kutaki | hxxp://bhagwatijobs[.]in/SOFT%20COPY[.]zip

Analysis

max time kernel
600s
max time network
492s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2023 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://bhagwatijobs.in/SOFT%20COPY.zip

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

SOFT COPY.cmdSOFT COPY.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe	SOFT COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe	SOFT COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe	SOFT COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe	SOFT COPY.cmd

Executes dropped EXE 4 IoCs

Processes:

SOFT COPY.cmdpiqlfkfk.exeSOFT COPY.cmdpiqlfkfk.exe

pid process

772 SOFT COPY.cmd
3344 piqlfkfk.exe
636 SOFT COPY.cmd
2196 piqlfkfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4568 taskkill.exe

pid	process
4568	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133340694526947160"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3920 chrome.exe
3920 chrome.exe
4200 chrome.exe
4200 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3920 chrome.exe
3920 chrome.exe
3920 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeRestorePrivilege	416	7zG.exe
Token: 35	416	7zG.exe
Token: SeSecurityPrivilege	416	7zG.exe
Token: SeSecurityPrivilege	416	7zG.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe

pid	process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
416	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

SOFT COPY.cmdpiqlfkfk.exeSOFT COPY.cmdpiqlfkfk.exe

pid	process
772	SOFT COPY.cmd
772	SOFT COPY.cmd
772	SOFT COPY.cmd
3344	piqlfkfk.exe
3344	piqlfkfk.exe
3344	piqlfkfk.exe
636	SOFT COPY.cmd
636	SOFT COPY.cmd
636	SOFT COPY.cmd
2196	piqlfkfk.exe
2196	piqlfkfk.exe
2196	piqlfkfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3920 wrote to memory of 4916	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4916	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4168	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 2216	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 2216	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe
PID 3920 wrote to memory of 4696	3920	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://bhagwatijobs.in/SOFT%20COPY.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9cc59758,0x7ffc9cc59768,0x7ffc9cc59778
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:2
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2944 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4704 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 --field-trial-handle=1912,i,12610258734031162288,1020437382895767611,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SOFT COPY\" -spe -an -ai#7zMap4662:80:7zEvent27706
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:416

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd
1⤵
PID:3544

C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd
"C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4720
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3344

C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd
"C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im piqlfkfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:4568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2196

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f61eb3c9992f7174055bd397b15369d3

SHA1
f14f84f706de49b5160d00611a8bda8c1e2f5d99

SHA256
e05dfa73303973a2e992036a63ed03e556d6a5084e5934441a81a9bfee1b78f0

SHA512
2d81c98d169a355ac09ba3e03c4dd40f5871ebf3e6153ea01bf9fad9937e67cedf5337f4a3841da8107dc33c700e0dfe18091cca42a14cc943c5dcf6170be110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
653298050c6010466cd9bc12851c91c2

SHA1
b2e8cd50ab18255537c46858f8ccf9bced5c185c

SHA256
250398ea1e59cd51057a0f0aaf20f1d9dee0924d217481bd5bc4708b0e134d62

SHA512
018a630b19fa551e08e848c2f765d29133a9e56cf66e061e950e143941b2fb29356fb1a52cde720bb622450b4cc75f64747e5ca83ef9fe2b62b6c9494fdef1d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
14d8f29dd9e87d55bbf2399c4ad1b99c

SHA1
1fa92a96941b4a239de54528af984e3fe174fe5b

SHA256
3636399b76e74f7eaa5e54c29db6b0b77680e9d51cf871197742e873a023c6c2

SHA512
4baa88cf6f49bde5d9710a16629979d2d30598140d08fe182d22a2d84db36e0bb8a579b408fc8fc643a44d7c5c9d383640f6f6c1ef85ec0d4b371d25decaf46f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
b9542651093bbd864f13854502e2f35b

SHA1
b5876dbb558c3b9f0aa41db783354faef6f540b6

SHA256
5475ebd7c9a890ef47bce68149d0028432b29de0b2c7c48080d79208cddd176f

SHA512
6a1aca42eb548fe44fd7774ce6e78943c9df0391984b7cb2ea56a51d7e0355fdec5569e7c66f066de6d482eb22576b6d685462ba071a277f2457d7543e3ea2f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
b28feb4a21ba94789fbee969b6902ebc

SHA1
474a141fa52aaee9cf11f7e222485bfe8c1d97b6

SHA256
7b409a475b6d95de15b8e227b5f40d725e138030af81e669c8e35473e9e8531e

SHA512
96fc0e229f0bde75e95e912f5c7652deebf4ea84fb46759db4f3701e4c7ab5917cbb8a0cb1c14cb85dc97a682e07784ea29224ebe7c76d0810e6fcb48a262b79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe

Filesize
2.8MB

MD5
d1d69636c7e17e170a0b4e08e91f4ba8

SHA1
0696963cdbf35beebe5e96595daa58bb2fbe42d9

SHA256
febb5a5a9674a449dc2a9926d26664344cc3aaaf1264b90f68309e0a4321c9a7

SHA512
504e83025bb386c7ab772d872a2df0c070ffa5d284946d8ea36dab75165f0c166055e9df3838e256b8086a746beac78408e51afce09d6dd05adec3d0e6d87693

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe

Filesize
2.8MB

MD5
d1d69636c7e17e170a0b4e08e91f4ba8

SHA1
0696963cdbf35beebe5e96595daa58bb2fbe42d9

SHA256
febb5a5a9674a449dc2a9926d26664344cc3aaaf1264b90f68309e0a4321c9a7

SHA512
504e83025bb386c7ab772d872a2df0c070ffa5d284946d8ea36dab75165f0c166055e9df3838e256b8086a746beac78408e51afce09d6dd05adec3d0e6d87693

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe

Filesize
2.8MB

MD5
d1d69636c7e17e170a0b4e08e91f4ba8

SHA1
0696963cdbf35beebe5e96595daa58bb2fbe42d9

SHA256
febb5a5a9674a449dc2a9926d26664344cc3aaaf1264b90f68309e0a4321c9a7

SHA512
504e83025bb386c7ab772d872a2df0c070ffa5d284946d8ea36dab75165f0c166055e9df3838e256b8086a746beac78408e51afce09d6dd05adec3d0e6d87693

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piqlfkfk.exe

Filesize
2.8MB

MD5
d1d69636c7e17e170a0b4e08e91f4ba8

SHA1
0696963cdbf35beebe5e96595daa58bb2fbe42d9

SHA256
febb5a5a9674a449dc2a9926d26664344cc3aaaf1264b90f68309e0a4321c9a7

SHA512
504e83025bb386c7ab772d872a2df0c070ffa5d284946d8ea36dab75165f0c166055e9df3838e256b8086a746beac78408e51afce09d6dd05adec3d0e6d87693

Download Submit
C:\Users\Admin\Downloads\SOFT COPY.zip

Filesize
2.4MB

MD5
ce3514cfcca7ba089dcdf20191dc53a0

SHA1
e3ebedd3400e4772365fa1642de188c83a33c18a

SHA256
49fa84eb7e0100a5ba2160226a8ae9173379f3655dfda70448ab5c28706c2508

SHA512
aaa392afd320bf5551694dd22ac8511755260fd063c2cb9546320d810f26c6a74cdcec9de9447e28a022b93e1a1198298bfc9e1b2cb4f96d4b247d3055ee4afd

Download Submit
C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd

Filesize
2.8MB

MD5
d1d69636c7e17e170a0b4e08e91f4ba8

SHA1
0696963cdbf35beebe5e96595daa58bb2fbe42d9

SHA256
febb5a5a9674a449dc2a9926d26664344cc3aaaf1264b90f68309e0a4321c9a7

SHA512
504e83025bb386c7ab772d872a2df0c070ffa5d284946d8ea36dab75165f0c166055e9df3838e256b8086a746beac78408e51afce09d6dd05adec3d0e6d87693

Download Submit
C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd

Filesize
2.8MB

MD5
d1d69636c7e17e170a0b4e08e91f4ba8

SHA1
0696963cdbf35beebe5e96595daa58bb2fbe42d9

SHA256
febb5a5a9674a449dc2a9926d26664344cc3aaaf1264b90f68309e0a4321c9a7

SHA512
504e83025bb386c7ab772d872a2df0c070ffa5d284946d8ea36dab75165f0c166055e9df3838e256b8086a746beac78408e51afce09d6dd05adec3d0e6d87693

Download Submit
C:\Users\Admin\Downloads\SOFT COPY\SOFT COPY.cmd

Filesize
2.8MB

MD5
d1d69636c7e17e170a0b4e08e91f4ba8

SHA1
0696963cdbf35beebe5e96595daa58bb2fbe42d9

SHA256
febb5a5a9674a449dc2a9926d26664344cc3aaaf1264b90f68309e0a4321c9a7

SHA512
504e83025bb386c7ab772d872a2df0c070ffa5d284946d8ea36dab75165f0c166055e9df3838e256b8086a746beac78408e51afce09d6dd05adec3d0e6d87693

Download Submit
\??\pipe\crashpad_3920_RWCQWDVDXHEHCIMJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit