kutaki | hxxp://h3a[.]in/jdtesc

Resubmissions

17/03/2025, 02:44

250317-c8ad2s1ky5 1

17/03/2025, 02:34

250317-c2ncbsxwds 10

17/03/2025, 02:29

250317-cyyc5axvct 10

Analysis

max time kernel
600s
max time network
499s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2025, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://h3a.in/jdtesc

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://91.223.82.87/~ojorobia/laptop/laptop.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki
Kutaki family
kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jvkfvrfk.exe	RTGS.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jvkfvrfk.exe	RTGS.cmd

Executes dropped EXE 1 IoCs

pid	Process
4680	jvkfvrfk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RTGS.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jvkfvrfk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866524906872590"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe
Token: SeShutdownPrivilege	5976	chrome.exe
Token: SeCreatePagefilePrivilege	5976	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe
5976	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5192	RTGS.cmd
5192	RTGS.cmd
5192	RTGS.cmd
4680	jvkfvrfk.exe
4680	jvkfvrfk.exe
4680	jvkfvrfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5976 wrote to memory of 1828	5976	chrome.exe	86
PID 5976 wrote to memory of 1828	5976	chrome.exe	86
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5112	5976	chrome.exe	87
PID 5976 wrote to memory of 5308	5976	chrome.exe	88
PID 5976 wrote to memory of 5308	5976	chrome.exe	88
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90
PID 5976 wrote to memory of 5448	5976	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://h3a.in/jdtesc
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb8ad4dcf8,0x7ffb8ad4dd04,0x7ffb8ad4dd10
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1836,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3036,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3032,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4440 /prefetch:2
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4684,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4868,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5552,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4744,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5964,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=208 /prefetch:8
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3964,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4456,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4624,i,5017574348856844252,16164199639459510966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:4456

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4040

C:\Users\Admin\Downloads\RTGS\RTGS.cmd
"C:\Users\Admin\Downloads\RTGS\RTGS.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jvkfvrfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jvkfvrfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\85f9798f-c4fb-4614-966e-690710c7bff6.tmp

Filesize
81KB

MD5
3e5663ede683b87cd7eeb2ce314c7b00

SHA1
3ca1c49423df3a30183811614c8eb1bc7713f4e4

SHA256
9ae44f25aa9233f7993135f3a181290f1d5ee0497fda31b0ca0e22ba41843e47

SHA512
10b782b1fc245535b35827919d4d27198defb25c1902a9630bb38b7265c4f5c7825656a2e65a635908805ed2d5308dc4c382a38bfa67f9db3479fffc36a587d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
5eb76109bdcfdc0934f189e3f7aa6dd6

SHA1
63543e103aaa61eab674fbd9bcb3a5cca57bae01

SHA256
481ae0add1926dae2433c344738e03fb6043435a2337b0e2eaee9dfaa015af9c

SHA512
946365ba4c4512cc528d2327ec5d90c3c80dc6521a9562cb1d7f9715ef0988ff965e9061fd6eb6a5ee74389385fe36910008f40f1e3f053537ffcc76b475fb95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6c2739904ed17ef272b1640c7b3a9d9e

SHA1
9ac3bc658414058da881e94e9684b6937b7b40ac

SHA256
eb0da4794b8d4559d859bae993a4ff7910945853d3eaea6916fb1e6db14f2f66

SHA512
48b1b5566b1a168d63155694c9b42d1f11469a74eb8518dfbf8869e578afce9f4ff20743ede2ebc59182dbf108f360a93556f55501543a492c1984e26aacd67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
63394699d3a153e4b081a9a3518ae759

SHA1
3377a07d2a54a914007601ebedfda755a498f470

SHA256
43b0730a47ad19c5878f4afb26ff8348c2f1f22b72d7baa4454da519dba46ef9

SHA512
34cdbb359f3f4dd8291a9408e94fec1bbf408e20d433f1c23ab28d57713b0a0063dcf3e812c698bc3a72a0569de6d4ece68f90e2d9637f82b431b7feea21613b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0e041b8beb62109bc612bd433aecbfbd

SHA1
15b0515597c527f32376c2faf6d7f4084d208ab8

SHA256
749129b2c7e5e151a012ba92a99b29c216369146a1469915fb7d4eaa4c1700f2

SHA512
f8581544274d402fb6345c08b1bc8972b9156218704e2bed646a61e2af28029072a8c9eab331475d60647b2648f827d93b6eee8d386acb3c1fa14c35678f5573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2231f046df12847a15265df17790c71d

SHA1
2dbbb0998f9ab9b62f2b63e011f8390e867d9bc7

SHA256
aed7a55c6963a5554fda9cd82f54300ef9eb2292736c81498617a8ff84e732ea

SHA512
82e77ad27037c922b41a014fc11a8dd4e87b67c598ac9e40edc44a26ee027f48130ad15227bcfbb8d88dc83cc1693a91e1165f960aafe805bd391443bd19a623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57db3d.TMP

Filesize
48B

MD5
83087ffcf71a32dfbcddc76d56bba3f9

SHA1
e5b01a5da21ed4e14274cbb24c562d0037b8b619

SHA256
10058ed62a668cc87d5e33222559ed4f231f3379bcde5a597475dc89b3fb7c1f

SHA512
57061e2d8c1c728e9a41522dffe8a889de62a459ebd9ffba31dfc52e010c0733c2589309c177faaa5d86e0c22d9968d78b868108b4256cb88abe0b66e32d831d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
7fcf771d56e0c2e763c2075e7f82c8ab

SHA1
3cd99ee27bdf58cc9b886ee99445e7988aa607ec

SHA256
2951c93ae5b115530ff979524ed44f2082033af978e489a347d7979c7ada0eed

SHA512
faf5a665cb32b92eea8b6192dcba239b42a1f3dd645f7ecf6c152ccbb4ff6d99036431e381aa06e4c4168bc465f00595de48afee9129dd35eb20b5feedc3f044

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
bab0dd2bd106f1eee0a1a7f39136294c

SHA1
d349b3c5efcb6ae02ae5aedd23d6e96e3a02eecd

SHA256
42e953dd25c33a3e3630fb925d7308fad381b89afa9dd3461c9cc08cfe839238

SHA512
5520522e42b0f37715d3451ff2223df70218c6964e353d56088c9b365418f48b55bd47ac0c57515dee176e86cded3ba1f1c33965907f7b530831a2fcde086adb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
ba77f26f2614384b02d4d364086cf90e

SHA1
21668de274a3ff3acc42c14d5094c24dae5a70cd

SHA256
c1bfeca5263bc31d0b8e1215c107eaa4c742477dc80dc8feb5f9817c924afba4

SHA512
9e0617b5023ec64b4f12bf48a254f44f82bb6c8a2d75cb0b67e1c6c6f950620dac05c1a44aa930c34f32ac82e6e003d9d2d818ae72b6f8df3f94e0835f2d829e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jvkfvrfk.exe

Filesize
500KB

MD5
8092b76f06d46ae065e8334fa8f26234

SHA1
473dd2cf98b6ace253d83191389cba86d306b94c

SHA256
b4c2077be7a4185869fb91d5f651eb30e53f3eb31c35dee36a85101dc9d612ab

SHA512
1701121fcb0de54592f9c26431258f18276a9f0597cabc7b09553686c913ef5ab9fd2590f9b2f7e8edb671baaff18cf5a5939eb2caea77481fa80e959bf2d0f9

Download Submit