kutaki | hxxp://kothariwheels[.]com/dnehj

Analysis

max time kernel
50s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://kothariwheels.com/dnehj

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

Inv No 98977.batInv No 98977.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe	Inv No 98977.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe	Inv No 98977.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe	Inv No 98977.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe	Inv No 98977.bat

Executes dropped EXE 4 IoCs

Processes:

Inv No 98977.batnpnrzqfk.exeInv No 98977.batnpnrzqfk.exe

pid process

3020 Inv No 98977.bat
4852 npnrzqfk.exe
1772 Inv No 98977.bat
1808 npnrzqfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

456 taskkill.exe

pid	process
456	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133509855473849182"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1536 chrome.exe
1536 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1536 chrome.exe
1536 chrome.exe
1536 chrome.exe
1536 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeRestorePrivilege	960	7zG.exe
Token: 35	960	7zG.exe
Token: SeSecurityPrivilege	960	7zG.exe
Token: SeSecurityPrivilege	960	7zG.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	process
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
960	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Inv No 98977.batnpnrzqfk.exeInv No 98977.batnpnrzqfk.exe

pid	process
3020	Inv No 98977.bat
3020	Inv No 98977.bat
3020	Inv No 98977.bat
4852	npnrzqfk.exe
4852	npnrzqfk.exe
4852	npnrzqfk.exe
1772	Inv No 98977.bat
1772	Inv No 98977.bat
1772	Inv No 98977.bat
1808	npnrzqfk.exe
1808	npnrzqfk.exe
1808	npnrzqfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1536 wrote to memory of 800	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 800	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4628	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4920	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4920	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe
PID 1536 wrote to memory of 4724	1536	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://kothariwheels.com/dnehj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd67cc9758,0x7ffd67cc9768,0x7ffd67cc9778
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:2
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4848 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3132 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1924,i,15444532698924126651,8137451043101132823,131072 /prefetch:8
  2⤵
  PID:828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3388

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Inv No 98977\" -spe -an -ai#7zMap25808:86:7zEvent31061
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:960

C:\Users\Admin\Downloads\Inv No 98977\Inv No 98977.bat
"C:\Users\Admin\Downloads\Inv No 98977\Inv No 98977.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4852

C:\Users\Admin\Downloads\Inv No 98977\Inv No 98977.bat
"C:\Users\Admin\Downloads\Inv No 98977\Inv No 98977.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1368
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im npnrzqfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
f8b98eb9a5f215d54069f17c569139bd

SHA1
b38d9c0afc8dbd4aa23ad86ff76c300e01d4d96d

SHA256
248f77a6cb0f9cd5cf2adb8f103c23f1b10be46a9c46c6e12fba60fb093875af

SHA512
dae33e63c86affdf3acea5d3b077817e7974c88f2f7f405f04e1282c556d0fea7ef6d5f688dad42376bb689b65dfd1dc94dca15ad0149fb95e2f0108e99f6ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0ebb1907f040d70852e5c12d0d41424f

SHA1
b236aaf6a9c15e95c183efd34a729c523ba442b2

SHA256
d1507ce90fad422457e5bea7fa84d8c867a1bfb375d4f4568c8616cf8c905bae

SHA512
2a6aa87ce562f8aa64db57d494fe542a64da6f4f58a81d3a25eef3d6e59323bf3fd8f99d5c4968078f81e886dbb4fe4fd348b91f1f50050e3dae80fb574ebcb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
12b30bac43ec613b1937165edc52649d

SHA1
054963d27ffe074f7b69a22b4b6a7f72edce9837

SHA256
0a944481af44f45372a008b372f470746fc0c4cb6eb8065beb70adbd9b29d69c

SHA512
6a21d92ff351e85d1a609c2825a8013aaf9e2af2b72da56dffdf24376cb47b033ce904c1e7f67ca8a275acfa872bdae0ebd5c45cb8ddbd86dccdc055e60dafcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe

Filesize
498KB

MD5
818859ee01d45551a11a64fb44f9b233

SHA1
75b39e239f6621bf95bfdec874bd7dfb309d1284

SHA256
5d796c6a99963015e1979b7959f7663641563d35bf751e96c8ce72ff4629cf01

SHA512
6f65d5fed5f6d7cdf5b4173ea0304698e810c29fa8ea308350a58f2a8e30ee698aff6e745df1cb86da04cd1c4a82d790de9634784e16bac25c1416d1654fbe06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe

Filesize
570KB

MD5
a4eaef36fdd0d6b9c735976113dce049

SHA1
2f3e6e57bc6b65ed8b9af0e37d4c99641af36608

SHA256
f74f4233811f148ee7f4890f2690b7914a74b00a9ca51a96479f52b2e2e9685a

SHA512
43bbf1cf4943ad5c02b482885035044bc0f86f0905e7678207a9e653ed3857bcbb56186b4870fd1469109a6609380b238edbd9fec7664bbe96217bb897b1049f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe

Filesize
536KB

MD5
675f67ef7d37ff76980e09df0c084088

SHA1
758c88079c575d838b97cf9c3a1e8e60c5ec6761

SHA256
329559d1f97500086e5f51393a225479f2a8930b7d785f7573c30a275d14ea43

SHA512
a8b6233f7bc061276482420ae777766558fb39402990ef21fcfa20782a4ab4a7f1a6bb874dbb90e8d95fcc129fd3df5150de9ff989806d7a38e0d021566c114e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npnrzqfk.exe

Filesize
2.4MB

MD5
243b04ad74dc56ee36e997ce5957023c

SHA1
7cfe64eb1f9375c84020fbe64991ff8697c800bb

SHA256
2a6b3b326c41b9d157f57bc3b2137046c8e88d73fd6df3a0f2dce1e15075e997

SHA512
55c45f1e3fe3d3119752445372163012809705d62d106ac6de0ea90a248d4876e4c656dec079a63667193956476dca188cdf0605484949c787fe98836caf21f2

Download Submit
C:\Users\Admin\Downloads\Inv No 98977.zip.crdownload

Filesize
2.1MB

MD5
b434b22f5bc8930fb73e6f461201eea0

SHA1
53e6bca1d8c035c4771142a9279b16fdaff72550

SHA256
dd08ef4b023bd8d54cec3d80f09765f801ad19ccc8a1d5861165640a3111670e

SHA512
f82a32c474962b4d927f8f19827b8ea83c5596e256ec01085a987b7b06dbd09996d80d055ec3049c0f9f92014b4ca1cbf478a9dbf9245b14f21e1c1309605f1b

Download Submit
C:\Users\Admin\Downloads\Inv No 98977\Inv No 98977.bat

Filesize
653KB

MD5
385eb39b3db910b2a8ff51eabec3f177

SHA1
e7cd34ca19470408ca32650f756253634111ae26

SHA256
51b4e064f27bb7ae1217b7517714756c17b5ec94b330a32062b6d569f9aee2bb

SHA512
90ebbd4b6855057feeb1a30b4b7d40d79cc44d8b26e267f9ac3284eb6537c794bd7a0f7428da8e251c7d6bdf1d291236a7eec0fc2b2d6662cc11126d248566fa

Download Submit
C:\Users\Admin\Downloads\Inv No 98977\Inv No 98977.bat

Filesize
749KB

MD5
f93d83da78d59c0bdeba8dfe9e898045

SHA1
331100ce4872cf23eb8d902dba9c4f6adc81ec46

SHA256
53708242c0b6ec339c1e3d0aff42af7bbaac37e64ccb91b0ed0795dcbf657a2d

SHA512
0ed28d2375bd75dd2d198c7bd1af4d7834cc41e12110a649345e36b1933e0ae229ce68d1f5cbffa6cf5b49dafbf05343cae854d0189157254943eedcd8660562

Download Submit
C:\Users\Admin\Downloads\Inv No 98977\Inv No 98977.bat

Filesize
350KB

MD5
51dcab038edf52a07b966bcda41738cf

SHA1
21fb178cfe99ad9464dd71a962c85eb9a7a776a0

SHA256
e60f58cbcbe877c236363a9262c8c4d4af51824468632ff1c9b1b331f2b59f59

SHA512
22080222f1ce0f78ca58b63a08cfbd05e41e9b3a1725c7994eb8074870f22bc625b594cfd3a5cde65b4452085801a9ab768d31b7affb8a50c934e00e98a70d28

Download Submit
\??\pipe\crashpad_1536_YRSUKGYRJNIXGCEN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit