kutaki | hxxps://valudas[.]com/prc%2072912

Resubmissions

18-04-2024 04:30

240418-e4wslacc9z 10

18-04-2024 04:26

240418-e2xbcaah98 1

Analysis

max time kernel
110s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://valudas.com/prc%2072912

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

PMT_3678920.bat

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoqaoxfk.exe	PMT_3678920.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoqaoxfk.exe	PMT_3678920.bat

Executes dropped EXE 1 IoCs

Processes:

aoqaoxfk.exe

pid process

4972 aoqaoxfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4972	aoqaoxfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578882241813384"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

944 chrome.exe
944 chrome.exe
944 chrome.exe
944 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

944 chrome.exe
944 chrome.exe
944 chrome.exe
944 chrome.exe
944 chrome.exe
944 chrome.exe
944 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe
Token: SeShutdownPrivilege	944	chrome.exe
Token: SeCreatePagefilePrivilege	944	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

PMT_3678920.bataoqaoxfk.exe

pid process

4736 PMT_3678920.bat
4736 PMT_3678920.bat
4736 PMT_3678920.bat
4972 aoqaoxfk.exe
4972 aoqaoxfk.exe
4972 aoqaoxfk.exe

pid	process
4736	PMT_3678920.bat
4736	PMT_3678920.bat
4736	PMT_3678920.bat
4972	aoqaoxfk.exe
4972	aoqaoxfk.exe
4972	aoqaoxfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 944 wrote to memory of 724	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 724	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 4508	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 1124	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 1124	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe
PID 944 wrote to memory of 3656	944	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://valudas.com/prc%2072912
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84ef4ab58,0x7ff84ef4ab68,0x7ff84ef4ab78
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5084 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5048 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3124 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5288 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5564 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5572 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 --field-trial-handle=1896,i,15598392454278670846,3426293537626903108,131072 /prefetch:8
  2⤵
  PID:1868

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2196

C:\Users\Admin\Downloads\PMT_3678920\PMT_3678920.bat
"C:\Users\Admin\Downloads\PMT_3678920\PMT_3678920.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoqaoxfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoqaoxfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fd2a6aa066068a96570ab4cd0771cb19

SHA1
e549d3f8093bf8a2579387ad37afd42d8af1c24e

SHA256
ed3babb6a97787931e4fef62b4fe41aa944e1d1bc04b427219005b863f1ac31d

SHA512
ebe7582b203bda5dae751e2a19832a42fc5b4963523e104cc38f35f50ea5c0ec44406bc6d6a07e51edd883298d60672c87b7d75394b52059a3c0b674dc3ff55f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e29500e672c11ea4a978173de9503753

SHA1
4f5efa4b1402d3a74eb2664bf7778389bca21df2

SHA256
6fa78bd19e9726f466487d100371df38fd4c337b553536df93ad563714d2c4fa

SHA512
192a15c16a9ccd668187b5ede7b314773cd49e3b0a9efd5e1927aecfbcdd1541c5e7c45c24f5917b1bba19401d80ea398ed8f1d439a860a682650c66992002a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc6b7f2cada5d91da15cf18cb3be12e3

SHA1
17c121060c10505fd52d3a5df0b5120011247e4e

SHA256
8be42327e8aa216a9fcc62962c4307584c4d70da753f2fd3b61e00ba1b8fcc02

SHA512
2f59ef5ba8112ad3b45cef36a83f03026a2db7a22520ee4db43ccf9a099661ebdc23bef3ea1211e3ff3c30e2c9412501f2e509e28bd3873698c4862770a13b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
e6cbb9bb33e149afaa8ffaa5c81c1be5

SHA1
e41f2c56c618ac67a226b99c961d518aff67c090

SHA256
0a1bcf3a88e1b9f060560731d94cd453cd456d27dcc6ffbc7d86b6427494c565

SHA512
d18cc45ceb40ef5c631b67e89096593fd1dd1bdb8412eeab8686e026486f78661bed099be796a54e6e5b651227bf018c431c890e3cda96ac69880aad3b185102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
563ffe5bccc7da8504fd3759d74b2009

SHA1
01790a8a94c28848abd6c72541eb5ceef2fbae55

SHA256
003f61c75fb31f59f4d698782d17c7bc08e17c7d687c18aba20b057c4e596655

SHA512
4659c4795db59be5dbe0344f08ace174c6698b24858e45198558f1f43978e845ac515924a83b6cf522713442f0fce856eaecb67e6e4b690961842ef727709a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
34349897f2d960469d3a0a15bdb3a7a1

SHA1
16cb29ca8e70a833d3abadaf9e5c394102d9749b

SHA256
6b0812a0b2482d08b435e12aaac2c5ab3a85ab2cf8de8aa904e1a3ba41e4eada

SHA512
a3df200959c96bad7d3412cdec202ca49526141187d710ed40908f83460e917ac2e47dfe52d208709d2ff41c0fa7ca8b2372364ebff8cd44cedafc407a448df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d2f6c4fb32f3964f446f9da5855e5ed8

SHA1
3be524504bddb330b3c81210aa3ec45504aa79d4

SHA256
e3d005569e20c9ad891a1cd6b8c336a4177281893f46697395f9316ce47b6b72

SHA512
c0bb2259a81ff4c8550a2469022bc457d77faaeae13cd26aa52b0302419632e9a6d99fed079be2cf8226e51675884c5b560de7f7dd2daa63536342fd2d0fa655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d205.TMP

Filesize
48B

MD5
a98812a6d5dc7be8c75dd7d32ab5694d

SHA1
c5eac34e4b50ba19d4820652ab2f4d77d352f93d

SHA256
40aa53592058ca8f11a106b98d0bda7ee6e51ea8e91a41bbc4e408cf960bd01e

SHA512
6cd6e46f3507f2b75f7210ab4f14d8e1d8abea08af7e15f5d208e539ce885704769202119f14c8cbebc926b8b8059a4fa688d5239ee5d3639631990a659eec56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
c221d1e2738a15be98ce2154c207b679

SHA1
01458d3d4fa378bba6d1c90c44c314e283aaadc3

SHA256
8579c71de9576154f4ce9b4837fc2f41b8efed0deb0aef85ef204d18f21cf6ac

SHA512
c7e0cec7362ab218b16a3f288976678398b6387db2ba7c491f9c796c87574b9eb530903912a66e37c148f4ee466e27041f96c21a5d3ef2949fcf5fac37e0bb7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
e6ca43e8f3b46698d80b2edc45fa8c8b

SHA1
43509daf55d9ecaf63cf684e7990165110d88270

SHA256
d365002d99fe64f9c439ae475d26d300f60d51ab3ae358d0eb6d4ce72880286d

SHA512
e58b49e7bd0a68b304506e704aa3de73ee96b84960b3381d96493ad15b042815e0e28d363288498777353f9932e10cc6b22c175e99413020625d5f035dd8be83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
0eaa893db619b89e1a5f9a973bef6ea4

SHA1
6a0e39eda8004921aebfecac9c19eb5f03c7cdd5

SHA256
e9b3015e350f715ebb170af9599d7a923e3c32e382d1b1e0011f97116cb2364e

SHA512
5835beb063f7ea8b4bcd328f967bf4305ef527e479b2a465667abf744a1bad17c332bbf09cf6041d5c9d351b83ee81623b059043e749b773802069387e29670c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
dc3ce9b15679e5164e69e2cf99b6d9d2

SHA1
cbeda6dda6b79b21fe021fff0388d71af1103443

SHA256
9775cd3d960aa5e238139ee6bb1143a8b8463a07d90436d4fa604f63b7769c62

SHA512
40019919f966390c07eff5d392262ddc256303c9df3c3a45fd0b45ff69e6a83a3998116b98157f39d1ddb29193ed4cc7f61d01d11fde70a62c2885ffbe21e835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
8f6ccf3a1ac9e66083ed3086844cc5bb

SHA1
96474b9d3bf40a4ad73249ae3553a0c6c5ceb4be

SHA256
62f3474897810d1e621f6054834216ba6f7139f81604d9f8af1c2c8a02c7481b

SHA512
25ca5ccc646b9fc6b1a733385c61ad6177b31c637f0d343565e29d8154aec1e800f36b9113a8d8d212cd80b4c670263e1eaad18df3b1dc2d712fa3b38cb05d82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
12bf960f3b18104918f7a533b48d3bf5

SHA1
48ee9303c9bab3d932f12f45be2d99f0ae7801ca

SHA256
9de59e77ec6f42e42ae1401c1e045168f3d95e35974028c80745c637bea134c3

SHA512
c6172c116ba51c0f71f567016e378722e5cc8562542d847e8f8956b1e67002a75564263a2da973983c6a9e4cfede51ad3ac2fd1c00e519fbeb86bc7628b28fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d4b5.TMP

Filesize
94KB

MD5
345f8d61d57016b28e7b2f3689def759

SHA1
e28c991cafa7db778f41f59a1040a737f6b6dbbe

SHA256
7a89faf13b5cb0eb8207aaf25e3b707ffbdd4fe5459d0c7db8f95e273f755966

SHA512
80492ee7c0f50cc21c95e29e8b69e49f9332a4b2f5c5cb68379d8d1717d56ba9e4aa91c2cd5fbed167c0ba6029c84de85820ac25d37c610da210f049f43f4f92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoqaoxfk.exe

Filesize
604KB

MD5
8223a085dfe39b71d64205c552461845

SHA1
f674d9956d5ed20adbaa95258c4332a4dfc0191f

SHA256
197ae170be0f4ea2b9e7c8a2c177a80f02e67b7aff700371d1d7a9178bc08d24

SHA512
eea60fd455d06cc754543acc86e09dfacbe23bf176486214de84702da4aff1c9d04811c944ce8325e0ddfa61158eccdc65c4f404e68f05c40fdf760e3b98110b

Download Submit
C:\Users\Admin\Downloads\PMT_3678920.zip.crdownload

Filesize
361KB

MD5
675f4d1a54e4ce5a61d57988e07eb9a2

SHA1
caa2171391472e790c3490b94d539ca9af78e82c

SHA256
8c7cbe15e3af132d7069c664b399e7864c19957734bbe13cdf9ec8304d0153f3

SHA512
cdf982c8ae8d7ccf9264b7b76e1701dce6bd140154329e3b452eaafc52c59dec4d1ce4fc08dcc124e320ccb3d4bbef69ae3f2d20ca3a0f604d9b8ac6ab32dc91

Download Submit
\??\pipe\crashpad_944_GBTYLXUQMVJGLKSU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit