kutaki | hxxps://argunt[.]com/mjfjdf

Analysis

max time kernel
88s
max time network
88s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-11-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://argunt.com/mjfjdf

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki
Kutaki family
kutaki

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iybvvefk.exe	Inv No 65990.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbwbgafk.exe	Inv No 65990.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbwbgafk.exe	Inv No 65990.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnvkykfk.exe	Inv No 65990.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnvkykfk.exe	Inv No 65990.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffblkpfk.exe	Inv No 65990.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffblkpfk.exe	Inv No 65990.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iybvvefk.exe	Inv No 65990.bat

Executes dropped EXE 4 IoCs

pid	Process
4068	iybvvefk.exe
1932	gbwbgafk.exe
2924	bnvkykfk.exe
4612	ffblkpfk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbwbgafk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnvkykfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inv No 65990.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffblkpfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inv No 65990.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iybvvefk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inv No 65990.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inv No 65990.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1092	taskkill.exe
4640	taskkill.exe
2264	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771837417522578"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1580	Inv No 65990.bat
1580	Inv No 65990.bat
1580	Inv No 65990.bat
4068	iybvvefk.exe
4068	iybvvefk.exe
4068	iybvvefk.exe
1588	Inv No 65990.bat
1588	Inv No 65990.bat
1588	Inv No 65990.bat
1932	gbwbgafk.exe
1932	gbwbgafk.exe
1932	gbwbgafk.exe
1408	Inv No 65990.bat
1408	Inv No 65990.bat
1408	Inv No 65990.bat
2924	bnvkykfk.exe
2924	bnvkykfk.exe
2924	bnvkykfk.exe
1172	Inv No 65990.bat
1172	Inv No 65990.bat
1172	Inv No 65990.bat
4612	ffblkpfk.exe
4612	ffblkpfk.exe
4612	ffblkpfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 3224	1592	chrome.exe	82
PID 1592 wrote to memory of 3224	1592	chrome.exe	82
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1688	1592	chrome.exe	83
PID 1592 wrote to memory of 1720	1592	chrome.exe	84
PID 1592 wrote to memory of 1720	1592	chrome.exe	84
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85
PID 1592 wrote to memory of 3808	1592	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://argunt.com/mjfjdf
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1dc,0x228,0x7ffb2e22cc40,0x7ffb2e22cc4c,0x7ffb2e22cc58
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2096,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1932,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4368,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3884,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4384,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5064,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4468,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4876,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5564,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5488,i,18155394128563727849,16253376495245817566,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:1784

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\3bbda9a6-45aa-4fce-b0f0-98d5ae4618df_Inv No 65990.zip.8df\Inv No 65990.bat
"C:\Users\Admin\AppData\Local\Temp\3bbda9a6-45aa-4fce-b0f0-98d5ae4618df_Inv No 65990.zip.8df\Inv No 65990.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iybvvefk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iybvvefk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4068

C:\Users\Admin\AppData\Local\Temp\24bde521-11ea-4f15-9466-558b64a71b8e_Inv No 65990.zip.b8e\Inv No 65990.bat
"C:\Users\Admin\AppData\Local\Temp\24bde521-11ea-4f15-9466-558b64a71b8e_Inv No 65990.zip.b8e\Inv No 65990.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im iybvvefk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbwbgafk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbwbgafk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1932

C:\Users\Admin\AppData\Local\Temp\0d473ab9-bad3-4444-bd22-03cf96f9617f_Inv No 65990.zip.17f\Inv No 65990.bat
"C:\Users\Admin\AppData\Local\Temp\0d473ab9-bad3-4444-bd22-03cf96f9617f_Inv No 65990.zip.17f\Inv No 65990.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im gbwbgafk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnvkykfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnvkykfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2924

C:\Users\Admin\AppData\Local\Temp\23107d37-1b4d-4ccc-a51d-565de94f03fb_Inv No 65990.zip.3fb\Inv No 65990.bat
"C:\Users\Admin\AppData\Local\Temp\23107d37-1b4d-4ccc-a51d-565de94f03fb_Inv No 65990.zip.3fb\Inv No 65990.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im bnvkykfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2264
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffblkpfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffblkpfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f9c1fb6675dcb8d20ce26814dfcd7b2f

SHA1
63868460fa7c42e638c71281d67981f7e7bcca75

SHA256
ea5e84ed51dd0a03ff2959ef3d82a2ae912d8d2b99032dc6fc9e61a53b63f878

SHA512
6902af7c5e0d06fd7833e588cdb33deb72e76441f143c1b1c75b8784cedaf5bdb3a63effb174c11fd9af41e24961659a0598b4c14a5a5395950facaff06d0e21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
239adfa7ffd2ec650ee1636dd882a54d

SHA1
ce91c43000602f6c75d008387390f0ec90c926bf

SHA256
74905699670941d423a15b41e82b95354055c9ac2141adbe1a9bee9c3a02b29a

SHA512
6dca2b56748edbd6ab4d53e2933f9dca57bf1cbbd37ec0c7b4014f28ba9ae20b0f7737983393969c7dd35c804894c889eb7e6af387ba0a43d92fb01b6086b3e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e58b0af83746633591984c695f8d991d

SHA1
1a7695196e948857b839f01bd2034a338883c24f

SHA256
57847207831a83175add2807bd8144fb1cdc6944918b7562fd0de719ed109fa8

SHA512
f7e7c652b8121003a9268d2cbb18aaa21ece6361061e513449bb4f594f6ea932203d44e3f570d0b205c6270848a261fc174285d313e020af33e9ef01ea4a596f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
8dc837eadd117994ab3f0203d7063218

SHA1
b3aaab7087afd0891e0c142e026842a627849e6d

SHA256
8587c74403a9b17e7df727c1da2a983d126eb9907d272032c6080b2f1bb30cb5

SHA512
1300408d018c4032eaa18e8442031df92466b660105afa5ffc14c35dbb0a26ed9f1a160fd0268275ccf748155bf19ae5bc357e3413e6396276cfc5aa6013d2d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
70f66ca9f60123ea410506f91c7508f1

SHA1
c5536503fc05e8b6588c42f339bf4f07f468b02a

SHA256
c4e8b5d6792ac42f31075a261e7ba523cde511ebe1cd1997f816445db8a01e9d

SHA512
4b9ddabddbe61c2075b335f5e133b9e15366d9c357b9990bc562a949b49b61377166d96a9882182bc8eb3ce28dbc7cfc86dcb0f60868c2a210713dd19a8e3d5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
770c41b1d7c5d6b7a055f80a80058dda

SHA1
a9eb22d3410514300b5541aa3a8376f862279cc2

SHA256
78ce7678102f16c968708488f20c3cc2db29ca6a74a9aa99dcf03bca1e3b0d47

SHA512
c1db242fb252bc350c04741fc682ebe28476e265cdb133e8fd058e3a99e59823699a6ba39c7acdcad51f632dffe05a8c6332e9f1d54c23d62b531b9e79c86f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cafafa2ee7323cabdea2a7fa3621b644

SHA1
c5152750e9c5909f95e2a3016dc7d051f208d080

SHA256
ce24a509971a847d12c65cc9beb8762bc93edd9d7ab89d09d3d83824a50d83a9

SHA512
ffb30b197d2cb52be415b73002f8a57fddf5dfa54064a3cd9ff35217286ce5a622a916a73faf18eb68b8b05f881bec84c502cba75f139374c2b5fba240763003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba5ca5b94b31051699f29c4394cf2caa

SHA1
05a58a94efa1906ba95e1f4c0e598d4780f7498f

SHA256
ebb1605aaf07b710689a6fb278f16ef72afef6451f9d3963bbd828aa316dee68

SHA512
a377e527da201219b7e5192ba6532bdca7db93cb973bf989ab3588e800ecbe9491e02bc46cd2d6310afe1fda2cf824dd89995d063ed5628389612c49e7dd596f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca176435325b1e4a917829a10a1d860f

SHA1
120ff41c71db91a7751d6bf04230715c2ce5bc2d

SHA256
e5587785d635c2e70309ebc404376a681f6adc85187aacd9dee9d78fa6cf9617

SHA512
80a2f5033ada12fd4a69ab37ee30b0d74beb93b91c3eaa2f17f79b033bf93dcd73810635688bab484c7c7fcbe47faa59fe68592d5461f4eae3901ae12b3350e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8360f1bcad47c27d3c251aa5b4fa1afb

SHA1
c8ce084d726d4d67d625b87f7bd96a75cf189be6

SHA256
83baf0a5b94a2173b9d4d9799194a7f448321f85f85b9f44f6132af88b7f470f

SHA512
0569ce83808ffbdd85c47ab2dd029c4d6059c0d42be06472c997f35ef39c94ffd4be6ed5c88fd25a1be582fbffbbed1c1454860da10686b57458a85349df8aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
56eefb72f23dd521ede4a68485a52abe

SHA1
ee31a92a864180781dedbdd7afc6f269c4eaefae

SHA256
f12200f28a26d3b3f1a06ae63964a74e897fb29eeaf2fd60f24b4a6de1480bc2

SHA512
368f1de2130d7ffd463b07011490346dc57816e00cbbfe90231dc983f3d1ee61733e8c3d113d013c1d972ae51541cb037634865b24d252568e546c6f18703338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
083c4c55048cce1722dd1a8e000ed72b

SHA1
9bc93ce64e6a704853065319c906b39b2d22b8a8

SHA256
b9e2c79f5c803be5e243d36cb64622ab0cff2e67d1e5670b3521dbd226466f9d

SHA512
7471b32e7b0869e2bde1ae7d1b82b30cd6dd47f68e0b9adbc53fa6be97250ae46fb5e37f8d9bfede33bda26fd0a8dcfe1b663661486d5ee383edf58acc620668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
f53384d52296da96f551800b4a8985b0

SHA1
6eaa620d56f60e0b894ccc53c132c47bec24e3b1

SHA256
4a931d32bfa00920e27bf4649d5af805cfe9ed99efd263eb91ef81c2a12cf02c

SHA512
425af52cd48088367982bd1ca2dd21a769aca3ad728bfa3f56936d9d671a34c98cc3bb08c6bc3c9d06ceec9695ae8129260093da01e9393cdf477386b4919eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
b40e9599b6cccc8e5a4a492f50a3143d

SHA1
cf4df638c1b696363214c8b0d8604dc9e44cd50c

SHA256
fbe01fafa331d5055890e9bb834cac3e9fb3c5d317740db1c9fb579841881c43

SHA512
b5a8fbb1a22c2a32b3d6bebd388296ced9a47caf3fcc1f230d3dd8db0f4d0aac04759c81fd7f1682f37ade77f41ba38e5c212745d1da173c8dce9a457f79859b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iybvvefk.exe

Filesize
464KB

MD5
8c4f2ef702e34171918c9bc81c43e75d

SHA1
a603ad96ae8cc61257784a7828795e66f46366e0

SHA256
46f2747c7a9b1bfba6a3aac8d846e6f854895f6e75e9d395898fd2b74eebb46f

SHA512
154f3c261f0d9cc69b2bcba52fd72edbdf458487d91e5bef7c24add1222e7ba570a76b7a5db4b3c971c1223af9d8957db645f2d28ccda24ea591e07bffa7ac6c

Download Submit
C:\Users\Admin\Downloads\Inv No 65990.zip

Filesize
323KB

MD5
7524cfe65c160acf678d2820cc4351c5

SHA1
0ff66b65339cde68552d7eb1540dc0a8ae63b8aa

SHA256
38997ced36313b3fcf6cd2da9a7ab4070684e6043e44c8a5b012ee26a971cf24

SHA512
a08a40bf724b7ae9adfd9e8b24c76e89801b906a730981d3e6cfd34590e265b6264531f5b1ed5b822b4943e565a6e05d7e912241291393239fb701d60f0f93d3

Download Submit