kutaki | hxxp://drk[.]net[.]in/others/tools[.]html

Analysis

max time kernel
269s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://drk.net.in/others/tools.html

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133518559566392535"	chrome.exe

Modifies registry class 34 IoCs

Processes:

chrome.exechrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f9aa35e8552fda017133fb9f5c2fda014c71be4e6c5ada0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
1084	chrome.exe
1084	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

chrome.exe7zFM.exe

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1884	7zFM.exe
1884	7zFM.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

chrome.exe

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid	Process
4804	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 1084 wrote to memory of 1604	1084	chrome.exe	83
PID 1084 wrote to memory of 1604	1084	chrome.exe	83
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 2328	1084	chrome.exe	87
PID 1084 wrote to memory of 3860	1084	chrome.exe	85
PID 1084 wrote to memory of 3860	1084	chrome.exe	85
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86
PID 1084 wrote to memory of 3712	1084	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://drk.net.in/others/tools.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd9e79758,0x7ffcd9e79768,0x7ffcd9e79778
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:2
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4564 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5644 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5868 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2728 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6004 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5648 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5816 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5568 --field-trial-handle=1880,i,9618831719918923269,15928094097552431141,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3948

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Debit_Invoice.zip"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Debit_Invoice.bat"
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
193KB

MD5
7fe2c36271aa8065b034ce9efdbd2a07

SHA1
e22ee654cb122d0d62393dd8d6753d2bcad148a3

SHA256
02cf672988303d8fbdbc7625f54596ece6d83c78152ca6e1aa332fc8c75d5c34

SHA512
45d53a09ced29138e2f99e0e8a293322050f8032e006df06315ac9af2f1ab64d1c767ea5db53289bb5881a4866061299e5a60cd83753fe6ba88e8de7562706ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5743ac7f9def28c27899e8db03028132

SHA1
46b50982f40af8582953e5e7c38d860c49e6b053

SHA256
2e54ff6a10c9dac1220e051bb550861902712e6ac64fda23bf791524d271dd5c

SHA512
bc1b5119bc30ab42361b595bb0733ec815f75e85acde86b6ff4c0013ca710be4de99cd5f9a5ccd83610e23d8d1634f6a5917b78695b36c240eeb57a25f30f8f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
6e347766575f0d7c3e294f8436783905

SHA1
0e5ea70bcb0fa1623083472ca59c362eccd6005a

SHA256
9c1bbfe5b667945ee145e7700397952c61b44c52b527817cea080777342d3fff

SHA512
7fb13e76498046c10d0123db5d2235c983b709780fe264bd124c599846fb741cb1b7d201c061c70062308b281fcdbfcc70a9dbbc0b72cc825efad3fc83e081ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
726fa6eb97c0ac917b71ade8c7ffcd4f

SHA1
028fd33de472dece083c036195dd7510bdc8165f

SHA256
2733ecff814a8ece8b26654340b47691f04f8d0ce2b09f7b3b61ad6a2171eb4f

SHA512
1e9c19d783c4fa270517a3194854ee8061e5e456d1a37a48cf85d8732d01919f4e5eb7d1db45f5d685803156de2c14113b3266488a51c961efb11e2f1f9a290b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
299af3dfb63f78b657301707a89d7c22

SHA1
179a96c4f45d63e9678de8ecbfeca936e34c8a50

SHA256
76083cc151f6bd96389e811be9d3890b671a4e51637d0f5b96fe1f50758a4467

SHA512
ef0fb496053a67058e02bd0166b6737f141fe9157f5648448c9c20d0dd3e3d39ef644f59cb5d2d7b6e566ea7d0955cd5fc67eedbcdd50e6f8579c6d44bed4943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cb8cc677c9b772a474ffa249738e61c7

SHA1
954e760391f83a04925f353c65bdd1ea8db60ae1

SHA256
9687c9cc6810d1bc5591a52084494e0a22c96cf4207976690aa6744c99155d9b

SHA512
7f51c9ebb79ffe720c0177bb3f75de3c8daca67e2a4ca08ad3fcd9d8b4cd6f32aa6f9a843aac05bacea2731eddb80826961b7e670b7ce093d25252f0e05100c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
daf48e9d311a1826137577ae4b2398b7

SHA1
3358bf57bbe5aafcdcc923e8a601c117b12d1a41

SHA256
e8fcefd37397ec4401a0f769c30cfeb49058aac002066239f6a7041baed622d3

SHA512
d1b1034450e263c377827f52146312bddecf10d60668971b5a60d03eb4dc12980c35ea8154864cd1b62991e3ba91ef1d481971463adc693312d127c33e444374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
4fb8a7b9b68ddf37a132a0e8b92f5e0c

SHA1
2e4399dc029dbee57b1c4394ab112ab63cb61b78

SHA256
6b15f21beba1f533af2d49e2ab7e84d498ce7bbd25a16c5fd1e9d33c92ec459c

SHA512
9abc658e035e804124e1c271b35e59f5d5d76cc5b36f3d45ef70891ade0478e9076eb25ae621c43cb6c83eda9eaf168dbe23182ed143111e869d4686c61747a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bc158359691ca3fc3b21355642db0d49

SHA1
1c7041ec9a70c8010429c4783ac67f72b152a85a

SHA256
d54acbb47bade39a747e38f7d464bb2e7ce9b4717cc7b80a182b363c2cdc776b

SHA512
192d6d8e0097d66d8286a56b1f1ad9697e54b68737fcabc39f51a2ec62f25a77a87566cd337c98b2c15874258af148c4d2bdde8e8d5c313210f0628466727196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
74b3bbe9a45ab21b1d528508ce364b9d

SHA1
1732f1817522839de55c93ad001ddf3af19e9fc6

SHA256
89910df590c5db122cf467e98b76ff5eb0d7c3e408c428aaa0228dca575ea914

SHA512
b3af4e7efa83efbde62ef1cabba24a1179e4ea0d6fd4a7b67d4c727cd5164c4b7351fd6f1f2e2942f6a101b71b707851e189ee0027d7237387b28e22f2c561b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
53494c6a56f94c74f367238f8c63e269

SHA1
9e7e587e96f7cedee0df3410d9b1d8e906a7032e

SHA256
2be12234c3e568d3cd94bf158af5f7ce2316e2724a620948500756a5da162588

SHA512
5d0ce41eba83619db7250fc3098f226c55ba34559e5e165ba6942c42de0db5d3fe0f69ff1dbf1ce36d8c2dcab13948ff2072077f306815ee1744a067c7cc2547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a36f.TMP

Filesize
48B

MD5
724f6911480d5802715972f3bdad4bdf

SHA1
418293dcec9667e42319a0b9554332975788cc2d

SHA256
f7070bc368ec7f029abff52b739e36692ac633d866e9d262c4de0ee8bc9de492

SHA512
f97e65129223c0f86cc12a89597eaeda8499069e41b0376af2989563dea90c4d22875988f9f58c2c802108031587ddf1e7c3e71de28f6ab84cb8acc8dfa3f05b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
17a3dc31a798441a2b439a3e2ed2799f

SHA1
64b8ee39bac58ef66bfb9488859ebc516f001bf8

SHA256
3201848a72d1d48409778550e9b6d284bce2c1fa42b96739c6edd6a455d3caa1

SHA512
0c3107ea0d0987b59077cc98cb04893d1b95bcc358a3fb0c5eb38ab62735eb8f35c339636f78c23998b70e1dace7947927d4178f2d1d1f188ad70a4219438a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
2bea82d37497fbf95bec3ca7acf846b9

SHA1
90a007114b40041dca31179702ba4bfae343b02f

SHA256
7d0881be28666f92ecf57ae9a3109b86745c4529039242479d0141a45765cdb1

SHA512
66714c0fea0b6a4371ac86e62aa258b10d6d8b6a992166258d1e328f94090041ea287da029f25edb7f5d53d607ec0a7bf97922027df5e89c7090dd1863c711b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
0043e13061fcdf4a080202a18973f7d0

SHA1
444ec563eecabde4bca8ce696cb8bbdceda59abd

SHA256
356b899b2e0021817bbbd0b680394a65cb55cad78e9d27554dbd7456efa5e051

SHA512
9b121d61d09d66181a54377b6bb135d15809f316d64fc2595086381a4b40e775f74f54089e0a478111e4d6dd1adbea5dc80a56d93f75548156dbff8c6919607e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585a60.TMP

Filesize
107KB

MD5
22eeca30b948b45a32d070c37ae78bc8

SHA1
d274722b25117409a20787a4086ec41b9cf3be46

SHA256
3f49c5a3ab88ffe1ec2ac3c4b78af73a7f24688108771c0a9b0bcd40164a87dc

SHA512
903664ae5a454b7ecc35a43b04b10fc9a551459e9200c3c2d3f2dca3cbbd54d230670b0198074c8d883917a52c9c4b20c11fe1a690a9fd9abe487a096b16aa2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Debit_Invoice.bat

Filesize
193KB

MD5
c78876d9420df098bb64ef3a3e2fd354

SHA1
9488556e8545c68faacbc936d996b3f767eaaf77

SHA256
08d4337a44c65e0df2bfa396a2044c2d2208abc6aab7cffe813479639f046942

SHA512
3124f05e3a00cf3d7ed2e2e1b404d7ed5a04076d62842079ef4badd18b951e6fb4d7d44b12b932c54f8bf9ce6c15095ca2a603510a5c6531ab146aa68c91ba18

Download Submit
C:\Users\Admin\Downloads\Debit_Invoice.zip.crdownload

Filesize
328KB

MD5
f2ebd6423b3199cb5ab2396306fd2799

SHA1
6e37842c86bea3b5d15e892153f935e1191f8e13

SHA256
6031a52e0045f4eb9a3b0ef37eaaba79e633adb8a3d8c00b24b00be729bcd85a

SHA512
ab6375e51d4d0a2acf88b870e61762d3321c1d9edd0b6b5e113ee5db4805f200746480a79ec8794e1885a71b99dc9621ff9f0aba9922311e76f6009508df1819

Download Submit
\??\pipe\crashpad_1084_ZBQMTEIFGIGBCJVJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit