kutaki | hxxp://virind[.]com/[.]well-known/tools[.]html

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://virind.com/.well-known/tools.html

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki
Kutaki family
kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tzqjbafk.exe	NEFT Payment.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tzqjbafk.exe	NEFT Payment.bat

Executes dropped EXE 2 IoCs

pid	Process
2148	NEFT Payment.bat
1652	tzqjbafk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEFT Payment.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tzqjbafk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3732	msedge.exe
3732	msedge.exe
4032	msedge.exe
4032	msedge.exe
4800	identity_helper.exe
4800	identity_helper.exe
4852	msedge.exe
4852	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3760	7zG.exe
Token: 35	3760	7zG.exe
Token: SeSecurityPrivilege	3760	7zG.exe
Token: SeSecurityPrivilege	3760	7zG.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
3760	7zG.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2148	NEFT Payment.bat
2148	NEFT Payment.bat
2148	NEFT Payment.bat
1652	tzqjbafk.exe
1652	tzqjbafk.exe
1652	tzqjbafk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3168	4032	msedge.exe	82
PID 4032 wrote to memory of 3168	4032	msedge.exe	82
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 2996	4032	msedge.exe	84
PID 4032 wrote to memory of 3732	4032	msedge.exe	85
PID 4032 wrote to memory of 3732	4032	msedge.exe	85
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86
PID 4032 wrote to memory of 3684	4032	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://virind.com/.well-known/tools.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb91b646f8,0x7ffb91b64708,0x7ffb91b64718
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,589154355782685296,4781734780171939208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3236

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NEFT Payment\" -spe -an -ai#7zMap17132:86:7zEvent19543
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3760

C:\Users\Admin\Downloads\NEFT Payment\NEFT Payment.bat
"C:\Users\Admin\Downloads\NEFT Payment\NEFT Payment.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3852
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tzqjbafk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tzqjbafk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
907525f06e4dd9b6cc436396d834cd81

SHA1
cb4dae71804a9cc60e889df2c929f88c410c4ecf

SHA256
493321b2c84f1a0286f11077083e252547e2608a2749ecd09cb0cb9c91e7c17b

SHA512
5627abe4d1e30dc6eed215e02e955e158697f0537e75e87b0360eaf5a8b2fca7a9b8760e27ff50904c84dfb5f4b1cff6718955612d3e377e601fbd62017e8f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
755f55ffc32a064de97441bb284ae560

SHA1
660826c4319cb506bb823408cb90371be62d28f6

SHA256
aa676642398ea189de9f88f27cdaed65c2148ae67841269195f7d2d091ca874d

SHA512
aafc75b709e30ea8ae7dbf43262d68e3f05cb95dad88a213a99d2c11e20758ac252bc755c26d875954e9fad4ce8954ff03a06403351031f052b1e514712fd2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
073750675e7c819fca95491f886298d9

SHA1
6755e7263f2116d9cdeaea583944dae216905023

SHA256
06fe4b66a9c4abbff4e38408420941018b2d508ec47351ae9fdb9c1e1e8f7617

SHA512
48e06aef34e0fa2732884ae6f39264b79db2f01db7209892147873fb0589181587b8259970e2cc36c8d0c298040ec5982597b30ed92bc6fe34af5b548bd65cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
11bc1ee9cc733a54f880e9649dcae340

SHA1
cadf3cb78e70d339e8f91e26d8ad91cc6f314d24

SHA256
5d4d849b1a4d828215a1abb83ad18a64db1ef70431f6c8ffae43e316355963e8

SHA512
965a61743d88c08e8144b920a06c78eb8febfcf2d7d0a339f6e551975008e87c61a4bf8a70040a531995960f09322ffad69efc473d30561b8629c9fda7bb4d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee67846d9a5aab687c339124f55a03f4

SHA1
998857fbeffc87875c64008a3db7677bda3cd1b1

SHA256
d88770e7755f4d5a9eb1f5f18848193e5967b5a837f51dde034455c49395f293

SHA512
ca91f360f71e3a4900689a2259d86e222ed4b8bb2f8a8ed19da9331e6c9f2910a728cf556cebf619433f45dff7ed98e51441aafd91d037a329055a6992eb46cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9c76e45ed13f2ce99aeeb3cbbe7bfdc

SHA1
c33a3b9a1fb197c4ed2265239cfffbc1013a1245

SHA256
ac1ac6768d0f74a78fd97f1188704cf34f3f6f715f088a28662339afaaaa9090

SHA512
d7d85b7072b6db868b654e1c1550643e9e7de04f7a686bfc1f5cabeadd3218a52dbf509c522eeb5270217c2f1042e21dfb4ae83e0f67d6d51594c079c109228b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2d76c50364a84d66575408729ea9075

SHA1
358fed398789994e3ec2c1448cc9849aff6d6409

SHA256
8820f29290a1ece6e1d153b9ddee7015a94e0b2438805ad3c652af382f39e913

SHA512
5ca48a4078982430015d7aff4fd14ecba0518f702b805fecba2e32a2996da8e59a7e33be4719d4120514ac85f54712f1ecfb7cb9948497934c4b30f22e05c5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f892f90377b45360d5d49aa9dce27b77

SHA1
f8fb6aa9731af6500083e37295920ac0828429a1

SHA256
afe65aa05fa821651da3737b63d023b810222ed4c733205e46dc2bcbb8d85a7e

SHA512
c20a3c352c94456b39a7578370849fff3b032e8dbb412cdbd20748f4ffa9c8f59a07d4e3dd1366d4e59241dec5482c2e04baaf5b5ffc639818176451552e2d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d2d72e8c40c1ddaa9e7cfafdbf5e29e

SHA1
98ed35ef7db22898dc0fa3fdfc5ccb269751a80b

SHA256
c7b19023bd81db22958e378b8c180d362f0aa1547cf5224b60e43c2997694e0c

SHA512
f94db7b948e82b406c7e2b5b443326ab28cd99f3ca167e00379e93d562089284924f96ccd8f640a9a5c19e6d63c9d7382942707783ccea3af59151ac0ea966dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4343ef58e6bf6914227f4f98052667a8

SHA1
f55d4657cd753ca6887c43a5f7b16f6587a194f2

SHA256
3723e9efb55cb7d401e753cdacc8e23666ff413c9ae81cf4258998c0bcd93ce8

SHA512
127a2193736f6c3f51fe64b47a0909f06e7adf8ccd3a9395b125955a061d0b0144fd164d161c60f0d13f45c39f68520bca9d904dbb8afd29a015a6ffc434c938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58878a.TMP

Filesize
48B

MD5
aac543953b84e54fe5718f3e8cc38e1a

SHA1
702441a225d3a22b63c7bde76b27b11e6deebb41

SHA256
87994bf88b18ae8ae31e3dcc659cc6bcaf9e6855d9b281b0308d93445962f6e5

SHA512
bb9831d24c974905f65ea7b36cb47fe45fa14e181b4b2e74944ef6605dd1f0f1e4673660e9938a6c1cdad191b38fa6c5393b220f37acc5f29731fcca01bcbcca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5d746417bfca6a14c8e9a1a742b380ad

SHA1
3a3f52401473d7cfe862fae3f3435b436197fe52

SHA256
dfde7dc9641641205c5a65131a656a9c111a583b0343901f6d8b85a3d3a545bd

SHA512
ad7b83f7b543786f8fe95c00933f3d4c842fdb038ed251581d110ebfdbad956e67b9a3891d61c9eb637a44e99a5cb34ed2e0c93590b3484a794f117e6b7a774f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584bf8.TMP

Filesize
370B

MD5
96d22527c76d8204dca5ceb0063e43c3

SHA1
144bdfef0e93b7aeb7871f0d6355d1374800d45c

SHA256
8382d7805436487ef5f0fd05e2250f4ee8a33f614b907472ee9fadf24062fff7

SHA512
696f357bb198c3879c5f5d3738a1bd63bd731c60a4eeed849af13512c2579abd71da9af1d20ff3c7e943c0901beaa11313688df91f5e5eb06e4784b0e9249ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
76f495828c30d3ef69f683b5d2b335f0

SHA1
2599b5b5d4b67965e75dbfdfd639bca453d37032

SHA256
410a4d57639a17fc805957a438d9c762a73e413e209f601a1e7e620851a8618b

SHA512
d0d001f73b622d77da7b5bf8b0f8d402653a288e0d776a0da3de38663bf23cfe3a45e95c7511ce6cadd65d559971c92c53d15678bd098f7fa41ca32cd03dc877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2480d72db436acf45f84159b991fa1f7

SHA1
695287b184da79d572dbfa930c49a46df969edaa

SHA256
c1ecbedd46a088d6648725fdcee6c89131262331182c3d49f7f16b1fc47cf45d

SHA512
697b6ccad2158bb30b1bc5de4c7bd7d43d96da56506b38e1ec71038cf2dfbaed12e45bff08c483acb1882fd04128b0593fd513d9d9517e43b88d9fcfbb11dd91

Download Submit
C:\Users\Admin\Downloads\NEFT Payment.zip

Filesize
360KB

MD5
7bd5da97715641adc53b0fa9734c1cb4

SHA1
786493c1051e472464fe6b090febc84f408d83b7

SHA256
35d53fad9779cd59f42ad1d90e7f1c5248fc09a470534f410f2cc36e96a053ec

SHA512
bf584cd4bfc9176eea94661379942031ab954de5990d37252d5e6bea45be43ba3973d289faa752bc13334a0724262de35ea1039fa8821478a8187e69ca87c1d5

Download Submit
C:\Users\Admin\Downloads\NEFT Payment\NEFT Payment.bat

Filesize
588KB

MD5
eb2c8e790efe81735b233cea1588ce5b

SHA1
9677e334dcf3be113f2989d356c04d1633401464

SHA256
f1a959a8ac860d76631dc42ce43ff4ba097e624e22f93317685e9b9a54d307b9

SHA512
5d11731cabfa829bba74e998ab4c54062a2578a4012f70a0ac0550bbacdb3333f8d3d6f1862233ea809ac591704f4db38260e452cd46ca7833a4cc323ba035fd

Download Submit