kutaki | hxxp://nkwaterproofing[.]com/gol

Analysis

max time kernel
103s
max time network
95s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
25-09-2023 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://nkwaterproofing.com/gol

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe	HDFC_9530.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe	HDFC_9530.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe	HDFC_9530.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe	HDFC_9530.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe	HDFC_9530.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe	HDFC_9530.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe	HDFC_9530.bat

Executes dropped EXE 3 IoCs

pid	Process
1580	oajldbfk.exe
4004	oajldbfk.exe
1420	oajldbfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
352	taskkill.exe
4340	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133400787615086765"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1284	HDFC_9530.bat
1284	HDFC_9530.bat
1284	HDFC_9530.bat
1580	oajldbfk.exe
1580	oajldbfk.exe
1580	oajldbfk.exe
2188	HDFC_9530.bat
2188	HDFC_9530.bat
2188	HDFC_9530.bat
4004	oajldbfk.exe
4004	oajldbfk.exe
4004	oajldbfk.exe
3968	HDFC_9530.bat
3968	HDFC_9530.bat
3968	HDFC_9530.bat
4532	HDFC_9530.bat
4532	HDFC_9530.bat
4532	HDFC_9530.bat
1420	oajldbfk.exe
1420	oajldbfk.exe
1420	oajldbfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 4764	1812	chrome.exe	70
PID 1812 wrote to memory of 4764	1812	chrome.exe	70
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 3420	1812	chrome.exe	73
PID 1812 wrote to memory of 4632	1812	chrome.exe	72
PID 1812 wrote to memory of 4632	1812	chrome.exe	72
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74
PID 1812 wrote to memory of 168	1812	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://nkwaterproofing.com/gol
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd403f9758,0x7ffd403f9768,0x7ffd403f9778
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:2
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:8
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2712 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2728 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3908 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2940 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4576 --field-trial-handle=1768,i,5690833229306915160,12982845715476658086,131072 /prefetch:1
  2⤵
  PID:3020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1052
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1580

C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im oajldbfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4004

C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im oajldbfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:4340

C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC_9530.zip\HDFC_9530.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f6f471a27f4fd9f096031f017def3393

SHA1
ba9133d76087d0bc45295c3dc1c1b747e2a1ed82

SHA256
d1c52daba69c6611f65c0c884b8151c3e756f8658406d555b9c42c4a095d6d78

SHA512
d07c102d7cdb99455a12a3f0df73f858b6fb8628d1faec7232d9a3b9176ef8480e8b64f515bb630aee614a4c26ef6a6ef57dcc170d2f4b859daf2b186f235b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
28136218163a4ec6dfa657ab1afb210d

SHA1
2f18d5e853482a0d74e1fd79b84a0b086bc00fcb

SHA256
a1ead8c270a639e69f614a704d4617226cc7beb2672556a402763e9a32bab6b7

SHA512
e58c0b9c6fe1eca2127afd4c8c5108055b795d09077b41c5dbadc668ffc4640ca21971847fb546cb196b7720af7143fdc6a3f0b66c23f3810b6d22127edc8374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a198ad0914c29c67bbdf8589e15dd7d3

SHA1
1ffdcdc942fbc9dd3e2e181a0c798650be57fed2

SHA256
4f449868b487339ee9f7ce28f75b32f0126c28198b5e331d48fd25bfe4d1493a

SHA512
609fb6872c21571772970715cc590d2e08e4c58c9501254d7c0af7204ff2457d7f696c216e6fcf28eb758a91da55cc7e2fdada7cc9f40daf4b1c0df393187b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
62b7f635206db612eef132852203b7fd

SHA1
56bb753b21523622498dac3d794df80fbe7da3dd

SHA256
2272bc016c499bb1aaa478f5974a95adf270cbfb61e52a0778cb3a9137a92cff

SHA512
eca611dabb63a1583e427dac2362135048c97e78d767fcd905303b6eb11bedf2deaade098abdbd1876e7f24938e2756a308138f9c60b6e512b48d00a94a5871a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
46339857af4049b87a8a04254371689f

SHA1
229736fb70fa8efd4c7c7ff97f2ae2f06c16bbfb

SHA256
b75812b159449f9c868e88c33b55dbb9baf4630ad838f934879142ce90c9fc68

SHA512
49252a8443c55d2aecc27d3293bd46832ac4397b4f209e1c68fda4a1f07128f2112ad17d337b8fca576bdbbfaa2bbbd8051ff1f15fec1c80f6a1fcdda0b70ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
85e99cbebb599121472ec257819044cb

SHA1
4b3dc809df4b1f981361dd528f5e74382bdb0e95

SHA256
16dd1d158b2b3d1a82efced76eeecd8ce395134475874c987681818c9b8071c6

SHA512
2d837cd4a4d8169b89d2010ef3be4837579f41eecedd523e01f828395c8d4b793fe662ea5a00506ebb3cd50f42884518426f50ddaa72e5f6b44b40efa241fdf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
ce29ebb22b216bd2c3d1df74ae5905fb

SHA1
6b59fa467d19b725ebf312ce1cf181a15a4b3341

SHA256
946d334109e38576ae831d0aa8d844c67c4a44d95b6f6929f6d6803e92a289dd

SHA512
efab8a3bb83b0918bc85fa64b3a4fe875f3006f2674ce7a92b5b75ef7f33a37a819f728ada7b2b4b3c494cc821b5bf19fb05c0e12b105c153b434dfea6b3d091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe

Filesize
2.9MB

MD5
c8259cf08039e670e470edbb886f4dce

SHA1
ea0328fb5f777cd5ada12746d9e1d3ba087ddddf

SHA256
4e0cf82c796f432952a47ae7572e7ff1189627db4c053974e613c2b79ee5737f

SHA512
edb780458a109b3a39f50a9f319a5a4dbd748351f87ddc4815a888da5d069d87701a66e5fbe417e45786adfc5aef68c44bae510e6e83faaeeea9ec7d450249df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe

Filesize
2.9MB

MD5
c8259cf08039e670e470edbb886f4dce

SHA1
ea0328fb5f777cd5ada12746d9e1d3ba087ddddf

SHA256
4e0cf82c796f432952a47ae7572e7ff1189627db4c053974e613c2b79ee5737f

SHA512
edb780458a109b3a39f50a9f319a5a4dbd748351f87ddc4815a888da5d069d87701a66e5fbe417e45786adfc5aef68c44bae510e6e83faaeeea9ec7d450249df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe

Filesize
2.9MB

MD5
c8259cf08039e670e470edbb886f4dce

SHA1
ea0328fb5f777cd5ada12746d9e1d3ba087ddddf

SHA256
4e0cf82c796f432952a47ae7572e7ff1189627db4c053974e613c2b79ee5737f

SHA512
edb780458a109b3a39f50a9f319a5a4dbd748351f87ddc4815a888da5d069d87701a66e5fbe417e45786adfc5aef68c44bae510e6e83faaeeea9ec7d450249df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe

Filesize
2.9MB

MD5
c8259cf08039e670e470edbb886f4dce

SHA1
ea0328fb5f777cd5ada12746d9e1d3ba087ddddf

SHA256
4e0cf82c796f432952a47ae7572e7ff1189627db4c053974e613c2b79ee5737f

SHA512
edb780458a109b3a39f50a9f319a5a4dbd748351f87ddc4815a888da5d069d87701a66e5fbe417e45786adfc5aef68c44bae510e6e83faaeeea9ec7d450249df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe

Filesize
2.9MB

MD5
c8259cf08039e670e470edbb886f4dce

SHA1
ea0328fb5f777cd5ada12746d9e1d3ba087ddddf

SHA256
4e0cf82c796f432952a47ae7572e7ff1189627db4c053974e613c2b79ee5737f

SHA512
edb780458a109b3a39f50a9f319a5a4dbd748351f87ddc4815a888da5d069d87701a66e5fbe417e45786adfc5aef68c44bae510e6e83faaeeea9ec7d450249df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oajldbfk.exe

Filesize
2.9MB

MD5
c8259cf08039e670e470edbb886f4dce

SHA1
ea0328fb5f777cd5ada12746d9e1d3ba087ddddf

SHA256
4e0cf82c796f432952a47ae7572e7ff1189627db4c053974e613c2b79ee5737f

SHA512
edb780458a109b3a39f50a9f319a5a4dbd748351f87ddc4815a888da5d069d87701a66e5fbe417e45786adfc5aef68c44bae510e6e83faaeeea9ec7d450249df

Download Submit
C:\Users\Admin\Downloads\HDFC_9530.zip.crdownload

Filesize
2.6MB

MD5
f3d1811977175d4d6e593401b6595e29

SHA1
bc8e9442033381369b6210a4764d30acf53250f2

SHA256
c033db4e6584d8d0bc475b6b717ce1401adf72f2ca6ff2b8cff4049e9566bebd

SHA512
40e6368402d8b86db45f58d368b148ddee27143c53b7d4c2273375bd3203c36e88c843790952f3942ca635bd4fe966ebf47256f0a29701b72d2611d7562c7682

Download Submit