kutaki | hxxp://opsonin-pharma[.]com/ppolj

Analysis

max time kernel
599s
max time network
495s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
08-01-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://opsonin-pharma.com/ppolj

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 5 IoCs

Processes:

Invoice Confirmation.batInvoice Confirmation.batInvoice Confirmation.bat

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe	Invoice Confirmation.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe	Invoice Confirmation.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe	Invoice Confirmation.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe	Invoice Confirmation.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe	Invoice Confirmation.bat

Executes dropped EXE 2 IoCs

Processes:

votjptfk.exevotjptfk.exe

pid	Process
1580	votjptfk.exe
3528	votjptfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
4480	taskkill.exe
2408	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133491544607901058"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
2760	chrome.exe
2760	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Invoice Confirmation.batvotjptfk.exeInvoice Confirmation.batvotjptfk.exeInvoice Confirmation.bat

pid	Process
2296	Invoice Confirmation.bat
2296	Invoice Confirmation.bat
2296	Invoice Confirmation.bat
1580	votjptfk.exe
1580	votjptfk.exe
1580	votjptfk.exe
3064	Invoice Confirmation.bat
3064	Invoice Confirmation.bat
3064	Invoice Confirmation.bat
3528	votjptfk.exe
3528	votjptfk.exe
3528	votjptfk.exe
2088	Invoice Confirmation.bat
2088	Invoice Confirmation.bat
2088	Invoice Confirmation.bat

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2760 wrote to memory of 1008	2760	chrome.exe	72
PID 2760 wrote to memory of 1008	2760	chrome.exe	72
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 2060	2760	chrome.exe	74
PID 2760 wrote to memory of 3788	2760	chrome.exe	76
PID 2760 wrote to memory of 3788	2760	chrome.exe	76
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75
PID 2760 wrote to memory of 1152	2760	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://opsonin-pharma.com/ppolj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8094e9758,0x7ff8094e9768,0x7ff8094e9778
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:2
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2024 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2712 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2692 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4652 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4800 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3152 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3596 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1704,i,7857693230299720042,10596902812173638893,131072 /prefetch:8
  2⤵
  PID:1720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice Confirmation.zip\Invoice Confirmation.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice Confirmation.zip\Invoice Confirmation.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1580

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice Confirmation.zip\Invoice Confirmation.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice Confirmation.zip\Invoice Confirmation.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im votjptfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:4480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3528

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice Confirmation.zip\Invoice Confirmation.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice Confirmation.zip\Invoice Confirmation.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im votjptfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0d440176-bed4-4b3c-bd53-b0c0a08ab180.tmp

Filesize
114KB

MD5
55121c81deb92e9b7831fadc9d8aa8ba

SHA1
e4fbc3faa0ac1c1ba188e1a2c809c5a7833c0961

SHA256
24c7f5ae8c241b65d6582bcb74cd1b199652be7a903669cc7c490868e9369aad

SHA512
776eb0b57b203580262152526eac527aa2d62b65445eff9efe78f4582da287f1be3a11870565c87ee8c88ef8e2253684eace172467fabb706437fb1f9dffacc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d32d5b812d2fa4df2078d85836f450a6

SHA1
b5ae3fd0ce94fffc3d76d468f03f0362ee68ee63

SHA256
0fcd80de36aa5e6184372fb6ed30ba9e346cbe5b211a149283449cb7cd35ce95

SHA512
85e2ef0afcd957de754c2e91d6300af8aeabb9985eb361e20a13c79baa835902d35d88b4cec7081c923bd849c77afb8c6ba69a6c198f28df92824fb0a6e6e7bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
5afa9e43126a8b4a0294923c5b806149

SHA1
4a184a3be0313f6e913d25dfeec26b0b9e4b4aaf

SHA256
7ec6621e268ed885fe628b4ff2f530efd1e3a8c3795e4ec0ae38463bd4ce5aec

SHA512
5578472533acd858d2d9e8aa2acd8363c080b0cac6ff09f718adf971bd598009559d781e77e50d3db006a1472aeacce9950b8f17bdc6f08c31b9ef8f63c41740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
32c6494452761da6f6d83135ae89f4ec

SHA1
a9bf8e9774b6a79464aad2d3e50096d3f01ed4cf

SHA256
aa030cc18f1c51a484eb9d26ab24d3af2bce3fd7c6bacc374d4020429be597de

SHA512
9f333e5ef16bbfb24fb38d0260f481c63dcc7e63b4bb9b83ee00b2d88f3db1aa12c15832e8bf20d9f5a0f007d9d0892956af357131f1729626a51d1361c7b6d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8125216f9267193ca809c8466959b0fa

SHA1
f232a409bbc2f147f67d5ff921630260623e7995

SHA256
456c762536d63335fb29576d64587ebdb051e8f2cac3694b702d7123bd30da8a

SHA512
d1ada4d41c293cbe4daf6d01a887eb90aa2aff3f59c99f26665c3cbd51af8b0d1f6f86b73554093871dd25819637740ebbfac11d68b2ea772574c3470505cccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
39590bb6769bc198c5cd136910fa9662

SHA1
90d76826a73a62c024982b233e666abced15d4d9

SHA256
f8fe6935b4c603a7eff27b5896129f630a919020ff744bdf6aa8075cda76a047

SHA512
82f07fae1130d90dfa98c8e77915144c30e173380ea7b2a542acdd786cedffe5670d93db596eeea6324f36d02e40c2e61b5e8ec5f4e1597868b857d5c9f4137f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
1fb1edc593e5df5c033af86fca312478

SHA1
8356d567d52fab3e026136d93d37d9f463bb3657

SHA256
95f7e6813aa709f022f5145b45a1b25e2c49645e212d6f89f39b0639df5b3531

SHA512
9322d73ecacb55b38498964bf74124b07ea26446f02eca4af79b2704d6a19f3414f43b515acb5e051e3c633fe725788ececa95b3ca38ec8995df4daeb8e84e1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ff5e2.TMP

Filesize
105KB

MD5
8cbfd585f61ebfb1627a1ab97ca13802

SHA1
96bc42a712fa30234082a3af9961a438319c9d0c

SHA256
c80caca365fe8addfbeccc595653390b2f85818576a1874f6a5530dfb8fb4998

SHA512
e6f92b1cf9516614a6d0270b3203e714f20ed00741c165f8e45c113096f0520bbbf9884fc0917e4a72e54f7c0242c416030de74e46fe7ab73193e84b29303538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe

Filesize
607KB

MD5
bc5a84255968254145cc9c31d5e86374

SHA1
87835cd054c0bf65be2d0da8d5ffb225b24805e6

SHA256
f73c5f8f779ef5494d3ca63542a175a1e94789d6b492ef369a7d3307877d8a34

SHA512
4a97a09c1e2072d2690acd26a933ba0e74c018c44670776440786b5da4bb12e05e6d6dbb60b0062e0c6678e0e11b8ca86920e1044df806f16a3ed2d6a223a517

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe

Filesize
1.5MB

MD5
150a203a1ac560c5a120d4d9e1220c2e

SHA1
8c39a8e8aaed6d23186d6e687e6fce246166233d

SHA256
52d83997a77422cc56bc39736fea704c0bde2aa188a1fb6b48813c42c868b721

SHA512
fd0f803495b5bb687445c9a71d22b6ba6b3aefdfa5468b511687c4a66140465011dda2d3357da5562fd9ee4b40cf2c912c9641ba38327937b5ba0fec438de7ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe

Filesize
135KB

MD5
6af12a0fbefd10c996b8ef82ad026c6b

SHA1
09b89381f034b25259450fb5edfe4b00f2a93fdc

SHA256
926ce052798f8931c949c2e633bfdd35c1a2df4457afe28df2a577e7a49f3227

SHA512
dc9fa6d0863b9c12a351b6917511231cae15cb1562175d082b9d92fc8f7a35cc1037d1a3dabd64151b78a764842e89b7b2e04064a9660ea05b46adef2be37998

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe

Filesize
2.4MB

MD5
b3100da3064447ace17a61ac4897f89b

SHA1
3cc0b9007be5ccea74a544a03e24d11deddb4186

SHA256
b12c73c9847daaafc6c13bcd69ec5b9f3812cbd8f5d734974c96fd773ef91e8e

SHA512
d839dac974580641b0c986aef9e5df650c7337af0d4592e01d7d8a972d67ec84bd1e19ceedebea0285ac72809a5ed305e0249b9489251fe2e28c0965944b5612

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\votjptfk.exe

Filesize
1.2MB

MD5
042c5468df4f9b657cf64503d101e981

SHA1
104c472509f1382ea01af474f4b43071cbcd9aba

SHA256
0d34efdf82b5ec8a4659b708884782257b849f228cb8cc6c5789d73176554067

SHA512
8c9254cf20bcffa022072a80ba9379b1a1d2b1efabc296019f0c20c72c7fd053a9397cfa379fa777808c1bc3af1aa760ac75eb0d31fe6cdd54cc07b20f2afcf6

Download Submit
C:\Users\Admin\Downloads\Invoice Confirmation.zip.crdownload

Filesize
2.1MB

MD5
669c208c6a04a7bbbf9b4216b2a34aec

SHA1
023066adcd01ba46a839bee8b9d0b91d8910fd3e

SHA256
b18c2830d025f3c2e692b4a23e6337f07d3ec89bf3fd091ae44512817ff5bed4

SHA512
844d4747c2409fa57eca4ee4228e20c2cf0bd09e147a41d66419956a3b5d717337f9f2ba4b790906b434945cfb79f30b8afb67229a052562cbb0bee38de1f987

Download Submit
\??\pipe\crashpad_2760_CXZDACKAVICUSZUE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit