kutaki | hxxp://simtinstitute[.]org/wp-content/uploads/2024/01/set[.]html

Analysis

max time kernel
260s
max time network
405s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://simtinstitute.org/wp-content/uploads/2024/01/set.html

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 5 IoCs

Processes:

INF_Note.batINF_Note.batINF_Note.bat

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe	INF_Note.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe	INF_Note.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe	INF_Note.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe	INF_Note.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe	INF_Note.bat

Executes dropped EXE 2 IoCs

Processes:

ldxdqufk.exeldxdqufk.exe

pid process

3012 ldxdqufk.exe
880 ldxdqufk.exe
Loads dropped DLL 3 IoCs

Processes:

INF_Note.batINF_Note.bat

pid process

2312 INF_Note.bat
2312 INF_Note.bat
1040 INF_Note.bat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3012	ldxdqufk.exe
880	ldxdqufk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1000 taskkill.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

2532 chrome.exe
2532 chrome.exe
2532 chrome.exe
2532 chrome.exe

pid	process
1000	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exe

pid	process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

INF_Note.batldxdqufk.exe

pid	process
2312	INF_Note.bat
2312	INF_Note.bat
2312	INF_Note.bat
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe
3012	ldxdqufk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2532 wrote to memory of 2964	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2964	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2964	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2184	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2900	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2900	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2900	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2652	2532	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://simtinstitute.org/wp-content/uploads/2024/01/set.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef73c9758,0x7fef73c9768,0x7fef73c9778
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:2
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1376 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2208 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2200 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2772 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1468 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3892 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4008 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4140 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4160 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3852 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3976 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4220 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4384 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3904 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4352 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4256 --field-trial-handle=1216,i,8312028546159996434,7539164674466149721,131072 /prefetch:1
  2⤵
  PID:2008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\Temp1_INF_Note.zip\INF_Note.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_INF_Note.zip\INF_Note.bat"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2436
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3012

C:\Users\Admin\AppData\Local\Temp\Temp1_INF_Note.zip\INF_Note.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_INF_Note.zip\INF_Note.bat"
1⤵
- Drops startup file
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ldxdqufk.exe /f
  2⤵
  - Kills process with taskkill
  PID:1000

C:\Users\Admin\AppData\Local\Temp\Temp1_INF_Note.zip\INF_Note.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_INF_Note.zip\INF_Note.bat"
1⤵
- Drops startup file
- Loads dropped DLL
PID:1040
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9f6f5c6fafdf110453a419a2d1ef615

SHA1
b15532cf6743586c76b3132f3a819d3adde4da0e

SHA256
2e8e67cc24eb2f9eff7ee0ca569157fac97d8dbb2f62dc0b80174b3fd1ca7200

SHA512
1b3960a9d1196d587ed296931fa4907b072b8fdd9f8337ff0c5e610b29d16a009bb75b2516c864f97d12d22724bb1e2b0949b61f87f0cf84e00b1feb6c84d6ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4e786920-6aa0-47cc-a03e-521dd6c16dbe.tmp

Filesize
7KB

MD5
0d16708f9e68c91da09684a0bba12064

SHA1
c0a43adb84f26f3e781a267aea81363a2ce09dc4

SHA256
8f733a67468808c20151cef5f144086955704deeb78b9ca6aaff447d2a743173

SHA512
5f18e67fabca0b7ab770cf67a6576771a24ae04009efae6354f8fcae20c4667fbe5094daa73f4837f21d81502ee76cb43711a4018a298b18a369a414fd5141bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
201KB

MD5
c445ab4315d0633d446998c80764cc36

SHA1
47d3dee9845cc6e29b6771dd6560793b8b93000e

SHA256
5635695eeb70b51c449aea7a5bd3c9699c3c28c64498fb7fcb8173aad45d7242

SHA512
83a32ffdddf3ee56e89f232c8d05a4b00265895b0e41d13700f90fa389f0bf3f112c291c24c3819751803322b11e2ff866971d835d601672b36818c4e099bff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e41ad71f3cebd75c4027580531d79dfd

SHA1
63fa58dbedbe9b606b722f075f3993d256b56cde

SHA256
41745d2a92a65afffa68cc2b7ff2541cb003732a592561c40e6cb1523eaa3951

SHA512
6f034d3c6eed4574943b3e613fb4c9f30d4d03a131d95f80d3c20002414235870c002cd54101c9f503569f72385ebac960635efb9d3d6148397868e2bd885c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
799b6b9d62348c7df5b6ee99be332713

SHA1
acc492978b7174e8811b2bf08316855f866aae71

SHA256
9eb0dcf9712663cf4953a027c0f47f192199abb997e30eaf1103e256897a9646

SHA512
ac1efbab545f42a45a8aa2ac50aaa1da9425f22532c7b2acf9fa280bfc3a37e06bf88449a43301263ae0999d7f9bfcd24f1ba827f4aed8399b70e41fc925c96c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b0274cc25bd0ffcf7089e00bd01cceed

SHA1
6f329f9e6d4da95850341ef955fccfd54076ab63

SHA256
497035298c18b225af1123db78b3c298a947c43d67812ee4ad92382fe49aafb4

SHA512
728780f6d6dcc47072f12c18360c5969660490662e35a0a4239e4842436158507d60370d2ef9a072d9640d90a67629c0b6e8e653f5b30a2f0bc611560cd5f8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0593430799ae5c6b2b93ac76359d6f7e

SHA1
9217f24716f6beea9e7427ff025211d5d0ed1f83

SHA256
14c31c0fc11d1ee706f36a78b37777789d23ca6c1bf02c790a05becb4b3eb0c9

SHA512
82611f72f8fd8ebe2a5f2e9969d56ba5652fe70af7682de4aba08d2fb283d92657a2a2ec8da90d9bcee81e6c03f8e601dd955256fffca1b8d15da182f7f18b08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
24229ea9a1f23905cde7be268e13e475

SHA1
2304ecbf1212b3e6485149689abac11205b5eb8c

SHA256
03c61a3815442500a84c4fac06b4b19f64f3d98df7c91d8c613ec622055c960e

SHA512
2993ec18713af40795e8b65f88d04881248f4cce6773bd66daebc18fe2bc4481c6a7f9cb9e75954b994c0759407093261b343821e2ef5d4c9f5783c06d0552c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
687B

MD5
59ffff6900f00b35dcf5ed34d895fe69

SHA1
12d99dad3d2e2e2681a4641b004c20b781934d39

SHA256
754e745376f7aea53de93bd1459f7f95241df03ef75fd82028608174c0084fad

SHA512
847f024d5b445360e646274dd321505a35a3b84f0ac53f48d92bfdf9db6e749e47f7f4dd6f63a4f1bdf8e931354589b398e50e9685266bf4bd98638bdede1043

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6554717e0824bb6182455eab6686a2aa

SHA1
3be457a9b13957c913a73ed3f04ae54183236d90

SHA256
2233d5b51315e4e595b711923de8dc58446dc1c43635d0281ade977100864290

SHA512
5ca7d4247a502cc060c7a3ac103f31ed5fa20d2f936072f933576a5f15a3b948fc2bf52b9c73a1eefe52e69673fa4954f4341df078988ceed57ece7f70443294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4b1648f9d1e783a85ab2c14391eea68d

SHA1
9dca03ae0c5218bdae472fcbad04b2b91db2489c

SHA256
1991c5c590cc43bbeec5e38310170a912a3b20bf522e7d54119efcfec9272eb1

SHA512
069603b6d2c9ba5a4c43a240355d46aa93488dac7494e4174b65b61a5c2bb6c4a137ed6ab265d4dc0f4f41e97d39030dea250522076a7fed56db4f6bcac7aaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a7e1967e03d4d17f4e8d9fe2e3e312a8

SHA1
dfd68e2252bbf72c7513186e449b4427779f32d1

SHA256
eb20bd9acb084d3cd3fc3f2905802c4388672940b3933387e2c04bb5ee7fa50b

SHA512
0ab62c118f0492e01ab63e2006ddf394e0e22ad1eafefef7adc78654a8d448d3fe1d9c01190df520255522f43b1912ac7f31f5080c0518c6fa5bd790d1086e4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fc2b8a7facdebe2f0f0621bb9334099a

SHA1
06e313e03864e6751600799c2512b9a9a90c2c6a

SHA256
34b5275f518016f9bdb3c8721ca95d547e2bacdc7a133770413683c637ffca36

SHA512
c0262ea39ea478dbf0fff419c11c74bacf11e1a946b7f63ac31953ec1f2cd44c4d820fb324b56790f7a9648ff3b026e165698ac2b19a011349d34382da11618d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf76cdab.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cd13b63e-6594-4ba3-85af-d5c7d5577be8.tmp

Filesize
7KB

MD5
08ba88a5e9414a2a5ab6b96e118a9da9

SHA1
5862f7a2413ee10be959f69fbb0a8a5e7565f359

SHA256
ed49c105f835df7772838aff645e515877295b388a562b4378fa9a0bdd320e5a

SHA512
3033e6dbde622c635ee055aa3f66e2bf0abd3f1b2e338b8e69ba9a7be2bedc3deace5eef370a33943ae17f6e3dfb461ca450ceaf606d6e230918c4d0a3d975ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
82KB

MD5
dc4f3c8a718110daf193810ee1491cbc

SHA1
d0489230872b2139a49778ada1e8b22365b41005

SHA256
0b3bc322fc51e4baadd7361f92b2c8793c2bc13b861d403aff5e4623bc17f320

SHA512
64dd32d5f1a16ffa7d9ba604838a8637729f4cde0981849b7eb0143a97afa80570543c41150f13a092a947e38e23b3c790664cb4e97c2fd7c674190983a9047c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D43.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DE2.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Downloads\INF_Note.zip.crdownload

Filesize
2.1MB

MD5
d417484674d484761d1c45e4ffea735e

SHA1
d4afb397751a815ab9622cbe607ee3fb1ed0d4d6

SHA256
f46ac581f22cc597480f20b3615fa164722338004846eb446f05de8db62a0321

SHA512
80c7ec748971581afa2177efa46cdca4c6ace0ed76fe94b97e7570c10d88e28e2ee1d2f8fe0c5c1988177b950d94f6182d941538c802cf2c43ca8986b78c1ac3

Download Submit
\??\pipe\crashpad_2532_WUWCKZXJDHQWGWUW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ldxdqufk.exe

Filesize
2.4MB

MD5
854c9ba84f8ebe6cd8a5dc006b5380e6

SHA1
eb58139157e3802768f2b824225cde2ceaae02b4

SHA256
f438cf72e19388bb5d496e91c188d62ae52aac834d26cb1bcbde0ba6eb311f23

SHA512
f488891e7baaa0a9c266de052e0e7c5260969e7436c61ad1c71822db96f44a4d09f17e9152fafdfa889ec2cedd0148730a1f9d2f2c78886ff33c11eb060c8660

Download Submit