kutaki | hxxps://argunt[.]com/mklop

Analysis

max time kernel
126s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://argunt.com/mklop

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki
Kutaki family
kutaki

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe	HDFC COPY.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe	HDFC COPY.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe	HDFC COPY.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe	HDFC COPY.bat

Executes dropped EXE 2 IoCs

pid	Process
3720	vdjvnvfk.exe
3232	vdjvnvfk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vdjvnvfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HDFC COPY.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vdjvnvfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HDFC COPY.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5116	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763516234678141"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4540	HDFC COPY.bat
4540	HDFC COPY.bat
4540	HDFC COPY.bat
3720	vdjvnvfk.exe
3720	vdjvnvfk.exe
3720	vdjvnvfk.exe
1532	HDFC COPY.bat
1532	HDFC COPY.bat
1532	HDFC COPY.bat
3232	vdjvnvfk.exe
3232	vdjvnvfk.exe
3232	vdjvnvfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4736	3540	chrome.exe	83
PID 3540 wrote to memory of 4736	3540	chrome.exe	83
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 3128	3540	chrome.exe	84
PID 3540 wrote to memory of 4956	3540	chrome.exe	85
PID 3540 wrote to memory of 4956	3540	chrome.exe	85
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86
PID 3540 wrote to memory of 2216	3540	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://argunt.com/mklop
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff5531cc40,0x7fff5531cc4c,0x7fff5531cc58
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1968 /prefetch:3
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5096,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3204,i,8170634631257755029,6388841997595195307,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC COPY.zip\HDFC COPY.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC COPY.zip\HDFC COPY.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3720

C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC COPY.zip\HDFC COPY.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_HDFC COPY.zip\HDFC COPY.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im vdjvnvfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4345b905ecb5efcdfe45aa8a7bb81c85

SHA1
0229d8ef0cad25411fc2cf2f67e4e65e37c1e85f

SHA256
53101f6c68fb6d37f010a46ea704c87f317d9421e823ee86cdd81aed42f3d7c3

SHA512
c897bc70e81b31ccbd4367aee8732b95b05ffbc00ab43274f08faa65a24c1f4c765b65a1c8c2c8e6d931507c42de4d30786339a32d0689551bcba0068bfe1f98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
896f0062b8acbfd81407b5c4f9c6468c

SHA1
4a6f3b34be05ade1ba0578005b77aeb9ebbf9fb5

SHA256
4b33cf98b65860a745494a70a3983a636f344d4ee0083713fee82cb7cadbad7a

SHA512
563c76ebca15b94ee8b490849539ba5689339c8db177e5ceded61c1650d1aca2cce9e65f831046c5c1e131b00b9d5f23e26f873f976c009fbc5cc2cc97990e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
42962adfe7dd916dad67d560b1f44901

SHA1
f43545f267ed9d827bcbac3f95a926b86efd760e

SHA256
59e0ec19a27be60bcaf0f563ef67f58691cbc25c5f8eee295a23b7d2b38909ed

SHA512
c5ded6bfd67915e5a0ffa952d96cef0c454b450f69c1a04c149dd475b01bfa4e57b0b600f8eab83d8b3aa851d413895b123eb1f2d541019c193bfec65ece2969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
946e31fa2701a982070c1b6db8cbee5b

SHA1
3fbbb5f1a78e23513b5c8c9db016f1035ea7be44

SHA256
925ee88b28905cc9c8b229db326cd0fe639359fa066eafff3b17809fe9336578

SHA512
0841505701c1a611dfa34e231ed8589335745e78eb18005ba2e109db473fd91c3587e046a6050ef28f6caf2514af9de4597c3c7ce43de20b8fca5127c28497d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
257b7cd111cb608526dc2d8eea1f689f

SHA1
dc42bee3512cbc5e716c023e9d384ed0add8c8fc

SHA256
78c39860ed478385402d55865cd0d9fc9dc8133e866196434947be7784dffb29

SHA512
dde6e7e43ceb8bb48b7068704ef14e3ba02d88938cdf658ca7cce8dccc70a2db6b88c1c6d12a3e9a9cb03ee3d63be97dbce9d3d34cf5bc2768f6046475c7c252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
abc591a468c24eec27da432309b2ffd8

SHA1
575fe17b5715b0bd92ca018ff9793125c1159d31

SHA256
73f0c284c4a6f2b10ba0d0b34ffb2801ec5df6771e7f3a7f0068da67b868c6d1

SHA512
fcaecc77cb7275eb46af41001054323c4d061c47d1e8576364055932afff8d082a851381f3ab42271db6da852fbd086773153b4942db3866da7fbf07b03fb5f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1166d809ed0d164839ceda6a6ff7156c

SHA1
2c6cc2402a6c14923388e4bf82649b71beaee01e

SHA256
c7d7f4ef523b75f59fae4005905bda48bf8fdde40d74255fd22da8723b3ab9f6

SHA512
e03a7b4fd1cfbe3032544085e1db8cc0046231961f350341cc14f4e10ad186e66d37bfe3cc56c0f25981589f960a03952b0b5b2a86bd0d78c3f276b423c95ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98161aa709dec568da7e3ce80a964038

SHA1
dd6dca2664b36205e00ce1922cf8f2da847df854

SHA256
e105010a32e60b80c3559d0e34a2d597c6013b7ebeb03fb21296588a199d3c99

SHA512
28397b25a11cb556c2b84c6539e00f5ddf018e058bb74f81a88d735ff41ff9f527e5af39a50947843eb3c8cc3a80310393e9322e7573adc943d12693a2420a69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c090f2785d697efbafbf4d5d096b119a

SHA1
dcaec8c8698e1d9dd24550afa0fd58cb6dec883d

SHA256
f0d1a21b11aabe30bf58fa7141777c0a4c125856a5ca8549c4dc82456885f745

SHA512
bde830d2f0e4b05484ed4be824b13b05b47183d966ceceaacac8b47b5f865b3b2b04fa42e1a4bde5dc6d165505f6204fb63551c7e0120a5aeeab9602338e1735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a499be31a518bbac913ec01d04cc704c

SHA1
83d778dba9a561ac34dec12433f2915f0de9e19a

SHA256
fcc1492ed1758dec4e146fc62f418447cf4e813b50940805cf33a3952347b817

SHA512
c520813023201c7f64f36b58ce8e9f9303fb9363b719f78f13cf3b45701461b29705d7d0e4e7a04de1efb0fce5b7f9d86b1c06b2fc9049588501c63199ac2b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e0361e847916c81c883b13c957f11c0

SHA1
e65a68896feb0ffdcf8dca153d927701fdb13278

SHA256
54ce9ce7d36f33367a654bf1896633db59bd7e4e924733a86511a97b030a7666

SHA512
4e90c8fe0416cf9386d7a09b97b00719444953f6c9a1d15e52f8f858179f79f30a56b9ab7b1e490026d3f5202f1ed2bf0183a47709281ee498b688e55613e012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
c60171ea048a713c12153f3582e77afc

SHA1
4dc1d4bffcb240b7d6171b35c4fa8fdc48d4f662

SHA256
391230fe279f9e046f0f7e51e3112e1bb9e47880e508273a549c589e9dfca49b

SHA512
31909381d61805edad67c67275dd3d7fca309ef63a78dd4d00b31e9a389101bc63786eefe2d9c03548f9a4544e8b3766613a42c06e50660c7138eb42f6012c46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
07d024c3b3d86711e4dd46c757a2d767

SHA1
2ea5b5669d4a32bea2459b86c2a1cacf79efb3d7

SHA256
c36556793c0a0558a9864bb11d1a09c0a7adbff1b77badcaf620c2bf4daa7e27

SHA512
80f1a3d325f2896a991af4f136af80890d14bae596b9b9fa5674aa14eafe7cba19292275e3e12b6c9a2444353c62ed8c6d4ed01025725ea19e4a0caea3fd8f60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdjvnvfk.exe

Filesize
464KB

MD5
6b45ad47f69231232eb081f76f8b00c1

SHA1
dc4edbff846df1fa694fa9e0865932eb38b1f7e5

SHA256
1b6146de1bab4e1e4d5bb63e0ca22eb7301104a1625bfcd9188efb87af1b4888

SHA512
daac888a08414ddb51b486d7e449aa4e74b1ed9d651db29d37037292d3c53e2b25f2dd4269bb668d4cd21542cb97d5f1b7141c4448427c90cde65d17df42e2a5

Download Submit
C:\Users\Admin\Downloads\HDFC COPY.zip.crdownload

Filesize
324KB

MD5
7dd63a854da9ced43deccb65de4e50a6

SHA1
c45c9a313ce2a9cdd5d03972eeca76b451af38ea

SHA256
2c1fec61c167224a3a992c4e6b7e3a6a64030de0bc9a65cc3394fba635ebe6ff

SHA512
045bcfade24c186f3b6e91a27d7d58a4e9a8c44430856208410463469d3de073a3a5510465ec9b062a24f07cf4fa8ba890ac5215e4265a6b32cf8c378efb2e86

Download Submit