kutaki | hxxp://placedex[.]com/ksheb

Analysis

max time kernel
126s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2023 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://placedex.com/ksheb

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 6 IoCs

Processes:

Invoice No 80659.batInvoice No 80659.batInvoice No 80659.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe	Invoice No 80659.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe	Invoice No 80659.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe	Invoice No 80659.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe	Invoice No 80659.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe	Invoice No 80659.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe	Invoice No 80659.bat

Executes dropped EXE 3 IoCs

Processes:

sdotjtfk.exesdotjtfk.exesdotjtfk.exe

pid process

2036 sdotjtfk.exe
4340 sdotjtfk.exe
4840 sdotjtfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5056 taskkill.exe
1304 taskkill.exe

pid	process
2036	sdotjtfk.exe
4340	sdotjtfk.exe
4840	sdotjtfk.exe

pid	process
5056	taskkill.exe
1304	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133360930678443843"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

500 chrome.exe
500 chrome.exe
868 chrome.exe
868 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

500 chrome.exe
500 chrome.exe
500 chrome.exe
500 chrome.exe
500 chrome.exe
500 chrome.exe
500 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

Invoice No 80659.batsdotjtfk.exeInvoice No 80659.batsdotjtfk.exeInvoice No 80659.batsdotjtfk.exe

pid	process
1664	Invoice No 80659.bat
1664	Invoice No 80659.bat
1664	Invoice No 80659.bat
2036	sdotjtfk.exe
2036	sdotjtfk.exe
2036	sdotjtfk.exe
888	Invoice No 80659.bat
888	Invoice No 80659.bat
888	Invoice No 80659.bat
4340	sdotjtfk.exe
4340	sdotjtfk.exe
4340	sdotjtfk.exe
2572	Invoice No 80659.bat
2572	Invoice No 80659.bat
2572	Invoice No 80659.bat
4840	sdotjtfk.exe
4840	sdotjtfk.exe
4840	sdotjtfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 500 wrote to memory of 1044	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 1044	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 4960	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3840	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3840	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe
PID 500 wrote to memory of 3324	500	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://placedex.com/ksheb
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9a049758,0x7ffc9a049768,0x7ffc9a049778
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4608 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3024 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5428 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:1
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5432 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5736 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5588 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3048 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5772 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5864 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=920 --field-trial-handle=1848,i,8878542091768364146,9689075231870557518,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 80659.zip\Invoice No 80659.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 80659.zip\Invoice No 80659.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 80659.zip\Invoice No 80659.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 80659.zip\Invoice No 80659.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im sdotjtfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:5056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4340

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 80659.zip\Invoice No 80659.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 80659.zip\Invoice No 80659.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im sdotjtfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:1304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
173KB

MD5
d3d1aff7a71e5f6f4537a0b3cbbd5c23

SHA1
82bbaa35980290986094ec5b2f33da17fe0e1ca8

SHA256
d3ac13e9bebf6119830ea38adf6715f42a193e7cc5834087abcd77bec3c07291

SHA512
9f5a8f657438a49e2b60db1372ced7edca4ca714efc63ff8791ff232d4252178b5a148a02b049f279007f095e7ac5b649367a2fb3dbffa14b39b637f1d30d42b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
20f89be41c8c2d37d9e200580df7e53a

SHA1
4024eb3caf1a624469a46840875fd614f8d880ff

SHA256
696a9538ebd2b937bda4f9909cb4b9d2aa10fa7ba0c1a5bc60c8a9375e8454df

SHA512
31620bc1fa1a8b22cf86c8105fbcc17937120d27aef662be1bb1d23a1cb000ff359677e4e71d45b06d30110c7bd0b046222807164e559592d964a5c712fb7977

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3a126446d7286417dd85303f67069177

SHA1
7a4549fcecfa005bc77540752d4344031142a552

SHA256
ebe4d42d489fb6aac848dfd4f6c9adecf7876ee743ff44f53a42a59ff84859c3

SHA512
93c9954d8c8f46d71230a52da05de8c3745205ef0dc4a19f706cd2468e91aa7794c31101a511895a1c0d00e59be3f52379b002d97e4a9e1b49d891a503c4505e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
699B

MD5
19f6042cd36166421392f5359ff36fcf

SHA1
9ef20cb108ba7a73fa76fdb83c03b4e5e80d2bdb

SHA256
5d19d86740bd964641663654338781b99424f53188556e9230d3d91539904904

SHA512
fb6e8cd1b45519cc2063238331217877d3ed32568e1ca8f348537161ecec9dc06d1d950abad3ac60af80dabd4c4f2f73fbbdffd09dd8da69ac49fef6554e0d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6fb9a1109b60d21b6f8c16cf9c2b5653

SHA1
9e45ce965ea1161d4d9f5162bf3d49da9064ec9c

SHA256
40aad95aef82110dbb3499045ae29e41ed1a33464e9d0655e3bc15cab5cbeb4e

SHA512
cb58908ec6bf30f8ebc454106d92f7f09a2413c6295487434972eb2d054a4bb0bfde8a3aed6acfa13a24e0c7e53a1ad33787ed54735b03fb207476aa42496dd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2f37daa89e0b7a2253f68e58ae9d3fae

SHA1
e1260377f5f4c36eee00fd84862c3f3e195d45f8

SHA256
4ca4487accc6fcf5c131db638663f52dfe3c0991040aade0bbbf44be7ddf137e

SHA512
c1bb9f7cd07b48f6a1a9a35396b6e6c3e7a981367e63caea88fe552117852a6113b040d3374b2dfcb59e3e82cb9d1a8f63f9fa3b6048bdebc3788bc6ed98ef71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e929e1a50c1455e90e138cc2d7efba99

SHA1
765b3d6c55f3ec4770537904dd54e54bafb19eb3

SHA256
0d9958572ab8fc28b055e8a93112a65541ee977d8d1a65a3f5ddd8c016be6051

SHA512
e436527070270937d268251b432c41fbeb21b0f86b958513240299d39cd4d6cbbc21be5cec075bcfa4b82aa759ee5a6fc80755b0eb8dab19004c1345b6f8f452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
46687bec53de011aabf05b5640d08464

SHA1
7c8c3b609f6ef56c7ef8bd9f8f15f38c3ae75dc5

SHA256
a57ba01b3cb5e0e11842cd8da0bd3f80c940fc4743148d5d0b07552bba91dd6b

SHA512
4d46ad8bf1a11f44633c90cae138feb923bf74441e50e813f9a83906f7858bef6dad237d017d8ca2457f8c8e7261313f108bd224432216f0389b3faa23c49010

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5848bc.TMP

Filesize
48B

MD5
a6a042f333e817e7c33928c135530dfe

SHA1
d127c61abd93aa8b99f8bb367dfddfe28c645076

SHA256
f9ebcb2a05586803706d7a87b2c00d1bdb709c570280e94386ac53af0ff7af6b

SHA512
14fb3a299d499884bbd6ca5be8eb192780503ecf3fd9cb79ad83cd1c849bc26ba1901f49b993f5d5f76e601aa3b02dbe23c65db0940252d32a44b3e9c3e5d890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
d40a3a37ff623235c91f8efa5ab1f90c

SHA1
7ef9875db7d4e7f7f9e4a70bf3db56cb3b869234

SHA256
1f246a11e0d03b99706ddbf24bb9494ea8c2e1f0dd7f97793ff56a6d4ec9334d

SHA512
e58b61e6d25c55130d3607e9e5683e00ac9f08122c56f235c0da8cc2bc8edd0051929a4d8e052cf0a6bd371174f725ad2d0e8022cff44edad447d173665ab309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
9807395161294103eeb83c99de6ae4d5

SHA1
ec33462ef6ad22caf764368aff0a15f732ce8d61

SHA256
2b42f9824fc55435edfd0819d92f2c07dfbc118d324667193be789f0ef2be87c

SHA512
8c7884a211379bab00cc23e0cdf34785893f66fd500446202af0618ab32e82ca0bb60c49fd80710b05a3d61e1cd6de9563e0b102f703b9b85d0e2f71a77367c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582b70.TMP

Filesize
102KB

MD5
b265df759a5033bd9c53790db2b0f4b7

SHA1
fa20b3d04a38cfded0995aa69e07b453acdd2ad1

SHA256
ce617edd15c7f296ec75574ed79fbe8eee4295e5dc85608280a7fb40d6fcc007

SHA512
0a41b4e1a3d217c5bb46a64d328a576fe82f70435c859edc7f9bd7b85d980f903b750d890728acf28755839a503f9e10caf8fcdeab237125e0a181fa110681e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdotjtfk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\Downloads\Invoice No 80659.zip.crdownload

Filesize
323KB

MD5
4c93b99d5b7530817d9c6862a18b8981

SHA1
53f825d197c6bbc3c90672449216de3491cff320

SHA256
8be16ee5e005fbaaabbaf9fb38aec38e1d24d5bdd81a6c503befedbf3e514ad4

SHA512
f83798e6c052cf7fa4dedd71cc41e447020388aa65878d31bf34ae21a2b04e672fd75ec24c0fd31e77443a2f2710d0b297c62cc0b7698c8919e7878918fc1ed2

Download Submit
\??\pipe\crashpad_500_RTMCTVXSCBLFKZEE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit