kutaki | hxxps://nlockl[.]com[//]Riverfront/fonts/losm

Analysis

max time kernel
168s
max time network
163s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-09-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nlockl.com//Riverfront/fonts/losm

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

TRANSACTION COPY.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnpyrvfk.exe	TRANSACTION COPY.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnpyrvfk.exe	TRANSACTION COPY.bat

Executes dropped EXE 1 IoCs

Processes:

tnpyrvfk.exe

pid process

3772 tnpyrvfk.exe

pid	process
3772	tnpyrvfk.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

TRANSACTION COPY.batcmd.exetnpyrvfk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACTION COPY.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnpyrvfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700185418220124"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings chrome.exe
NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\TRANSACTION COPY.zip:Zone.Identifier chrome.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

2008 chrome.exe
2008 chrome.exe
4564 chrome.exe
4564 chrome.exe
4564 chrome.exe
4564 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2008 chrome.exe
2008 chrome.exe
2008 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\TRANSACTION COPY.zip:Zone.Identifier	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

TRANSACTION COPY.battnpyrvfk.exe

pid process

3044 TRANSACTION COPY.bat
3044 TRANSACTION COPY.bat
3044 TRANSACTION COPY.bat
3772 tnpyrvfk.exe
3772 tnpyrvfk.exe
3772 tnpyrvfk.exe

pid	process
3044	TRANSACTION COPY.bat
3044	TRANSACTION COPY.bat
3044	TRANSACTION COPY.bat
3772	tnpyrvfk.exe
3772	tnpyrvfk.exe
3772	tnpyrvfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2008 wrote to memory of 2908	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 2908	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 4596	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 728	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 728	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 1708	2008	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://nlockl.com//Riverfront/fonts/losm
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8209fcc40,0x7ff8209fcc4c,0x7ff8209fcc58
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3040,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4308 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5064,i,1085680220544441305,6270537725941574660,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4564

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:72

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3872

C:\Users\Admin\Downloads\TRANSACTION COPY\TRANSACTION COPY.bat
"C:\Users\Admin\Downloads\TRANSACTION COPY\TRANSACTION COPY.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnpyrvfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnpyrvfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3508

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\TRANSACTION COPY\TRANSACTION COPY.bat
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
df0cb674758530197ba2a46aba67921c

SHA1
adfdcb3aeb64c30353128f53855c846a281d2907

SHA256
d03b28ea2e0e71723db244dc73de2f8f8a04f56730d9f86c086778fd5de69e02

SHA512
f20bb2d79eb32e08fa13af46a073c1d268f14f0f9790358dd573b18d5fee9b26891d524236dc7add608ea0738da1281547a78aa5005ffb88231e458bec6948e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b5e7cac05c53efdd80697633ed0874f4

SHA1
72000db3e28642176d6e54b28fed56cd0935a04c

SHA256
9d0d8aa4fc37476ff7e17c5f24d974714f48ae05cf9b2f60a31c5f9d8695e902

SHA512
a56fe4dae0d434fe5fb69ffec6f34385f38dfd451828f12e0accc63472c29886572098c95bbe4b195a5fba193bcce3b4d0338e938a3c3a3a01a556c88d3c610e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
7d4d8d7757a5665e2e72ea519789f63d

SHA1
fd860e8e7659604260636fd540269227fcfbcc53

SHA256
00cc6dc8c22b6d5a7fe7e0ac5d425078d19d8c7fba4577fe7619db4e5a5a4873

SHA512
91499fc1031db929b8255270282f03a3ce12d4e270a60131ad1ab53a7c6fe052d8564fccc2ea3c175b9933c97116733ab7a77bdc5af872067f12dced20f1dc0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bfb8a7380440494fd310b0fd36c8f17

SHA1
b41c4f6e95640ae0e2f37c16663cb55117e44133

SHA256
deb8be194c31d5c37e5e3f20317ae0f2ff648a95b3fd92adef83e43615b4f6da

SHA512
af8f47851289766d3814c5eb0613876375f4d6e76f57739d0ccd243300dbaab7198a85149bcbf583b36391d7deada58a23b0389aaee8668160660bc7596249a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed38c706300f6886bfcbc25f0bf7f513

SHA1
726f3b4cd8b4281dcbc19d325ad5315d79e7a6ba

SHA256
015819626368842f8c370d9a7c75f4eb4feca9b15d693fea0176ba407963ecc1

SHA512
990a7a26ce5a7193075134a1c9eb8983427bd427d72a7d4bd9c8002570dba56b04f35dd57ba91c353f036c3eabd18aa6489cf548cc7635fa3541cc504cee9214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f7e54ef53a4042b2c8e8adf7a9c38fe

SHA1
51492a5a7aeb1cd51946e6f2bb005a68ed68f967

SHA256
352cf82ab9c5827285e8edeeac8fd15bf7537bde32fa03b73b7e224ccdd367ed

SHA512
162c20904cc6471e6b3dab409ae5b563653fe7ab597373b150744c0bf6f42c259fb631316be193cfabcbd12789e35db1ea0f051d9c65cf9c8b3db1d6161a4c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ad7cf766649ae681f8624f176726e82

SHA1
1e4bb1019d88eda94f5ca312d0a7f0953acff4e4

SHA256
c1ff0757b05f08c2b57ae84acfa091bebd726f730d0ef030751b37220288fee9

SHA512
7e0e6ef033fa2a9d9b3b19b14ffc29396c1716204eeab4563fb8a7c378506376be5fcc8aa0f9e27f6ef2b6328144acae89f0b695188c11cf37123a2c5fe7f01d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a4724c210a1efff2074f4218df17ded7

SHA1
8dd626f7b3711ccc05d4277cfb5ed7f520f4499a

SHA256
56dd55c2bd3055bc7cfb2e8bd010acf2f22eb434fdaa77f197f3bc9574196d1f

SHA512
81332cc4099033ed7e8bfabe6012f589841d7e9f08b72cc8f2998989e843774e8fbd132cbf696bf0aaa2cbe10ef93f13124a7a13431d316b1318420c94094d08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3734e850f171793aad816f683ccfae1a

SHA1
32a5449f560a1401150f0124ca0b247d96ac59f5

SHA256
17d6551c9480c5791bedb9b8edc26961ec0dc444f3b09f28d309c98e73a03460

SHA512
d583e2d7c2231bd3db869a6a6bd2f008af250b335fb273d16d06ade219496f95ea8993a8ce399e495f3736aa4ef5edaab740faf5337e81e0847a23ec394ab7c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92086cea3ff29559016258ba65c25ddd

SHA1
b0ec3d5c99bf7961342b8bd09876f1bccb06e40f

SHA256
44c040fd30e6899f3cbd7d9a1b8fbf4035e9e7cfe2be62ab64cbf3e3b030ebc5

SHA512
dfe9d924752b88ec033639dbb71d06ce6e88318baab637521fd439ed1bccc09bfd8e40972d02d369dd2f55d7589db2177b06f78aae5e61d8155be5c31b77062a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56a8e67a5194f96827d96fd9123749d1

SHA1
6c799b8590d4c2ad844e1424d4d70e75f8d28f6a

SHA256
815243696da6a16828eb095bfe765051f659f55864cdb93680afc121da152aaa

SHA512
fc381f1deb28cebe2b09fbb5df133b396520141da9915ec958bf726535f19933bd20f9f5e83f8375e6befd8059b02c1a14241bb95f487c8b7500316f80007512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
829814fce776324ca75efec9da30ce53

SHA1
610ae6056c93883f39b563767904bda789d024c5

SHA256
e850163b09ff83de4a61fa33b046fed89928344b56854a62c32907d18099bf16

SHA512
bcfca69bf1b1dfbb4d66317ab35d1e783663ae269a5a140298f5f81140ca980449b143005b633036d4793dd98dada0c592e64be9622d8264014a5bbd3e1980e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e506b6b8430f692d0d053f2c29ce534

SHA1
2c1adfbbb23c5e1223caf374c18ab169ef2eaa65

SHA256
85ecfa1d0ae40ba92ccf63532de4a6c70e3929fd16b5b338b4949928aad37a1d

SHA512
0c0ac2503a027955076891c055723d9fada1184b595f8f5e47e08c03ca37ee699a5429c80bf9b05c36c7f509c5a475ed140cfc24d5ddfe744941c654c1de17f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
859b69e4e4a1d7a58b36658e44583dec

SHA1
ea2be93e2badbda41909dc7f96f4a98a6df2922a

SHA256
c449d55c5c0d0861eced015edb927a9925f432e5ab4aa4cdd7a90e96849390dd

SHA512
8e9776418811c8640781449642ef76463b33301d4989366330c392a8e3df7d2ab830f9d52ffa60ab7e03bd392eecddbfa63036a5d6e5b05a48771e3c2b8ef164

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
08a78ecda3d78dc09730c62a168e92d4

SHA1
d379e641c06a78533c99d94f0905b833ffbbac28

SHA256
a16211deebd1dd0523aecd601853b70eb8fe53a5fc30ed72167d8cb3e7493719

SHA512
82ab948db063d35079761af528561d1386f532dee5ba606a71f51c64ee04323881e16dcb337f5114d4eeab25e4347e9e7ca7d17f020678b70d87ee24bb28acbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c65861d5fd102f9617efab78571bc390

SHA1
f63108c4c30c4fbb8c189b3b82c090310b628413

SHA256
d51fe4424c855864f7570446316ab2071b7b35a6ae44d33ee5841a657b215b66

SHA512
a1c7b96720c29867a9cb287a6562afff80d29c8ca3604746e86268773752ff9b4c975f53b2f8431a4e230b91dfbb4251d91ecaa4cde4bd6e51dfee230f41d937

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnpyrvfk.exe

Filesize
520KB

MD5
8fa44bea759fdefdc8c2a6cf882c6d2e

SHA1
6a289f0cdb5b77130670b64122416c3c9ef5e534

SHA256
bbefcbcfa9d149047d2538e01d9e013f55a51b08045d0b6f10a438dee6a5b35f

SHA512
74a67a3a286e581519d0fb6cbf77f421d15bee948ba23227690a5eb1813c137c11d15e8ab1e98fc07ce2a920463d1c1d048b49353496e2064eabeebcda92325d

Download Submit
C:\Users\Admin\Downloads\TRANSACTION COPY.zip.crdownload

Filesize
342KB

MD5
7357c6b5ddedee32665c204d7ea403ce

SHA1
f2f966b41c7a2380a03d0fce752d90bcb96566b3

SHA256
e6d80bd94b1ae0447400815ddb4b3db4737ce17962f4471410d892306a4f8133

SHA512
91bc5d6a34a70a3ffa49a6191290997c04db2418e4f52b903e7d6c98aa24ff9bd7a471c22aa9a86417978aa46c0d3715ead4a577ea61d8624bc49cb80712a0ef

Download Submit
C:\Users\Admin\Downloads\TRANSACTION COPY.zip:Zone.Identifier

Filesize
326B

MD5
fb0681c4801fdab2f88b00879c735f89

SHA1
42b8357d44c42d65d697ba10606cb8d53eeef6f0

SHA256
dfccc319a50bff4b2a58875d4eb8d3c9acde8b801d11dd835d892912ab0d43a0

SHA512
a13657da95d9c3d7e19c741087c85c79df406dfcd4f94927b1f8037affa820de84efd6022b9cc31d80a177fca3a15f0f4316cb615acb2c99d425fbee20a3ae16

Download Submit
\??\pipe\crashpad_2008_UMJWOISQKVGNWMMX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit