kutaki | hxxps://raamee[.]co[.]in/ght

Analysis

max time kernel
494s
max time network
485s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raamee.co.in/ght

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 6 IoCs

Processes:

RENEWAL.cmdRENEWAL.cmdRENEWAL.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe	RENEWAL.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe	RENEWAL.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe	RENEWAL.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe	RENEWAL.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe	RENEWAL.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe	RENEWAL.cmd

Executes dropped EXE 3 IoCs

Processes:

pazletfk.exepazletfk.exepazletfk.exe

pid process

5976 pazletfk.exe
5140 pazletfk.exe
4484 pazletfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5976	pazletfk.exe
5140	pazletfk.exe
4484	pazletfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

664 taskkill.exe
392 taskkill.exe

pid	process
664	taskkill.exe
392	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636935353851089"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "5"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

5088 chrome.exe
5088 chrome.exe
4472 chrome.exe
4472 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

RENEWAL.cmdpazletfk.exeRENEWAL.cmdpazletfk.exeRENEWAL.cmdpazletfk.exechrome.exechrome.exe

pid	process
5812	RENEWAL.cmd
5812	RENEWAL.cmd
5812	RENEWAL.cmd
5976	pazletfk.exe
5976	pazletfk.exe
5976	pazletfk.exe
6084	RENEWAL.cmd
6084	RENEWAL.cmd
6084	RENEWAL.cmd
5140	pazletfk.exe
5140	pazletfk.exe
5140	pazletfk.exe
4720	RENEWAL.cmd
4720	RENEWAL.cmd
4720	RENEWAL.cmd
4484	pazletfk.exe
4484	pazletfk.exe
4484	pazletfk.exe
5868	chrome.exe
6004	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5088 wrote to memory of 3376	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3376	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2748	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2568	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2568	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3256	5088	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://raamee.co.in/ght
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff4a3ab58,0x7ffff4a3ab68,0x7ffff4a3ab78
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:2
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4024 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1544 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5092 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5256 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5096 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3148 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4388 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5596 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5076 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 --field-trial-handle=1912,i,6343194822422329183,6481820540781960719,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6004

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4596,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
1⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\Temp2_RENEWAL.zip\RENEWAL.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_RENEWAL.zip\RENEWAL.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:5812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:5924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5976

C:\Users\Admin\AppData\Local\Temp\Temp2_RENEWAL.zip\RENEWAL.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_RENEWAL.zip\RENEWAL.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:6084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:6124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im pazletfk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5140

C:\Users\Admin\AppData\Local\Temp\Temp2_RENEWAL.zip\RENEWAL.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_RENEWAL.zip\RENEWAL.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im pazletfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4092,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
204KB

MD5
081c4aa5292d279891a28a6520fdc047

SHA1
c3dbb6c15f3555487c7b327f4f62235ddb568b84

SHA256
12cc87773068d1cd7105463287447561740be1cf4caefd563d0664da1f5f995f

SHA512
9a78ec4c2709c9f1b7e12fd9105552b1b5a2b033507de0c876d9a55d31678e6b81cec20e01cf0a9e536b013cdb862816601a79ce0a2bb92cb860d267501c0b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7019510232d3f9206c6139380809c870

SHA1
c78dc48678819bd46efe9536ab9deaa43920ae73

SHA256
9642ad3cce2949ef573cdf2c1b2980fe2a5717657ec69c32d7f8464dd6e8af06

SHA512
b34e2d940473144995be72fe2264eb988c16d50b93b12a50ab9e2e0ec723cab23bb602481f02c17e697790b86010c555be1b2ce0b9041269b041558dd97d5191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6fbdf6fd25fe7d58abe3d0d776ba9c15

SHA1
d9ee6d4c2de965d75bdac09d8c3a91bb2d2ef195

SHA256
241ace4f99d6ec08d1109ad7b154fe036be40015ebf88f5578e5d77bd29cbc9a

SHA512
6fa76f807fbe512e6ca2555c61350034f038b3dfd535c36c05e935d270fbdf3f39ba456ba5295ec312ae6a0cd8eb8f53629ef450076fa07cc23f900c2e561c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
525e900eaeded9b04a0860bd9fe4a1f2

SHA1
6b360b79a675170a2d995e09a79b04c870c975e6

SHA256
cd6b0a9faf7951601460921f97449b85fffa993bf76bc49c81913b43de0f71db

SHA512
963d0a323a7e0fa75cb462330208ec21177c7c7f00db6d09e4ba4c7c3bab6f62d73371caa8729b25a25f2dfc4ea3fc3581e632bd1a2baec20c45e84506629bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
aaf8e594227b779d3913a21f3dbf3fd6

SHA1
ad0db99375ad1cce7e5de71dcd89d8baf8655902

SHA256
242eb1eff9f23387387482206b110e054caefb5a630cd3cd7e38664f4fe1b1b5

SHA512
058d33017ce8d9bb5dc20fcb1a5ea2729eda4dbe880683245dd7365280f4fe334c19138065300d18a3ee6a1a7531d2817cc0519a63621e73df0167025cd456ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e971a83d18be0bc8215319f80d5dddd0

SHA1
c92679c52648ce928e565c6a2648de824ee7ef03

SHA256
06b990779dfa3e2d7092ec329890746b83a14bc1bb7e163ab53087df845fb56d

SHA512
89957b4e66dc0c2011608b86130f41583174f1ce89b146d5f2cc0d39f8f78b2761ac5114f76b778f20bd2bf3acfc8866f14c8612a66f4d4ca77c7ee0ea861eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a9885b555989ecce75f11c808d7ee0af

SHA1
8aac2beb519cb1dde43f81a2780c1efefc1cdc4e

SHA256
b79d97b7d52994a3a5ae779ed3e88b1f691f6806d17ff8dfb4fffac211060b09

SHA512
95667996e0e6799aade7512555ce98eda2d475df72f644c9843ae8326714d7507b9f0e3ee7b5e0faa0aa4d7f38b82e0a7c3f2e3da025483096ac3334769e055a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6faf284d1d3f8a48d7b9d72b5b852d96

SHA1
2ce26c88c09a8abd306e6f490cc932d03c8e149c

SHA256
ec8425f7da6f57bc3a127240c7b40c51107dbfb2b13251e962229051d292f877

SHA512
75705b1cd1a7267f8fdc111c1e3de769639c3a8132784a98e11862c45b5a9ab3e481c7eef10d9da05ca72c45b80ae7fdbc238f90d5146b15b147a0ec395638d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f52865a0b8875b641e9415ccd6d12d3b

SHA1
b2ec20dcb9a67ac7e921d0b0a4c1c8686d5a34c1

SHA256
e99ea7ba56c67f6bde424938dbfbaf7e6e283b08fd2ea64df8114da35e511ab3

SHA512
284abd7917aa9c1118ef6107890503f17fe0648c2dce8088c63a1d5ae318d6dd6d8c9d6ae622ac57725c44b32d2dc1939508d0e6fb4f8bb8e0fc0339d24ea2ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e961c33e92fc8ed2ec677ed9753b35ca

SHA1
bb804c795b71501a06ad50d9b287e945158a144d

SHA256
98a7dbf06885b0ee686e7eb8e497928a8b8436201fc8dfa7ac0656e82dbcbcbf

SHA512
946585dccb8da4135446bc87c0bac1e33efe5f5ff433182d14fc89edcc743f70a155988617fc39c87b5b849a27739790cd98d64c08091d69ed37b65ec8ed769e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
9731d196cdf88a9cac6af9f1c1a5ebd9

SHA1
b5fe09895ba67032c183bb4b10b689ab3dc501bc

SHA256
6f9e61ac4d0ad314f41facd41972c0c03d3dc757880da7a20dc80756a483af9b

SHA512
2d786f1784435e72d580c82b3d652214e93dfe7e3071b1732991a8088b33c3d81e5c9560b887eccedf08247c4cd2191e2ebb5ac7b76e8867c6fbd55d64baf92b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d2474100b852979f882952ee31745446

SHA1
8afa865bea4a56035266af67b9845b35fbf97394

SHA256
25438f78fb2723cab4b88f70a6f710da0710c38aca3422d4ce8ccbb0ab21559b

SHA512
9533e8cec9efa02acf67804aa47612b226846d186d37f7f973194161b0e398b5968d3c6b5f96472ed98b1e45b802a9ef8aaaa2bdba90775a966b29a4f7f0e95b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b0b41f22214c8cb4fc0d8103711d60ef

SHA1
31143d21f1226cabbca373f1e9508f3c1df0d742

SHA256
e9f283f954a93237b817cf10466e58966801e1384d6828dbff7383459c998a09

SHA512
8cc2df37b5d48c3d846023134e3d0392d80361689c2bb88b79eadfa6fb9be68a969b3feee58b20ebf6b728eeb4b5fecc857ee38cb21cf54a16198c40a38d00e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
a8bf66a486c6ef10fba6796fb5482670

SHA1
4f51716f39f11fde1599fc687b848e05d4c4b127

SHA256
b64a614463b56034bcad8891bbf7daa3d1bc71712bec2a1739cabcc65a81d68f

SHA512
a20767f733f5d1e53e1f1b38af55fa27b4b069bc4535602b5526255332181b522bb8c5541ee222e3271b3ee154ca2f7f6f30dc1ec0a6de7382713902001bebf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
faff5917058eb4876b99fc7435731c91

SHA1
c36a9ad7397bcb6d868b8740be06f0ca4042aa06

SHA256
d03a2a857ff0f365525aa769f6a8c1b88303e7a24ebd7209888dcdc68e5f768f

SHA512
bf4beff1ed6c5c59ccd9b34d51fec02d321d0f184d26d40a0304eb82dc322299107f40d91d4e70bbc9320c21d55c50c7dba786df708b210a4bde194f06cf7b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
01b2b66222e02a0b555e1281bcb9aedb

SHA1
da4460df3314027427eb95d7b28c2c555c89443c

SHA256
7c927d10d1c41118f94e9ad2b14b2e7edea4cecaf0891b1e00090fcb122d82c7

SHA512
7cea93a707cd424390345ffc291d9c96cbddf02ae47315783f5fdb74da61e9d8ab7e7c1a4a7936f5676e32cc27290f6e4ef424137b9c6a5aa5776b2d7eda5431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
94af34a837a02b081dcbf74cc9fb439d

SHA1
a545e6adf5b218fa864ba0f3fb3185b5c483a01a

SHA256
ecb778218e899514cba83c42d986128e464e5996c6e864172b90445cb6c71b32

SHA512
1531a120b4f8dda4ad79c5c52faa6d7731eefd22f8fb83b9e19d7c8aa1596b37f43f8450a19c9683169233eccb77e662bfbc73502f2618be5492982fdce3c358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
47f77296f81ba3fb9b263ee084d3a78b

SHA1
c29bbbea2e25b68b86a54265f8c877e8f0a45d58

SHA256
803a2f96477dcad07730fdeab56832c1ad03730361fd5c2ab09f55af114aa7bd

SHA512
2310a322e26667c725f14e1ea5bbb391008aad0ac545816384fb47e49ae37b2bf2473fe5384f9aaaccb7a56b7e48aa6f1136380c8a5ed81e813a52df68785f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b21d76d5b38374ec2c0a7c11862785db

SHA1
0c24c18fe76ec35b77b0594f2668537e3864295b

SHA256
dd8507c313c30c81e85aa9911d3235e0124e4aa3f8710e009f941e5117b9aa22

SHA512
45dabf522ddfa6df15c57e662a94024597d91d9aef8b3d0f3a1885d9f3c9616c94bb75fa3609b9fffbcf3dbc710d5cf8f3eab89fa2f37023311310c806d30c09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
4144bb0254e9d384172ae6ce0cecd6cb

SHA1
f923fdf49de79c970c1c98fd1669a2999ec3b4e5

SHA256
bf6c3e8640009bf75eb962e43ff9cf7603e853db2f3a332e397ae037720e8a98

SHA512
7a273bdf1f183891cda4b9f20fdb9525ee750a1ff5dbef539226cfe5bfe18a685d9eb583e582eaab41db31a5ea9a7acc2272e87bbd488a77564553494c20846a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
74091dc8735b51483f302746130b92af

SHA1
faee57c9fbdcead0531a2d39265be1392b453955

SHA256
857b7628fe803754419ff79ac9c41e1dd84a837332db72cdccdb2917cebfffc3

SHA512
a3970400823daee43aae4c0e6b8d8142d7d82a95b38dafc1d50653d8add879622e73e89a820d2faf34ddf8f2ba37e0541936283cd61c57e46e07fb7c25391d36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
cf6753f49915ca6934087b7865c0a22b

SHA1
ae60b98cb3a7b7e67ab251e84afc6dd2c19aad7b

SHA256
49db4ead58207944609e1706794a2e393dde07502b144e755e0a006a126bd3ce

SHA512
a015fd3a0a4be247b371969756d897be121d55747d1d7040ceb183df3beb6f14a009cc19d3fa442b480bc65205b1d97b740049ce46a69365af04bf5210b66466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
f78b313dc04d96fa5404d922d42bdc45

SHA1
a885ce47964b1059f43284956910c95e74a8c78e

SHA256
d5da1ffcb3f5ca1b8f0e686c124b93f7d9e8d45d00f8d5c0c0f16032545ec8f6

SHA512
0bfd34f468e905b675a341d6ec6da838760a93940011d7696d8b19d401a0c5417acbe0d011f60650c3a9f3e9914436d5cbec4465b4e2b2b761a3d598590d5ddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
6d818f2b9ea42e9d55c4714242e66929

SHA1
45b609f49a1e54d20674d1ad6cbd4c6acc7ad459

SHA256
ab6d134f280241a0ac5503b0a943891f874b9777dd5b2010e5db6a88cbc237a8

SHA512
68f916a215971d7d5af15b45edc91e4525b5b8e5f94b6aeb23e48979e2c00fd7ebbdc1b05266c860db8575b10520deba2671e8e0d0cce928327931fba9af2c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a56bc.TMP

Filesize
97KB

MD5
5f44a9ec4e8e4599cd7d3e3f522ef031

SHA1
d51c906c94537de709521947dd9b904cff3590e2

SHA256
13537a051d578f1d2e0a0033b0d4f61d1bf1828b1820a65062f1672ec05770d9

SHA512
3190502dfdc0ed2395ddbb2a104bdad626692847af11775302cfb5911919a91802fe40f53588869211437390b9fa600431749e92f9057f49bc190f60ec32b72d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pazletfk.exe

Filesize
600KB

MD5
4e4cc60c61385734a7659d23bd1ed53e

SHA1
58c625f04d82a54daa5a8387b55adfee7d4c11e2

SHA256
f376040216d0d216f8b80b501795078c504c20988c3c9a5a07a09bca8909b9c5

SHA512
650da44440378ac41dae83b99f10eb79d9bcf2268507093324eda48542d213b80df5721f5ed4a77e7f56dd39491d2b65a5adb7f04dc56b6f747e71bd4f3ff678

Download Submit
C:\Users\Admin\Downloads\RENEWAL.zip

Filesize
364KB

MD5
cdb85d64a6df5f48477931ec3c2df14e

SHA1
72212e655058222424b98960edc45d349568ce33

SHA256
e101746b116f24163e6f8c4b280eb3c424c6ac913a93b91f1afefda941f78644

SHA512
6d6fe8b855eaf6c3ea9e4f5c5bd5fe9452d138a786e4d75ca8ba354e36f7d4a4989c5667e538185fd80ee6be469970fde14f7fe3f44efadad6db8ea47c7be8c9

Download Submit
\??\pipe\crashpad_5088_RCNYKNNMMYUDEYVH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit