kutaki | hxxp://quiropractico-df[.]com/kklsj

Analysis

max time kernel
199s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://quiropractico-df.com/kklsj

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Invoice No-99531.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\otygkdfk.exe	Invoice No-99531.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\otygkdfk.exe	Invoice No-99531.bat

Executes dropped EXE 2 IoCs

Processes:

Invoice No-99531.batotygkdfk.exe

pid process

5536 Invoice No-99531.bat
5756 otygkdfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5536	Invoice No-99531.bat
5756	otygkdfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133594166423754992"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exe7zFM.exechrome.exe

pid process

4460 chrome.exe
4460 chrome.exe
5380 7zFM.exe
5380 7zFM.exe
2916 chrome.exe
2916 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

5380 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4460 chrome.exe
4460 chrome.exe
4460 chrome.exe
4460 chrome.exe

pid	process
5380	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
5380	7zFM.exe
5380	7zFM.exe
5380	7zFM.exe
5380	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

OpenWith.exeInvoice No-99531.batotygkdfk.exe

pid process

2632 OpenWith.exe
5536 Invoice No-99531.bat
5536 Invoice No-99531.bat
5536 Invoice No-99531.bat
5756 otygkdfk.exe
5756 otygkdfk.exe
5756 otygkdfk.exe

pid	process
2632	OpenWith.exe
5536	Invoice No-99531.bat
5536	Invoice No-99531.bat
5536	Invoice No-99531.bat
5756	otygkdfk.exe
5756	otygkdfk.exe
5756	otygkdfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4460 wrote to memory of 3996	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3996	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 1172	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 2204	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 2204	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe
PID 4460 wrote to memory of 3792	4460	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://quiropractico-df.com/kklsj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb2a39758,0x7ffcb2a39768,0x7ffcb2a39778
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:2
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:8
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:1
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:1
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4028 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:1
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3232 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:1
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:8
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:8
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2628 --field-trial-handle=1848,i,15375787219960321505,15274080467716188132,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Invoice No-995319.zipx"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5380

C:\Users\Admin\AppData\Local\Temp\7zO405E49E8\Invoice No-99531.bat
"C:\Users\Admin\AppData\Local\Temp\7zO405E49E8\Invoice No-99531.bat"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
3⤵
PID:5684

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\otygkdfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\otygkdfk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2928 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
7733ac499f83ed33f9ead9dbca7c82d7

SHA1
b751efa2a36e9e6b75e2c9b7a798c0264fb73a88

SHA256
f56674e3d33fa56a5f0d7b3c85bc62191c5c5c450c6406aaea17597fe8c38250

SHA512
dd5643102c96de6fb29c63d64b2ef2ce9632ef81a227858a73f3940086656b50dda1a4a8fe79fafc5514bd0085fd817851413a6a1302a9acbeaac80498de6c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
967B

MD5
08b4c37858386ab26e3f5bed4411074b

SHA1
626e45b43c6184f06187ddbcea132cb060f0d2d0

SHA256
501bc6844c79e93a404811126ade930ea0c2ea83d759d55483eefdc7b22e9df4

SHA512
99d2c0c048ebc019d4e3591fe86fcab2a04ddd7f41f1514d1763b5b4c15cd2c7aaf024693ad112bbb4d9b3d796b6c903211ab6b06e1048b406c830a9d7020ce8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
9396db1fea7a811a6d9d35828f7feb32

SHA1
7e051ffa9e0fc1ed77e81e49b501183b21b933cb

SHA256
ddc483ab25b8908f839fbca8d5a436ca1351da29942df649a927bc46b72fec7e

SHA512
4dd11555ccba383553500fe884d5278121e9a90cb47adf4f2b9a1781e236a90f863b3e6fea77224eb80aabfb901603e43a813e69efa5f96555e26682018fdb82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
0863761f9e633760cb261b617c9f9924

SHA1
8b8912264040978a67789b1fba5c76c538dd26ce

SHA256
b977b26290caa0b03ed5b5af62ec3ba3b39c5b68aa0619b1ae2c67589087e353

SHA512
df87b01fca93b3153c90af0b85290d29c5e9772e64df4d560ece62142787f3632adb73acc62ccb4f523241baaf10b83f922987c13a5f998f3cc094836cc2e000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
32fdd935bcaaf29dac87e83dab88826c

SHA1
dd74688394596c17c592738ced00df0f8f4e53b3

SHA256
02cb112204d6ed15d7c75dc7e0a4d5db87376b56c0ca57a7e7b6eae3b21f4598

SHA512
f1365110775856d06a051620267dd51f42e367f3e531491e15b3a7667145b74d161d5ed30dc807a926b22a55f5c203f35dc772fa00fb98b926a16726ac789cf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
b159c977ded1d1cd453a8c29d40cbeb8

SHA1
de40847ba9dab45c2f0635e5f0197340106b814d

SHA256
0a860b863f3e4abb1fd8346da63945c3950749aad03216412b5bde3375973698

SHA512
ad6bafdbb404678b373b23d679595be3b563a2aed9aed3565f35c7de14a18a0e96c1bb278afefa737d726a6e193b2c44e3e55ad3dbc6c9b4331061a587c4ffff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
b1af53f84240741ab27bbfeea03c6bb3

SHA1
13e474722aa9aed5cf1a4393ff09da9aca1d685d

SHA256
5f5d079538b4e6841db121f65d144e9a8d06d8de0ab09359fdf734d5aeefcc16

SHA512
724be75b9831d6d836dbcb1a9a42860cd57ad63e89e40f69c9af4c29f5e83ee8cfe1023e24b38d82c38262ea663098137a86d3c2d0c2a4acefdf908b33c6a9d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
13c94666a8c9f0901e4a356556f64e96

SHA1
f2cd5fe73cd5a3c2221578b9f8f1f705ef881172

SHA256
5a190d093ae025c88f6c2545493095328f49d5e3815d344a9977f19b661a8ef8

SHA512
5dad8754120d3f8957b60c0dde397bd31d3e37db28b39fb488623545a2f137708e4ae356e275c1f5568da2ef05523cefe1b9c14ae321d2529a281771e54408c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1e8e32bf4ee142294a571beb7b923d5a

SHA1
fed72ff7aebff4a61ee80e864bd898fe8d64a78b

SHA256
10b99e2b8dbba4f090270d883520a1450758f421f76bad51e5ece422c62cc60f

SHA512
61997b73509cc0c6874a5c091398b9d02a1949e40d6ac6883dc7e38272bf77f61b4ec4f0cec761bea84937d8def2ce25ceb080bfeb7af274b08dbd346e46496d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
836ad24229b280baac9e7295046e4459

SHA1
7f3c45e8a310645bbdb9a2234bd23df24e0be571

SHA256
d4c5eda45a6f3960409fe46f6c29aa89c4219f0e350b3f2ae0f056d0f0516619

SHA512
4685b978267681c4d8966c6f46b31d39f5482958cbbedf9302c9f2135c2dc8bc5449933a801a0be8758b36c7c9b13894cb3b0cc61769e5831308960fa3d4d853

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8125721eaf82f81ff2eebb71a455b16d

SHA1
6720917329de2e6cd4980e5bcc5b8c893ade4ee1

SHA256
c7f9bf02f1ea1ddfa97336b6361265a7ec9598ba1369cf2a4d0711985daa2f10

SHA512
b0006283c1a59ccdd03b0fc4efd4ea79b1e414ec9c74dd496694d86ba4568b1474b8954e5b5ba38b56ae7fc74683ca5bcd1d2a4a01d26635e6cc8bd12f0f1cdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
277d9a9a196946223ebabe22784ce080

SHA1
df3cc14e2dcace4b505d9778938c7e83c69fee2c

SHA256
a138ec0ff676639a41edc681865d7caa7498b10d4678297e05ef8d0fdb7bcb75

SHA512
70ea710622aae85a97119b00fdcbc4704d1e824b01d4f88648eb19e6f6d052cfc3fc5f908c7276ae221d9684f659758f79231ca79fb1df8339a0a49ca49b9329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO405E49E8\Invoice No-99531.bat
Filesize
500KB

MD5
0b7d5f3ff5e4f26e4873337056b35fba

SHA1
8eb49683378825b23c9b82e9782a3a2ca09e7418

SHA256
ec214c52f8d1971dbcd48e9c5d35bd583111a12a73102fbba18ef4d31d5157d2

SHA512
9f90e0676b81571e0779003cf290fabb877e01fa22ff542e645c238a41831e90238da8822c7e7ff506ef9c49dc59415d9b9adfc499ecb78f07ad0b9f7669ad5b

Download Submit
C:\Users\Admin\Downloads\Invoice No-995319.zipx
Filesize
333KB

MD5
a9e00234d47c1c1b929ff4110546769a

SHA1
741da9510aaba8db15ab87e64970d8352c96ca76

SHA256
21d253253fa311932065d43d7163c2296c9e4a7ca98f478826c9377e382f911a

SHA512
b33591a5a0d23b9fd92dc2ef653ac158d8393cbc2841b414b386361203e8a69353a76399f13c6a25f9c9ca35ed10d472011091a3d89c3b24855cce4689dbe006

Download Submit
\??\pipe\crashpad_4460_UDZZNFQWXUEXFHSP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit