kutaki | hxxp://planfoundation[.]in/Zyr[.]htm

Analysis

max time kernel
149s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
22-03-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://planfoundation.in/Zyr.htm

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxxzjnfk.exe	family_kutaki

Drops startup file 2 IoCs

Processes:

Tax Payment Confirmation.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxxzjnfk.exe	Tax Payment Confirmation.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxxzjnfk.exe	Tax Payment Confirmation.exe

Executes dropped EXE 1 IoCs

Processes:

dxxzjnfk.exe

pid process

2812 dxxzjnfk.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2812	dxxzjnfk.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133556132879866852"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exemspaint.exechrome.exe

pid process

504 chrome.exe
504 chrome.exe
4520 mspaint.exe
4520 mspaint.exe
2756 chrome.exe
2756 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

504 chrome.exe
504 chrome.exe
504 chrome.exe
504 chrome.exe
504 chrome.exe
504 chrome.exe
504 chrome.exe
504 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

chrome.exe

pid	process
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Tax Payment Confirmation.exedxxzjnfk.exemspaint.exe

pid	process
3604	Tax Payment Confirmation.exe
3604	Tax Payment Confirmation.exe
3604	Tax Payment Confirmation.exe
2812	dxxzjnfk.exe
4520	mspaint.exe
2812	dxxzjnfk.exe
2812	dxxzjnfk.exe
4520	mspaint.exe
4520	mspaint.exe
4520	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 504 wrote to memory of 3472	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3472	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 3900	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 1752	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 1752	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe
PID 504 wrote to memory of 4504	504	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://planfoundation.in/Zyr.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff982249758,0x7ff982249768,0x7ff982249778
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:2
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2604 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2612 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3568 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5260 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2936 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3132 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3596 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6124 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2400 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1760,i,16939799144278223304,14440689613549403122,131072 /prefetch:8
  2⤵
  PID:4892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Confirmation.zip\Tax Payment Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Confirmation.zip\Tax Payment Confirmation.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Modifies registry class
  PID:848
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxxzjnfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxxzjnfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2812

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0e019065-8129-4e4a-acf9-dd35b9f4cfed.tmp

Filesize
6KB

MD5
6a8aacd6980e9cb7b414b881eb378183

SHA1
cda2f83a2dca3bd0af2a6c8be17ca2bb4e7bf1a9

SHA256
da2ed0998ece763244a6cd8970a356321f6e2c3859f649431b11b32f9d4aae31

SHA512
0ebb5a3a74178c033404eac18dffa6ec44ebbbade0d9060d9cc32003005050638948592ad145cd35c370b6b686b03af43e6684a9c52e3dedf2ad0847233235d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
e78c85c53e731dce6bee101334b4343e

SHA1
0fb418f6cdc323970a4707d4bc694e5669fd8dad

SHA256
1fb48deefbba412b78a693ced939d6c8df7514a643b133dd5038a49ef6019452

SHA512
b2bfbb416386ce02834c9fc1c67a3e67eb0b48a3a5d8246f55fe953b7b0f5331ad165bb5217bac6bb6163864cb0375af63344deed3a21742de429aac9163acdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
310c6f400e60e8478dd02de7cfc64b02

SHA1
1392697526299b0adb57396cbb107a8e77da99b5

SHA256
e40cd7b22d73491784169f20ffa6fa70100468c21b868b7b0af45fd9ba759f8d

SHA512
4a90a126d1cb35e5795bb59f76f66d722bad76e94dcab3efcca3a4779c5033df69937a1c678f92d743c9c9c8aa9b98fb050bc3224580f31bbf93cf0a333ff5a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d5aa7118-de1e-44dd-b121-cdc3b3ba54c1.tmp

Filesize
771B

MD5
0f618cbe3d1cba3ae316a51cb66976eb

SHA1
03f47efbfe5d0095b9287dd0612b6906dd1dc3ce

SHA256
ed714839bafca9fc6190c4b1fb094cce8e75991af9f74a2201933375eadb0875

SHA512
9b846a244d1afbecb3b5864d7b4c95ec9a5e8c8efd327ec3fcf829befcddc0f129401ad26142d3b57decc96c53e64972e7364568d410b3caf4c56aaa7c79e1d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
afd7381574ec14f7ca3a9ce5201d6993

SHA1
c8241015d7abf0af56cc63bffdfb97a8f4b2fc35

SHA256
4202426fae6071706f1bb36fe4daa0fe07a2740b9b8c3e9bfd288c76c3ab0454

SHA512
4960e9ee143b6cc26277463101609e6384eca0253f8185bddeefd46f1da1437a837a5e96aed25b01d02fb910310d4a26b65e3ffbdea0d83193e26ec6f4fbae59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
330cfe856c08f5aa8be636599e321ff0

SHA1
c534f139bda0362ab8eb0dd15661b610a53a66d8

SHA256
cbac5d2a1cc130fb33380a8c658bc4d1d2465a8d660ee9bd4c9003a349e1f1eb

SHA512
0a8b0db4bbfe6dca76d657297c9b94c11aba5d67b32ee91910290382f26e260d539857a427e0109af229971faff0bf139c1d85a1228608c5b08af5e7cf26f21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b1389bd0032eb120f1633c78b32435f7

SHA1
8a73a30caed37446e0358b839f206409aa405649

SHA256
b89baa58ab3586547695367f5cff7db6a7753cb5dfdd99b827d936470d3eb750

SHA512
2806d532eef81fbf20ee5f949d170d3d77cb8ab8b0c303d12ad5e4a43ed91e48f1e6613103eb0d998af48970f9862fc27472867a84664863af3678b3dc620096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
a343168119c90005b641909443afbd35

SHA1
eebdedfdd0e0658f3bfff115761c8e6a3176864b

SHA256
8fc6c5d1dc664e5e5ea6fc4c0edea0cf6beebb8987b34fbcd1408bc5abcebce8

SHA512
a5d0e15a13a3eb50983d2765be7de3e5e3aa729f954dc0b9b8e3c8695205f6b63ddeccc6b3e62580b2dcb46d6897d743850e391164c0536ff765ef6625fd3696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
b473afd0bd1921f60ec12d44221806a8

SHA1
652ded3cab4d8247a2a4703968b45e41cf099f8c

SHA256
62555c4331395cea337af5ea603ee9549ee79ad6440be850fa31e06da5483bf9

SHA512
442f3d2defa82399efddd376eee6a7a710993c06aa332d80ad31085506ce367e006ece67d983a2431f9ab407385ebb6e989063b4033a8cf485878b2ea001752e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582a09.TMP

Filesize
98KB

MD5
4816e66eaf608678c3a021c60dcffe0c

SHA1
68e32661f27849d87e25187f7d32c304c5609582

SHA256
1bb4ebd91e3ab9f35b2926db12639db3e18fa6ad922fab7e97fc51a160fdedb5

SHA512
86cbbf610dd4eefcd254f604bc7c48a852e2a0c0b17b6e7669c7bb9f21806f968c8220f4387188a2c56a7bb76429d18f39b4f24bc6535aa7d05f20a817daa97a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxxzjnfk.exe

Filesize
805KB

MD5
ff22cbacd681684e683e3cc90b5eeb49

SHA1
ff242e78602ea1c38bf81830932858188a682040

SHA256
026fd16b5f3c3d9d23e9a9dbd29af68d89e6ed4d8cadc250e00d798fd489d74a

SHA512
d012ee702f1566fd99658bc231ddb5152001c11f665351c6a269293f00a5d9d67ade90e3d342f30a4b709067c59e7d01c4eecf5d418f0ea638d1857f5f0c3b25

Download Submit
C:\Users\Admin\Downloads\3f2a2c80-b4b5-4814-beaf-b4024c9f7ac9.tmp

Filesize
419KB

MD5
915566ad14965b9d7a87f3395fdc9e29

SHA1
a2eb6497100e67b3db5590ebcf824a9a8d222f40

SHA256
1eb21ae164e0edb9711f7b103100c846ff3eef0f5ce560a6d4582233236fd09b

SHA512
ffb3934ad368afbf5d58fc6d98d55cc3d4da56394d36a94ac31b67eda841fe298b5824fa007390cd8e96232f56b24361af4866ee8c46d8339dea7e115c6f7f33

Download Submit
\??\pipe\crashpad_504_ARXGUMEEFGGVMOCO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit