kutaki | hxxp://architect9[.]in/[.]well-known/ITR[.]htm

Analysis

max time kernel
109s
max time network
114s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
05-10-2023 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://architect9.in/.well-known/ITR.htm

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

E-FILLING FORM.batE-FILLING FORM.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe	E-FILLING FORM.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe	E-FILLING FORM.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe	E-FILLING FORM.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe	E-FILLING FORM.bat

Executes dropped EXE 2 IoCs

Processes:

augkgsfk.exeaugkgsfk.exe

pid process

1036 augkgsfk.exe
3640 augkgsfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1036	augkgsfk.exe
3640	augkgsfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1840 taskkill.exe

pid	process
1840	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133409478439064541"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

3768 chrome.exe
3768 chrome.exe
3768 chrome.exe
3768 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3768 chrome.exe
3768 chrome.exe
3768 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

E-FILLING FORM.bataugkgsfk.exeE-FILLING FORM.bataugkgsfk.exe

pid	process
700	E-FILLING FORM.bat
700	E-FILLING FORM.bat
700	E-FILLING FORM.bat
1036	augkgsfk.exe
1036	augkgsfk.exe
1036	augkgsfk.exe
2680	E-FILLING FORM.bat
2680	E-FILLING FORM.bat
2680	E-FILLING FORM.bat
3640	augkgsfk.exe
3640	augkgsfk.exe
3640	augkgsfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3768 wrote to memory of 4716	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 4716	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1584	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 4832	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 4832	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 3528	3768	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://architect9.in/.well-known/ITR.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffc0a59758,0x7fffc0a59768,0x7fffc0a59778
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:2
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2656 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2664 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3952 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1784,i,7897843110392171932,12379714142073890748,131072 /prefetch:8
  2⤵
  PID:4344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\Temp1_E-FILLING FORM.zip\E-FILLING FORM.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_E-FILLING FORM.zip\E-FILLING FORM.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1036

C:\Users\Admin\AppData\Local\Temp\Temp1_E-FILLING FORM.zip\E-FILLING FORM.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_E-FILLING FORM.zip\E-FILLING FORM.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im augkgsfk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
956bc87a5186f995397a4247e52bb3b2

SHA1
c911ff96e47db6ea8ba7db537ab20ce66a167bd3

SHA256
46783460bc2480a0b2260a5888cae01a8ac98bb5f5625a62dc424448cb48777b

SHA512
b3a264b5bb562d77cba44eccd54eb73477e839da4337ad1ba6bc3d6a28e4908c1c2f2414c9fe4447f6d2ba1fbdceaa0c627786efa18bb7d4eaf3401735680240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
b7893aac3abf969559f563acea1725de

SHA1
46b51f0d9fb53f5f414f9288d672fd350f6dd08d

SHA256
8ef0ab12c99eea036fc9bb14e50fb2e07af85d42af12ad4f8917bd403fe1535d

SHA512
85527847bfdf7eba93776fa3ee61604251c3b6b52635e8aa6afcd6cecdddb3c0e5c291f5dc8380c59152293305f8b3423231e5392fb4a4bfc2142631ca6c88ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d68c302af4214915477e89c7155c47e4

SHA1
6aba330510006b614626e26deaa483636392615a

SHA256
fc6a853aba8c30977c29a24918e6dde352ec0568ed623896fe17ad400f1c1af6

SHA512
0324eeb537da00190e89d3a08be55b73436f70b7ac8baa1aed9424a9fc73afc8102f2cb2676979a8799a6becb70d694a19df28af70e8bfe38f656fcc0014e149

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f13317bd9b6e9a02c623611d8fdd4ff1

SHA1
c57fe2a139528c1e5ce60abd27bcfedb747da0bb

SHA256
acc382ced72e4cd402aca3d1f7b4342e22c708ead6dd9071ddd55f20ac7c1d2c

SHA512
7510ed159e724749a05a31ed7efa027ed480581f91f74b3d6d6af1a63837a9bbaf1da1cc7ab2ae37249f46c4a3425afca0c8edd39d9389c01f6f49abf6a3e931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0804750d23be447c0560136a78ea437c

SHA1
e0f5605b8ee4fab0f82152448a3644bb0859b0e1

SHA256
43ab0bead24ecd1a68a59ed5a30299501555afbd60048a56bf7570f5dab82b27

SHA512
fc2a4c67e69ee85d7bb6be62937bfe72a2d8fa3eea207d4e88430ca5933e89e45aa55704bab233d995621bcea43273785650893045df962a5c8096e795984c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
7e149fa54fb8802ef317edc714d517f2

SHA1
8b99b330748c20f3305abfd34322e4d625a7b825

SHA256
977c1b808f1ed80eb40200b0f54c224141d8ea18ac81270630528619fa8fefeb

SHA512
2cdc78827561ff7bc337116a02aaa08adb1e4b0a75155abada19b4894f7c10742d07a5788d57becb6de59d4976a77e9746444a54c992885a48996bb674b3fb01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
a50a8266d308dc77fa174afb0f242926

SHA1
0a28a988b9406c28b48f3a212f97f52ffb67b88d

SHA256
d73c6f26e383c79ba79555f686e105e68666d68616ecaa9e713f9786f62a6f85

SHA512
250a641981bcd841b68bba22a53315c201814f1368f111a41cd6d89e2d2c74235d6dc55c4a8b08b6cafb68b063a6a9f0d8b1f8bf3071e200c74bc307ec1d9d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
78ff95d3c5c1e9e2a1cb1c72563e87fe

SHA1
c2d8a4092ed128ce148d31f0a663773f61a1ae0f

SHA256
91b27c8b9ebf2516642424c986931883047922cab050e910d63ed972250fec58

SHA512
2ee0b614967c4e280c981cf42f7c2adfb512c20550b068d5cddf0268bc6ef29911ef43e6370db112665dfeea835575f6e5da4291739abf1cbbde0587f4b4ab5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
299d62f2384dc5e09adc09a1e7202510

SHA1
2e422dc2c073e7e39a62a1dbc174235c28563bc9

SHA256
9bd3a142ea8e0472f17b9ac0368a062d96613479be727209ccd54ff9d424c761

SHA512
ac1207177f765c7c87091ad564b0dd85762c6ce197aa5b830bbd63cb3588feb1f8d677502f8d439db2bf62055e29c12af1ef8bb9e6e03284189f692f9e73838e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe

Filesize
2.6MB

MD5
838e596edc2b94701ce52ab9950b49db

SHA1
3fc3b85dffd9f1bf945dc90d1d42eac050862f8a

SHA256
212cc3e6d8c896b268c63ffcc29d19a2c64cba6dcd0a268a2f5dfd1788a069e7

SHA512
9ce3865af9450504c6601c1323b185b53a30cbc07de0e2d73106f64b8a217552679ea91faa3ef0c56a726329109d0a55fe4af89fbc69ea2205cc4a9184a75f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe

Filesize
2.6MB

MD5
838e596edc2b94701ce52ab9950b49db

SHA1
3fc3b85dffd9f1bf945dc90d1d42eac050862f8a

SHA256
212cc3e6d8c896b268c63ffcc29d19a2c64cba6dcd0a268a2f5dfd1788a069e7

SHA512
9ce3865af9450504c6601c1323b185b53a30cbc07de0e2d73106f64b8a217552679ea91faa3ef0c56a726329109d0a55fe4af89fbc69ea2205cc4a9184a75f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe

Filesize
2.6MB

MD5
838e596edc2b94701ce52ab9950b49db

SHA1
3fc3b85dffd9f1bf945dc90d1d42eac050862f8a

SHA256
212cc3e6d8c896b268c63ffcc29d19a2c64cba6dcd0a268a2f5dfd1788a069e7

SHA512
9ce3865af9450504c6601c1323b185b53a30cbc07de0e2d73106f64b8a217552679ea91faa3ef0c56a726329109d0a55fe4af89fbc69ea2205cc4a9184a75f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\augkgsfk.exe

Filesize
2.6MB

MD5
838e596edc2b94701ce52ab9950b49db

SHA1
3fc3b85dffd9f1bf945dc90d1d42eac050862f8a

SHA256
212cc3e6d8c896b268c63ffcc29d19a2c64cba6dcd0a268a2f5dfd1788a069e7

SHA512
9ce3865af9450504c6601c1323b185b53a30cbc07de0e2d73106f64b8a217552679ea91faa3ef0c56a726329109d0a55fe4af89fbc69ea2205cc4a9184a75f1c

Download Submit
C:\Users\Admin\Downloads\E-FILLING FORM.zip.crdownload

Filesize
2.1MB

MD5
6979a716fc32dd0958278b769a0dd06c

SHA1
496b631b8518532d786742211c9ea5fa306d8e27

SHA256
ac0c628c6c9a3ab273d1db6bfeb9e565c8515156ff7070df1c73e590ccaac839

SHA512
eb7b2b9f98247f1af038147f36c478fe64d0ceae80e48778a16561ed56b66a442bfcdf8518eb3adeef3c147e5b1e850e6cd77b3ea9f0117bd7d0fce875cce396

Download Submit