kutaki | hxxp://placedex[.]com/ksheb

Analysis

max time kernel
144s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://placedex.com/ksheb

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

Invoice No 80659.batInvoice No 80659.bat

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe	Invoice No 80659.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe	Invoice No 80659.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe	Invoice No 80659.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe	Invoice No 80659.bat

Executes dropped EXE 4 IoCs

Processes:

Invoice No 80659.batzeoeuifk.exeInvoice No 80659.batzeoeuifk.exe

pid	Process
944	Invoice No 80659.bat
1616	zeoeuifk.exe
5056	Invoice No 80659.bat
332	zeoeuifk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4600	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133361164984185658"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
4416	chrome.exe
4416	chrome.exe
1340	chrome.exe
1340	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	Process
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeRestorePrivilege	632	7zG.exe
Token: 35	632	7zG.exe
Token: SeSecurityPrivilege	632	7zG.exe
Token: SeSecurityPrivilege	632	7zG.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe7zG.exe

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
632	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Invoice No 80659.batzeoeuifk.exeInvoice No 80659.batzeoeuifk.exe

pid	Process
944	Invoice No 80659.bat
944	Invoice No 80659.bat
944	Invoice No 80659.bat
1616	zeoeuifk.exe
1616	zeoeuifk.exe
1616	zeoeuifk.exe
5056	Invoice No 80659.bat
5056	Invoice No 80659.bat
5056	Invoice No 80659.bat
332	zeoeuifk.exe
332	zeoeuifk.exe
332	zeoeuifk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 4416 wrote to memory of 3164	4416	chrome.exe	69
PID 4416 wrote to memory of 3164	4416	chrome.exe	69
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 3484	4416	chrome.exe	73
PID 4416 wrote to memory of 2872	4416	chrome.exe	71
PID 4416 wrote to memory of 2872	4416	chrome.exe	71
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72
PID 4416 wrote to memory of 2828	4416	chrome.exe	72

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://placedex.com/ksheb
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8d5d49758,0x7ff8d5d49768,0x7ff8d5d49778
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2712 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2692 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:1
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3516 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1652 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5172 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5348 --field-trial-handle=1780,i,777818044464258590,8499638546766105414,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4756

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Invoice No 80659\" -spe -an -ai#7zMap28940:94:7zEvent24908
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:632

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat
1⤵
PID:3984

C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat
"C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4316
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:2648

C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat
"C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im zeoeuifk.exe /f
  2⤵
  - Kills process with taskkill
  PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:332

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
814B

MD5
0e3294cbff5131e2e6b08a1c29c99304

SHA1
36a69a3e0eb6516336b5a01a4b4c38acd96877a5

SHA256
c3a56a87896e44e8789f0625fc4ec05f807ea93dfa45d8f001320c8ff43bce1d

SHA512
fefd0c337160640b17d9863a3edad9bce60d610af0c7319f52e0c4ea0339cd7818cb9bf93232c47571e46d27f64a6007083aba3f13fc5f1dc472407fb7ab5fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
61cb985626a33ff6b0360f1684886524

SHA1
53618764ca5fb5ed0fe636e08f08dd37a80298ad

SHA256
e74eff25cab2f015c9a1ec26280aeb0a780e0b272eaa2f8dbaea50760297cbcb

SHA512
5d26e0aba377457db9d04df12d3270eca7fb44c7c5714ac972b01a2e2449fc4ff5f1a2f169751ae9438a84fdfe5b261f9da337b6e92e353cbd77379fa20bb74e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4f2d788134bba7dd1db2836a1ebe8952

SHA1
3ddc535fffa6f0a4da8e9d8948caf854732a68a3

SHA256
b08d048f0339f9f810dcee80936d3569880f8ce09e64f4155a6224a5c7422e14

SHA512
f1a62fbd75c3a6c8a56edcca18e3733a8703ace1bd5ca83ded0f1d6cc2981668b74a30e8e4947a1561e3764f5c02ab33185336782b71f3edba49a2f9372e2403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
acd2230b3c3579a9099c5baf70941ea7

SHA1
96cff9bf2e928bbaadc0cf5d093058b881f00c3c

SHA256
3074a3140e4c4085d8bc407a7aaceb6296a0ef529e7bceac84f1a0b940a9d3de

SHA512
1fe08b030fc41b9cce99fc92e6a0dccb9d655b555cd4f4451c59709771752949d02576024b4f56f0a066c508a3c74130eca807ae13b6815d37ecd33d82ebf2cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f80198588600eb85fcbc6abd68f89c23

SHA1
a8bee4b4b728fe54e25db2368b679c52aa0c7c8b

SHA256
ab5e902a835f741232133266102e7042e126d23c5e28118a1937b2d37b8c4e11

SHA512
827807674a1d5ef77d70c76ad1b4c39d304ab08cbd81ef38a47b83457ada66abb06b48307ec866bea0f876adab440a3f42dde8ff6e23108a98494136ae32e3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cad0948c-c46c-4df8-aa35-3267222242cb.tmp

Filesize
6KB

MD5
00737d075704aade7ec6a7167469a9de

SHA1
c924ffaf07b8c70586a598720c3cddbd70cd6be9

SHA256
889c2af569b7d076c3b13ad43b9c0bd9f22ed35fa885a32910fb497c8e52b3a0

SHA512
e7d770a445009ef3e2b905255f49ffb86e46e3cb9e2dc24630399e52b552638409eca77c36ff45216caa6931257aeda1e1675f6cbb19d29e6f7c32517603aba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
a16052ca97a97ee3c97b093f423be538

SHA1
27eab48f8dcb0d995012acbb5ee31af6b203c023

SHA256
392394fc3776e365adf85706fbee6383f6f308965331abcb6eafe1311f83f982

SHA512
ef32994b493acf3def5f3cc0590af4cbe3d20bb91396ab5d5ff5317d9b36a15ac20771562f6bc2dc8b1aee65c8420006572bdc9a3a3f28a7ea80c628eca9c79d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
5fa0073d58b5fcb89d638dd8922d8c68

SHA1
dd1cf109fe24124532fa79ad433a70937187c5a4

SHA256
09cc3fc7a09ce42b99923e4fee730dbe4c2448c55a16963a86b81b99b65ba566

SHA512
4b343be034af1e91d5aa9e4911c47d50fe3b5f91668160732553ec96015e1d54788f885222086d3e71cf3faf5a2193c8582ab0bc2f174771093ee86d71a1064e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeoeuifk.exe

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\Downloads\Invoice No 80659.zip

Filesize
323KB

MD5
4c93b99d5b7530817d9c6862a18b8981

SHA1
53f825d197c6bbc3c90672449216de3491cff320

SHA256
8be16ee5e005fbaaabbaf9fb38aec38e1d24d5bdd81a6c503befedbf3e514ad4

SHA512
f83798e6c052cf7fa4dedd71cc41e447020388aa65878d31bf34ae21a2b04e672fd75ec24c0fd31e77443a2f2710d0b297c62cc0b7698c8919e7878918fc1ed2

Download Submit
C:\Users\Admin\Downloads\Invoice No 80659.zip.crdownload

Filesize
323KB

MD5
4c93b99d5b7530817d9c6862a18b8981

SHA1
53f825d197c6bbc3c90672449216de3491cff320

SHA256
8be16ee5e005fbaaabbaf9fb38aec38e1d24d5bdd81a6c503befedbf3e514ad4

SHA512
f83798e6c052cf7fa4dedd71cc41e447020388aa65878d31bf34ae21a2b04e672fd75ec24c0fd31e77443a2f2710d0b297c62cc0b7698c8919e7878918fc1ed2

Download Submit
C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
C:\Users\Admin\Downloads\Invoice No 80659\Invoice No 80659.bat

Filesize
420KB

MD5
faab4fd3a2fe8cb413f08e09435a6163

SHA1
48635d53b9f4e46debc72bebc86b67a8e2fc5050

SHA256
5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39

SHA512
9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd

Download Submit
\??\pipe\crashpad_4416_ITHZNDBHMKVMUAVV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit