kutaki | hxxp://alphahooklabs[.]com/ndhjl

Analysis

max time kernel
599s
max time network
487s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://alphahooklabs.com/ndhjl

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe	Invoice No 34710.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe	Invoice No 34710.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe	Invoice No 34710.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe	Invoice No 34710.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe	Invoice No 34710.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe	Invoice No 34710.bat

Executes dropped EXE 3 IoCs

pid	Process
3644	bxzrvvfk.exe
1188	bxzrvvfk.exe
2696	bxzrvvfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1160	taskkill.exe
2100	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590751060954657"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeRestorePrivilege	2408	7zG.exe
Token: 35	2408	7zG.exe
Token: SeSecurityPrivilege	2408	7zG.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeSecurityPrivilege	2408	7zG.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
2408	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3116	Invoice No 34710.bat
3116	Invoice No 34710.bat
3116	Invoice No 34710.bat
3644	bxzrvvfk.exe
3644	bxzrvvfk.exe
3644	bxzrvvfk.exe
4352	Invoice No 34710.bat
4352	Invoice No 34710.bat
4352	Invoice No 34710.bat
1188	bxzrvvfk.exe
1188	bxzrvvfk.exe
1188	bxzrvvfk.exe
4300	Invoice No 34710.bat
4300	Invoice No 34710.bat
4300	Invoice No 34710.bat
2696	bxzrvvfk.exe
2696	bxzrvvfk.exe
2696	bxzrvvfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3240	736	chrome.exe	81
PID 736 wrote to memory of 3240	736	chrome.exe	81
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 4908	736	chrome.exe	84
PID 736 wrote to memory of 1380	736	chrome.exe	85
PID 736 wrote to memory of 1380	736	chrome.exe	85
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86
PID 736 wrote to memory of 2456	736	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://alphahooklabs.com/ndhjl
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f564ab58,0x7ff8f564ab68,0x7ff8f564ab78
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:2
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:8
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1732,i,16822213413553358196,4620888955456363290,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4904

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Invoice No 34710\" -ad -an -ai#7zMap29992:96:7zEvent4442
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2408

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 34710.zip\Invoice No 34710.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 34710.zip\Invoice No 34710.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3644

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 34710.zip\Invoice No 34710.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 34710.zip\Invoice No 34710.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4068
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im bxzrvvfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:1160
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1188

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 34710.zip\Invoice No 34710.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice No 34710.zip\Invoice No 34710.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im bxzrvvfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:2100
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e0158b40c621a3914f8c2dcad95e3efe

SHA1
5e57285a0a717f4578f109cb71d57a9e928b2f1c

SHA256
4d526c3de6906d6fcfba9609b587651e7f99bab27ade61a633c18b5d362f7b75

SHA512
2c58674e8279f9112c740f975d4666009406be063d90c1811d134d7f88d0a7ffd7a4f22476ca3c00679121a8d4d7dc044acb6f5a1dbaf8a999664c62696760bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
22e1521ba9083220b8a33a9bf83a58a9

SHA1
eb246df23422139a29258355868e1e6f03cfc9b7

SHA256
de12c7da240e3e0669ff49d46076e922bc95848b1dda1cf3634c0b2a97f49f7e

SHA512
940a1ce04846bc71b5810beac8453cc44f101e972022cd51843de004b0b41cadd160a4a15e37aa792ee889f0eea1aacb5c233e49869a50f031531622cc9034c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0256f51f6f9ac337f765620f67c59aed

SHA1
d5f7c043723d80a3bae7f28755f5bce2fb42833a

SHA256
c53e2e86aa333f6939c4a7b3fb21d8a95a769a6e257fdf9046af8f9a8949f8ed

SHA512
fb4ec5f605c9c68f2731269c7ccc5e059766df027073b9abbe84f738edea64116a60d2be1f4f041a6f85269aa396025d98d0b5c0ed03df1235cc85652feb88c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
18f62a380c692a5ee89563225dc83aed

SHA1
8060b7323ba29c9bf7bd90becd1f08f4d300b552

SHA256
ba7cb0dcb7810bc2718bfa77b51d92f046953e7e973b9e5ab3f4de1af25c4c70

SHA512
b44e0a2bc0c26a225c5eb1cec01e6ddf82b4a450b225260e7469339c6cf68fbb954f6d65a19e3484bb2b628d6599d726a1769b196b6646d9267055eb47454320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
b552e7a57fa2340bebf063024026fe87

SHA1
4bb05217fe9f0b39949b099a6a7f123b749f840b

SHA256
3253be9f4b3bb00304185cd21ab880951f2fbc194dadaab77dafe16cf4218a91

SHA512
59c65c8e86663602bcdd94a94d4667ee7670767cae86ad64b3cf51a43c768b367475bb47a01fac65017eb6f2ba867faf8548a9bb625bd05f7488e8257ed1079b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe579c30.TMP

Filesize
94KB

MD5
ec9586d8aa307673a09e34164698b43d

SHA1
857eee8117da9c0bc3411cf957237bb0ff3a0c02

SHA256
23a938dbcbfe1bf2872e5d9f17f36f5598f11bfbc2361408af4d9d496693f062

SHA512
4cc61fbb7fd3a0b04103c4b489f631340df086b276f81383a7f8297ed43aecbae762eee9a659b6ebc5a3fd1e50a7c781ea9123cb63564c03f0c6733bb279ede6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxzrvvfk.exe

Filesize
1.5MB

MD5
79ba8864b6d074a08b9d89094586e053

SHA1
5e479cba25467257ac33c6c8a96e1a603ce08dd8

SHA256
e0bc9c7429bae21b038607fab90eb38e50f64b253f3f69d227ac0e207795d366

SHA512
0e5a462f4770b4852c61d32390103992bfa9b09bc07b21316e8a080f5e4ab364b9946c1eeb53d8d2e362304cb295dffaf5eb3a7a1b88a6db7e9537789111247f

Download Submit
C:\Users\Admin\Downloads\Invoice No 34710.zipx.crdownload

Filesize
1.3MB

MD5
c7665862f467465bd8143d5213e53678

SHA1
167898b91a056a7114c99e4ca68824206eb35912

SHA256
9d912b7f175c4bbe72c8b1c801d121b7fda116f8902eb5b3bf4d62aa43885345

SHA512
2b5d19c8a0897a8a9ba529177fe91961f9948e2c299716484e0ec58767ce3802740752168c0cbb7eb00c842a5c7907454accd195c7a366e6f0fffdd25e75ff99

Download Submit