2⤵
  PID:4252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:408

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NEFT RECEIPT\" -spe -an -ai#7zMap24367:86:7zEvent19628
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3288

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NEFT RECEIPT\NEFT RECEIPT\" -spe -an -ai#7zMap21042:112:7zEvent32284
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5116

C:\Users\Admin\Downloads\NEFT RECEIPT\NEFT RECEIPT\NEFT RECEIPT.bat
"C:\Users\Admin\Downloads\NEFT RECEIPT\NEFT RECEIPT\NEFT RECEIPT.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dprrqrfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dprrqrfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2544

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
f47066b42383c20e158c1c178f7af447

SHA1
3bcc6ad2a496dbba50831726b0ef91d9ae042985

SHA256
2dda0ca5d6b2d7cda4f9d0a5ae7307bc82b6510cb72e1bd81c60b28d0eee2783

SHA512
5fa959cd27f25523812f96dc790285ee35700c4420e171663730decf5c277d5e8b1de2fd8151c347fa40c62f8ec8c0243d5fe5d1d378bce7fd77dd6fec3c8109

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9631e3c157abecaa870d951c2968984a

SHA1
6f28acee1b8ae8d9cd38e92e95abc51d07a862d4

SHA256
537747d00fd5c5981e72b87b203409aac19c0633b8e942b6aac10b18f3d1b213

SHA512
8fbcd82493618467db5caedd263b368e3a21a0e121bcac5c21ac051f5ab0e38cd957947e5d7f369263d5ad916466da9a75917f4ffa3fb77f7183af35a9e2ef3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
593a4a261bc9c82766f4aa6ad31c5363

SHA1
5ec03ebf33a62609d43ae9bd01456a9662241357

SHA256
7a92509eda571ec6d2c1e0c82a0e39ef35d45cb770f951cd769ed54a8727509b

SHA512
d07a72c63854a5c77c0254b37494440e6ab7c6525577c3adb9bdc4247f899e5cd7b366b5fa93ed65b9f5c06ae7dd7cef745df520633ff631a78f58ab6e0bb57e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
99d9e3a8a52a48f142e7010a0fcbe502

SHA1
4a07617892cc6047878600aecebff5d50bd08061

SHA256
f09d29089c43006713b8c0b30160deebb0e701f205c536c0b01cdd622accdc67

SHA512
65c5451415c4470cbd1eef1a2fcfbe0d3fd7074e2d98d24d2988501163ddfe6fd0ac827b23123de6d2ccb18b9d724ba3ac5203de646c445fd11501ddf8682220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0b8f4315a7eba914106973a1f44b7e82

SHA1
863a562515ffddc203620e4ec8ae0b12cf673a60

SHA256
478d67844b3a0b16733dac0857504b5fc39660feec526d380cbebd208ace976a

SHA512
f55c79a243f80feecbff702c9065dc4053f79089d3fc8207b4223e179bfc18eacd9b8b3835dd07b7dc255441919a0bfaa6ac119bd5dd07eb53fd6174647487ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
15e190f2998a2d82cbeffae2b4f8b506

SHA1
5247a1d6e51ef52fc3048eb359c146361f5882d3

SHA256
7a8d7df0eefa26b4566211854148185cc538d1a1da139ccb2a31f0313246070c

SHA512
c8826c1098ee5d26a88c813312b3f9bd436b25932d203673e098ba302254ff68cd4b3b47bec4a3c9ef3c189ff9bd83caaf9a3f4e53ae7399dc1f6fd0a1d9abc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
22f55fada5647ee12ccea68a500e2725

SHA1
9ebba06c2f1488280176f5070c15fed834f76f42

SHA256
7605bc4d464a74942fc128c78c19442e8cbf052274b08f3b27e24b91ae078e96

SHA512
dc54df7f28b0d603b3b12fa81cc771b795017c4acdcc86c987780627cdea48d33ea3fd3bb9565e31b78436ce90463a4640e64dc57016add03df7c994e86d35ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
a017a3b3c950bea315047fd5ab7e95f2

SHA1
0c91d92e65fcb9c929c681c98b752bda92c112fb

SHA256
cedc03f5186696901a2cbaf10acad5ed74546794c51767aa40f0b5d37eb65353

SHA512
d20746db13ddf28fced57e10b9d4030bd263839fae6be04a924915a7ccb045b63637dd1ff86a49811635b2ac7bbd8141020689e705579ca36ac92aa32acafbd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ff977b6ed8a0da5940399707b333bf2c

SHA1
7e989f07f7a2c44a1d81759543d93b7b20111633

SHA256
9638c28c5393ce4f4f342d71c452be2aa9135e1ce010a3f4f077f902e607d9bc

SHA512
a79aa80acecdf8888e31e4f59841add30d398601f84ac9e22dbf40ed235f93dc4d99e53e5df2011311475fb63d0dfddc96e9a2e60ebf5122d96a94b7e0dc1c46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
281c4874ad8ce7895dc5a027d4dfd518

SHA1
2decb3acb5e5fca8546b97c5f9ce831fbafba43a

SHA256
8119b36b070a59813a5e397f296abb02f8ff64edd76297ed09dcb93f2881383e

SHA512
70dd2ecbd487eb14edc2acc349b37a50716641dbffddcb248aad896eca54a98f5297b6b72c08660eff99e7b9a4bd8f08f0d0e24a2b9877ffe7e47e4414100f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5dcd178661ed6d7ddfc79751dd14007d

SHA1
9e9b2f49feaad73205fd67d69305fc4967dda7d3

SHA256
baed49e4e86def761a2e656280e242c8841a40fad6228c7b95941628186aabbb

SHA512
5bb20b4c359377de3d4702255085a97555f2a0826d5936acb6d7a9d1c107317b48cd4d2ccc73dc2c0dca921e75b0b263e7cff224b0db560edb6740682f1b2f69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8eb4dd25a7fc8c8c5fe3789db2c0bfbf

SHA1
358bbeede4706a5d42e0ebd39c57f0c6bb37ff34

SHA256
f017059099c81b5500c8930d87659318c9538784d0c55629a4adbeecedf9ee73

SHA512
563c6e3cd9f78f6d960641881d522966b5df2ee3853c4a09b91aaed248acc4b2c5ba2de5ca9e068c405971afcc115f6f978b71b1ffa0af693950756feee905bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d1d57eb040e3a1f26c4d191955b12200

SHA1
678311de2e724939ab428cad5fe95728040160b2

SHA256
949c5e3f6826d1759ba94cdd2b8a7084588ef870f976b3c652c00201a53f299e

SHA512
5b4446320c6bc453bb3f4f559d30bae972c6883d71c6d8bdd224abe3c0e250555a1a5fa33722238f46157071c04a0ada3c212e825d97374ab0d600043e2dfa34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a1a30.TMP

Filesize
48B

MD5
377dc621bbc91c051930f3c3a4aace1e

SHA1
5225a503d55aef6bfa95147f4ff131b78386692a

SHA256
b49dd5b0ad973946b45e30d2fee89b7955a3eaa71acf8136afa097cc388b9441

SHA512
ca6af97c099be7ae5091d18a93ee26db072c4c0537b74e98538fcffc6cc5f0bcab730f0b2b49b28906a62b447305f654fad6f53f4437008f99090c1006699fac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
e82210461301d86383c2f1eef07a8c83

SHA1
26f3446cb0c18b1a178a69cc0d37f538d2ae0537

SHA256
5a96819b455f2193e0fe3abf4ea9fc0ac67749b4e75dfd83c1b27bfea9a47423

SHA512
5090adaecc83adfc35e83f771e41bf49dea38eede428eae30dee8b4aa496516f90c4cec73cf0b4a2a8643db9e8adda103bc1734e981dd1f083e72f38a25cba33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
964b84c69b28ec1ab5e748344a036fbc

SHA1
023a4a6edc3b3ad4f5ce4311258d38fb80cb8582

SHA256
a529197d2bb0df895b5ebb1a3e2d97eaaaef718ac942d180f7f00c7333b946ff

SHA512
9c297f8252dfaeb45009fe9e79e680a4172ccaac5e6792a358e9f2e9f7fbe9e89a1874d5ef02d68210f5faee0a6df8c1b37b4d17a814895eb5687e891287e1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
b578dc2a195af45de6ed3eadba83becf

SHA1
5065dbd2173e19b1326fd0465c7ff518cfaf278b

SHA256
112a805663fb67943817ddf7721c6a4feddfe6eb1103a38f051f6a661942a5a5

SHA512
ca8ea26a7812b414604ad13a579d67075c2359e14bc3e57c64dc61cb30a122609d23342da836a6e538076888c7eff1141e725076d689230c018f595a7212224d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5c6132.TMP

Filesize
107KB

MD5
5b7c35222a1f69afacc916924e059386

SHA1
99a74e7695691e743f14587bac72e7da7ab7b656

SHA256
7ec69738472f2a77b6e0dcb3c9d50ca3837b4bfacc95f352e259b8a52de8ca64

SHA512
aa4435917cb8a14de371b8ea1f41b7bec1a5e09c05d5bba6e330cae55c0a9b3fdc3e6d3afc3c038633e9cef513ebd448e3d16d680df8b579f1f4bc1d287a0ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dprrqrfk.exe

Filesize
2.4MB

MD5
5ee81a84ebf389055aa233770b09a710

SHA1
45fe4367dd86f888a70e0c82b899a6602596bfff

SHA256
0ee72014a5767e3f99297e27fb4cd66fd8cbdf8577e494e9eb6aea61d4194626

SHA512
9208ea252f5d899fb7337052892175241bb2fa9c4943113f6731cccabb2a36dd94a44299b2e207fa760df303b53171af309a7c00580bfa0b7f67896054eb54f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dprrqrfk.exe

Filesize
2.4MB

MD5
5ee81a84ebf389055aa233770b09a710

SHA1
45fe4367dd86f888a70e0c82b899a6602596bfff

SHA256
0ee72014a5767e3f99297e27fb4cd66fd8cbdf8577e494e9eb6aea61d4194626

SHA512
9208ea252f5d899fb7337052892175241bb2fa9c4943113f6731cccabb2a36dd94a44299b2e207fa760df303b53171af309a7c00580bfa0b7f67896054eb54f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dprrqrfk.exe

Filesize
2.4MB

MD5
5ee81a84ebf389055aa233770b09a710

SHA1
45fe4367dd86f888a70e0c82b899a6602596bfff

SHA256
0ee72014a5767e3f99297e27fb4cd66fd8cbdf8577e494e9eb6aea61d4194626

SHA512
9208ea252f5d899fb7337052892175241bb2fa9c4943113f6731cccabb2a36dd94a44299b2e207fa760df303b53171af309a7c00580bfa0b7f67896054eb54f8

Download Submit
C:\Users\Admin\Downloads\NEFT RECEIPT.zip

Filesize
2.1MB

MD5
d259d10134ce1f45df757051b2b1accb

SHA1
c4c4260ae42e0522fab0d5696631fcfc0a2c665a

SHA256
3e32fbdd6075589abb8619e1b1a95058a01d62750525dae10a89ea8112e16e0b

SHA512
7c2df714593559bb417b7d95dc525ea096d8e49764ffb59b26e438ab65a3f467c8868db561100df21c0ca85a0559138ee304146bb433fd2b6d101cc7c3b1c34a

Download Submit
C:\Users\Admin\Downloads\NEFT RECEIPT\NEFT RECEIPT.zip

Filesize
2.1MB

MD5
43bfb670cfff87ffdb8febd6da7513fb

SHA1
a232eea674cda0f71751eff2a6571a8e9602d2a7

SHA256
dec7a59afa017490684a8f597635acdbe964762612f6924bd5f2361605ada714

SHA512
2dd21b31186799592905f1371b32b0dad0f3363ed6af50895503fc30fffb0ef6541fff84782f1277bf2f3f658d180fda8376166f5c758d97557469005dc1aba7

Download Submit
C:\Users\Admin\Downloads\NEFT RECEIPT\NEFT RECEIPT\NEFT RECEIPT.bat

Filesize
2.4MB

MD5
5ee81a84ebf389055aa233770b09a710

SHA1
45fe4367dd86f888a70e0c82b899a6602596bfff

SHA256
0ee72014a5767e3f99297e27fb4cd66fd8cbdf8577e494e9eb6aea61d4194626

SHA512
9208ea252f5d899fb7337052892175241bb2fa9c4943113f6731cccabb2a36dd94a44299b2e207fa760df303b53171af309a7c00580bfa0b7f67896054eb54f8

Download Submit
C:\Users\Admin\Downloads\NEFT RECEIPT\NEFT RECEIPT\NEFT RECEIPT.bat

Filesize
2.4MB

MD5
5ee81a84ebf389055aa233770b09a710

SHA1
45fe4367dd86f888a70e0c82b899a6602596bfff

SHA256
0ee72014a5767e3f99297e27fb4cd66fd8cbdf8577e494e9eb6aea61d4194626

SHA512
9208ea252f5d899fb7337052892175241bb2fa9c4943113f6731cccabb2a36dd94a44299b2e207fa760df303b53171af309a7c00580bfa0b7f67896054eb54f8

Download Submit
\??\pipe\crashpad_2508_IKFIQLMWONQEIRMF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit