kutaki | hxxps://skgl[.]in/[.]well-known/acme-challenge/tools[.]html

Resubmissions

12/03/2025, 22:22

250312-2amn6avwgw 10

12/03/2025, 22:11

250312-14cklswnz9 3

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://skgl.in/.well-known/acme-challenge/tools.html

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki
Kutaki family
kutaki

Drops startup file 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe	NEFT.bat

Executes dropped EXE 5 IoCs

pid	Process
2848	utqjypfk.exe
3344	utqjypfk.exe
4732	utqjypfk.exe
4748	utqjypfk.exe
2724	utqjypfk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utqjypfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utqjypfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utqjypfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utqjypfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utqjypfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEFT.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEFT.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEFT.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEFT.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEFT.bat

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
3692	taskkill.exe
1652	taskkill.exe
2180	taskkill.exe
3456	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133862917861745020"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4512	NEFT.bat
4512	NEFT.bat
4512	NEFT.bat
2848	utqjypfk.exe
2848	utqjypfk.exe
2848	utqjypfk.exe
4368	NEFT.bat
4368	NEFT.bat
4368	NEFT.bat
3344	utqjypfk.exe
3344	utqjypfk.exe
3344	utqjypfk.exe
960	NEFT.bat
960	NEFT.bat
960	NEFT.bat
4732	utqjypfk.exe
4732	utqjypfk.exe
4732	utqjypfk.exe
4208	NEFT.bat
4208	NEFT.bat
4208	NEFT.bat
4748	utqjypfk.exe
4748	utqjypfk.exe
4748	utqjypfk.exe
900	NEFT.bat
900	NEFT.bat
900	NEFT.bat
2724	utqjypfk.exe
2724	utqjypfk.exe
2724	utqjypfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3364	1436	chrome.exe	85
PID 1436 wrote to memory of 3364	1436	chrome.exe	85
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 384	1436	chrome.exe	86
PID 1436 wrote to memory of 4036	1436	chrome.exe	87
PID 1436 wrote to memory of 4036	1436	chrome.exe	87
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88
PID 1436 wrote to memory of 456	1436	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://skgl.in/.well-known/acme-challenge/tools.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7fdbcc40,0x7ffd7fdbcc4c,0x7ffd7fdbcc58
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3872,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4404,i,7823929606098624111,11876615656571295574,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:3328

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3728

C:\Users\Admin\Downloads\NEFT\NEFT.bat
"C:\Users\Admin\Downloads\NEFT\NEFT.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2848

C:\Users\Admin\Downloads\NEFT\NEFT.bat
"C:\Users\Admin\Downloads\NEFT\NEFT.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4340
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im utqjypfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3344

C:\Users\Admin\Downloads\NEFT\NEFT.bat
"C:\Users\Admin\Downloads\NEFT\NEFT.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im utqjypfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4732

C:\Users\Admin\Downloads\NEFT\NEFT.bat
"C:\Users\Admin\Downloads\NEFT\NEFT.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im utqjypfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2180
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4748

C:\Users\Admin\Downloads\NEFT\NEFT.bat
"C:\Users\Admin\Downloads\NEFT\NEFT.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im utqjypfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
26b341c94cef38617d79fe11ed4e4448

SHA1
71eee0c9faa745eddf25de0ead1c35c402de9d9a

SHA256
60ace50b94efa22c192908691954b75e038e92a4284fc51349824e81fb9a5a41

SHA512
526e5e21f5987e62d25acac9117e753d31ec36ad5c6740ca37cabe5b3de7a54ce5cb8bcf4b487e64d252507a2f8d67ea4d15e400c92afb71ff32fdcf4d970ea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d156701c7fc28e027f2b3428dee7fc29

SHA1
4292efd635b5214aaad6c65c1afe690b16e25302

SHA256
b5c60591471c1674aa86532efca39400e006a6735519f159119a7a0f9799fa2a

SHA512
de2212ae34b0e48ed12f8bd8f278897b4d06d6e49fae43fef5276cec757f3e8176551c5536b25812d990706f4d7eda918d4230ca355590a7b3b3bfa50440ea2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
ce47c3a36823d3164673c55634eb4711

SHA1
dc3edea77ec53a34709b8966a35e08b0c8f15e47

SHA256
35a2118e1473d18778ac202b8aafe0e4997fc0acf699ce50a293d2b1f55300a7

SHA512
a5d55940b636f7a4f70cf28426c21c234e73996a24337348c026b74bfd92fce3d81470ea1c02e6de1e2e975025263e43c820ff599e2e95a5d2ea6b3d683469a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9520f0fef7f9661fb04e8134af11ae9

SHA1
c0444b673478ec7c7f9f91657be46938275df5bf

SHA256
8d00d5cc0dc94bba84b2be809ebb85d960e10070312d2e63ea233e6cf2d33985

SHA512
5e185422c967b3eba2d5b21f8f911ef44705152e5e0beabd18a6a1f8e372ff7709dd7bad5441da3b5ce06f90191764ec591ff91587a9165455aaba79c8ba4504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b5c1a26c3d895bc64f67da563d2a1d4a

SHA1
edbfd44146efa531344cbb53e3baeae9c4e62413

SHA256
ef280a24e98f25dd2fb2bd52932af7dc5c84c113342cba8026ed781d5f1afad2

SHA512
7ddb9c21954ec12b8d017186420352dc58e08b431f8a85db99095b85f8137db6a2679e5b5ee119233c24a1556a9a4bba0b40d36f401b277bee0622b5d84f9726

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1247de64a551bed0180d2479372154d

SHA1
d7c1be9f77110c31bb136301aca179b731483630

SHA256
9b83ed561d3deefa1488a2554c1da8687db48ef8877dbc96f38d9591f62354b0

SHA512
59b10ab665f186751540c5b5d19a030f4213d2724f30ab960ed1dcd763b8c686af06082492c13d5ac0ee1ee6e6bb366ff3564dee413b9d1b6f41c4bef1092185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0d93fd7216e1b174985610b9e3b14ff

SHA1
245182693c1ad88ee71b34f5661fb3ad4b61dee2

SHA256
9f753e75cb920c4496ac04e74dba5731a4494c5e786fd835807784855788c782

SHA512
7c6e3c0bbe43c537fb7bd96f6b6c32a260aa84de7d4aa6453f43aa8a23451af500a1bddc3d4a88f48e7c86e7dcf7e7ace0ee9d23a11dbda868b52936022d4514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e32da5f07f22fd2569c3dc6c9e10c3f

SHA1
c6d07046fa017113f3dd3f10c6687cdebc3ce6e0

SHA256
3c210404c2d12b8e0f5d34a5235fdc3490b9a51c6c7c81bfc35b6d81064b4914

SHA512
42095ca18cc26b2ca8f5060f5d9c673c0b6da269a8a7e05dc76f9b7afd1d936a15db8c75a7f76c9799327bd380ee634abfa45bbc89338d76017c9cb4c289e005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
a71383193c8f35bceaba044a48e9923e

SHA1
edb15a03c46b7e4a784e2d9cb39ad7a84488ec32

SHA256
8eeb96885e1ff281691774d33f10604ebd5ee8fe99053cd646f5a460eae85901

SHA512
7d5bc1d80d458c87a6601ee7edbf45152cb3484660c56f24368cab095db460019e808df3e30e92c00353bcdfdf54bd8a285e3f951f0481f4df94e31375c45e47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
af03eedc63462359876c2ada19e9e71a

SHA1
0fe3c8b10815d7a42e80dd26c133de1254982244

SHA256
9a9c477d6c687217eafc32e248380e64861a14dd72948e7947222ba69f5dce20

SHA512
a759dc770a4fe099044db23407c909314a6f3635e265c898fe419645099737d7e54d25de5573d687b9d72c5949abc1a2aafae48915eb558b027e6d9ec6df5e68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utqjypfk.exe

Filesize
752KB

MD5
9dbd964a2bc35d8520e2a02d2a126482

SHA1
1b681ceec5e4598a6212071374277a5eedf98e3d

SHA256
94056903a54419a77beada550c2582de99ab9215f647949dee26cf5a5aa270b2

SHA512
f0f3a66d784615fa52819f6998b2bafc336474533fc5fbe2ab165e3d66d54c4342ad824ee305e194b2692707cdd6df9464dd987ee8961b2f903a456ccc1b4c5b

Download Submit