kutaki | hxxp://milavado[.]com/dijej

Analysis

max time kernel
308s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://milavado.com/dijej

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Tracking Info.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qryfnofk.exe	Tracking Info.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qryfnofk.exe	Tracking Info.bat

Executes dropped EXE 1 IoCs

Processes:

qryfnofk.exe

pid process

3644 qryfnofk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3644	qryfnofk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570067159102350"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4932 chrome.exe
4932 chrome.exe
2728 chrome.exe
2728 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4932 chrome.exe
4932 chrome.exe
4932 chrome.exe
4932 chrome.exe
4932 chrome.exe
4932 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
3864	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Tracking Info.batqryfnofk.exe

pid process

2748 Tracking Info.bat
2748 Tracking Info.bat
2748 Tracking Info.bat
3644 qryfnofk.exe
3644 qryfnofk.exe
3644 qryfnofk.exe

pid	process
2748	Tracking Info.bat
2748	Tracking Info.bat
2748	Tracking Info.bat
3644	qryfnofk.exe
3644	qryfnofk.exe
3644	qryfnofk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4932 wrote to memory of 2732	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2732	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 2772	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 884	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 884	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 4868	4932	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://milavado.com/dijej
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7fdb9758,0x7ffa7fdb9768,0x7ffa7fdb9778
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4612 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4824 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5460 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5808 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5984 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6136 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4756 --field-trial-handle=1708,i,14070136610617103988,9012916646023549841,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2564

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Tracking Info\" -ad -an -ai#7zMap4692:90:7zEvent24162
1⤵
- Suspicious use of FindShellTrayWindow
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:1192

C:\Users\Admin\Downloads\Tracking Info\Tracking Info\Tracking Info.bat
"C:\Users\Admin\Downloads\Tracking Info\Tracking Info\Tracking Info.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4372
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qryfnofk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qryfnofk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3644

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Tracking Info\Tracking Info\Tracking Info.bat
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
eaa96ea0f8a643aef9e2476bbafe12b3

SHA1
1d4687bcc80d2dc348373be4398ddf2cb5c6ff14

SHA256
10ba0fafbe5e0f5f51f6132eb9df0029389de3fdc80e09e65ffd2e9056d21cd3

SHA512
f1631496c5b8e006239b5ab4ec2d5aabf8a698b2cf56b9d2946ef35d9a63677bb2d23009c8a11361791a7c8291aa6da20134aec25c4321a5fb348905491ba3d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
89b62e1942b37fb83e7c363fa2b56563

SHA1
a8ef0644bacdd64bd45565e981f3e8a24af1d1b9

SHA256
40288afbca82c8edf558870755867e748bbb2a0d0ec48133d8a8cb2753c09d85

SHA512
83e82367c931c35d2f8c5533c28492effc8db73e24372055a022965396865f968848697ea26506dd9b284e3d14c01d9d6e63da90ac68e046a375bab58c9e7bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
699B

MD5
624af615569015ed339b5b7f7c5e7cbe

SHA1
77a8792ea4a045da76023a3e02ac05ff26fa0820

SHA256
3b20a37ef6501d9d4ead447330b19c76b14301888eb523e6bb327d935adc5142

SHA512
60b802b95facd447a2153eed26cfe13dc1cecf693ddb030bbd38753d4a5d9d0cf58efa77e9bf7db0a51d263c3708110c1f26f2d93d3c25a1f17d62f60d8e3ee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dc9af52946dc190cc7fe92b104ea3829

SHA1
aa1b7b10ea7f510783602ef66cddc7015aa85d8f

SHA256
df018782d2f4b340150c33a362ebac27fb2413630b29671d319873218ece644c

SHA512
9938e4d6acefa5890e6a51b577d3a40892f0e9770a349d83811a41c9b46e2cae5223b6805bf61e4a9c72014d0a8c95b219d5c6de32d570230ac1a60656365e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
17a1905cc835e85b419d9601436e4006

SHA1
3f2cccadb32427a9902d94b66e8ac2a50c566c76

SHA256
2097bcd74868e8d47e2d9eb8497311f14c9eeac428c83a927aa0e76d4b6cebf8

SHA512
4b99ca390839b678745acfbd32655f87e8859805c7494092bfc3bccb3eeb8592894c450004c52f6f915a4af004ac7c94effbc833ace5e0e461722f8f43696c64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
7b3b7df207b1a9acc7a6231aa61521b8

SHA1
9d0c4b40712d1a0e4113391c958c9af9c081e6c7

SHA256
a92aa49e5ef9170a9be6bbc6bb18561f6b99ea318f9c9e30ab86822b15544959

SHA512
1a72a09f44ae11572d556d6f1bc25da91ccbb7a0beb3443b1386c65b15d68738966e43696d856d361a3fa46f6014f317d9df292ba048a1dfb0607e1d2928ece8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
e6702a2fc94b99ea665f7c2c1272f8e6

SHA1
cf9532b17c7533ca89ec9fe851af6f3923e68e06

SHA256
c482f4ba94852c60309c8715a220a12c7763cdbd9c5d9dfec098d1bef6a3b982

SHA512
6760b2848934568652ba37c5fa92bb9c4960a78b972f1b1f05d9f1ebbea75d5da46eeea2fb9c0e206019c52870cbe44f5f7f9d8b83729a345d2a72ee032427be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
a47ce26504c7ce01e6c4718d872a904d

SHA1
f24d5d73815a660455ae8f2dbd52ee35791390e8

SHA256
d185a53ba6862f1aebad7aa8f4216007c5e5cd5503fa7c0321ab4574189349b6

SHA512
f6ad17db260a8d560b403fd3a4f7f93cf6a6448b9b417ef67d9878fb642e03675a3dd0f24b7889e5662c462794426c21dfc1f63cad60542c7e1dd49638f62db9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
30f53f0eeeeb12421eb02dfacf54c878

SHA1
5045ac6bc6c0090224c79256f7e90f4f7fa4ddaf

SHA256
b948f38ad8ad8f704edaf0ca115f275168d2dcbeea668a3f21191a466e509050

SHA512
5d8bb8ad3a2bff39499088c73891277ea04a2b06ecba86f87d8a636e7afb539a623326d93c89e11878902e8bd56d10359031b7c29100b6e3fe8f442eea51e223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58dcbf.TMP

Filesize
103KB

MD5
db12c078a5220b4955ddf96f2a4107f8

SHA1
53df6beb5bb961867b344dacace2f8cf730f2a23

SHA256
6ebefee17e1309ec2d60204449a4fc9c4137a32d068e9a7b68ed1744c30778e8

SHA512
c5a188d8dbeafdc5c8eb668298271ad656c2675fe3d7c848c3029c0b3d6114b95ca48226adcd86951862bb3d84f4b384c1e3bae1576a26c37284551dfe535545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qryfnofk.exe

Filesize
468KB

MD5
e7aa11f840cdb5f9e3d365cad47882e7

SHA1
168936fdc3b92cd17d12f3ff4907d0d5685f9886

SHA256
6cb622e12fd1a29ef17c90666a03f467207b22753a7c3d50c411d1e3f9c392b9

SHA512
6bf9efabf71aacc9a0402db9ef3930af15996c60972f1515e1cf2ce9617070b64df6f75123802f1dd6179f9003dd1660e0a6fbab70f3e3a59d40c29cc32462e7

Download Submit
C:\Users\Admin\Downloads\Tracking Info.zipx

Filesize
325KB

MD5
84f858c6c0774861c9ffa4f62c9b9bba

SHA1
feb11559a76757426097c6422d6960e6cebf2697

SHA256
6e6dd23520a4b3466bb6032c3352cdd81fd80dc54e00ef2da5a6df0a2cf9016c

SHA512
d98ef671d400d51adde07bca7e3e01245196cb347f3542d32d8a24f3b3b4b709541a305fa627d3bf64cd0e9fe79aee78dc192d9f283cf66fed9af671e31db1df

Download Submit
\??\pipe\crashpad_4932_VZBWDPTTEVZOZNYV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit