kutaki | hxxp://raagamayuribuilders[.]in/kautgk

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2023 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://raagamayuribuilders.in/kautgk

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

NEFT_Copy.batNEFT_Copy.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe	NEFT_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe	NEFT_Copy.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe	NEFT_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe	NEFT_Copy.bat

Executes dropped EXE 2 IoCs

Processes:

urdyrxfk.exeurdyrxfk.exe

pid process

4544 urdyrxfk.exe
3312 urdyrxfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4544	urdyrxfk.exe
3312	urdyrxfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

796 taskkill.exe

pid	process
796	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133379267303189673"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1444 chrome.exe
1444 chrome.exe
2556 chrome.exe
2556 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1444 chrome.exe
1444 chrome.exe
1444 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

NEFT_Copy.baturdyrxfk.exeNEFT_Copy.baturdyrxfk.exe

pid	process
916	NEFT_Copy.bat
916	NEFT_Copy.bat
916	NEFT_Copy.bat
4544	urdyrxfk.exe
4544	urdyrxfk.exe
4544	urdyrxfk.exe
3360	NEFT_Copy.bat
3360	NEFT_Copy.bat
3360	NEFT_Copy.bat
3312	urdyrxfk.exe
3312	urdyrxfk.exe
3312	urdyrxfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1444 wrote to memory of 1216	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1216	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 1852	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 3988	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 3988	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe
PID 1444 wrote to memory of 4736	1444	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://raagamayuribuilders.in/kautgk
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffeb3109758,0x7ffeb3109768,0x7ffeb3109778
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:2
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2668 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:1
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2660 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:1
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:1
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:8
2⤵
PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:8
2⤵
PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1880,i,12856117168432595091,6033205210492207873,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:3660

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /im urdyrxfk.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7411666d-8b73-4e3e-b502-f0c054cf9cff.tmp
Filesize
6KB

MD5
8389607123d1edebc2370e184744e2f8

SHA1
debbebd57f62583df170540718da1c7f46758d9c

SHA256
326d42246918251cbae93c5801d0978a51322d84e6fd33dc6f535e06fde835b0

SHA512
a4543ed7cbf532013dcfb983658dad557850fca9411bf999f69262e3bc03eaa8a197800a462d0568cd388ef7511ee6f9b5991d63decb4e15aa03f0be5c96abad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1007B

MD5
a542983db51d3e57b72e655f01d7aa55

SHA1
192e311052409e7454d998a310c1bfcefe165231

SHA256
eaa20942ca2112f07b2388a9bb917f81d56e461235d7cb711039fc46e6b8d7b2

SHA512
29daedf077148587f93fddb1abcfc2d2fe2dc15480c8caff27c293619b4462b73c880539ad9bdd603f0ada7bdb471cf3775dc4d666e695df8f777b4028709368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
3a93160d02837ac300e8803b36448119

SHA1
314d7bf009324326b6260f8c514e6e16b48cc134

SHA256
c2b1b7ac24bec938538035e9c878eacf2ce1c57c0bb75894d793190b4bfdf98d

SHA512
d998dd22083696567bb1b0e3a88012fbe4629d16771d3471db184684173465445f2f4607030840f3b45741e7d2cc51f75b9ac10bd5fef373b2e5e4b977b08eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
87KB

MD5
e506df3b52eb6d681ab6b782bf4ef171

SHA1
06585c50a929a0e4cffd5ada6817ef93fbd902f8

SHA256
b37f76423b208ad02c66129f68f7109e312cc6db837b140625f58548156901a3

SHA512
e0252a71b8a4eb4d5c277263a658f8fbd664d43390e648e77fed3789b0dcc940a9336cfe049a7150578769645dbeb126bc97a1f70b020fa6c3b935edd9e4bf9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urdyrxfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\Downloads\NEFT_Copy.zip.crdownload
Filesize
2.1MB

MD5
d0f2c2de0407cefe7a24c8eb22237a61

SHA1
a46ba89e46a3d04fd9c919837441625ddaa4febe

SHA256
23d3f3b9c74b6707db237bdfa797d7425f18938614051ddb633712a42e7f3c96

SHA512
c59e010a958a1f714bd064592d6b0f26619b2efc879a1b8496d6132a598aa5edddec2e6537c34b1944893926f7664a989bf8df752f8bfffeabae4d3f7fbfb3e3

Download Submit
\??\pipe\crashpad_1444_NRWXYCMXAOAKSCJR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit