kutaki | hxxps://kothariwheels[.]com/enxur

Resubmissions

15-02-2024 04:29

240215-e4rhwahc26 10

Analysis

max time kernel
166s
max time network
167s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
15-02-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kothariwheels.com/enxur

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Challan.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmatvufk.exe	Challan.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmatvufk.exe	Challan.bat

Executes dropped EXE 1 IoCs

Processes:

lmatvufk.exe

pid process

1484 lmatvufk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1484	lmatvufk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2826985972-2069816429-388129859-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4644 chrome.exe
4644 chrome.exe
3192 chrome.exe
3192 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

4644 chrome.exe
4644 chrome.exe
4644 chrome.exe
4644 chrome.exe
4644 chrome.exe
4644 chrome.exe
4644 chrome.exe
4644 chrome.exe
4644 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2826985972-2069816429-388129859-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Challan.batlmatvufk.exe

pid process

3752 Challan.bat
3752 Challan.bat
3752 Challan.bat
1484 lmatvufk.exe
1484 lmatvufk.exe
1484 lmatvufk.exe

pid	process
3752	Challan.bat
3752	Challan.bat
3752	Challan.bat
1484	lmatvufk.exe
1484	lmatvufk.exe
1484	lmatvufk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4644 wrote to memory of 2272	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2272	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2548	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2644	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 2644	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe
PID 4644 wrote to memory of 4264	4644	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kothariwheels.com/enxur
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9149c9758,0x7ff9149c9768,0x7ff9149c9778
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5292 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5268 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4700 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5200 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1936 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4496 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5308 --field-trial-handle=1800,i,7535661575375078228,5642671917724715865,131072 /prefetch:1
  2⤵
  PID:1388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\Temp1_Challan.zip\Challan.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Challan.zip\Challan.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmatvufk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmatvufk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0ca03b9dae816d61_0

Filesize
280B

MD5
713ca72803df4fe351a154b3d75dae66

SHA1
d68eef077421d899d15e6bd327173e22ba7e8746

SHA256
899c9d9c4061790fdd55ba6a4b6c9b675b6acecb5f1ce701e3aa192f62ef268d

SHA512
5da7e7082ea8373f881357e2da523ffdc2f3840d75cac94b05690bae9ca5cccc98b1f5c1b0147cd8eb3432d79fe037b82d3fc46cfb9ab3c9ff86acd95c4cf3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0d753e076f638a91_0

Filesize
18KB

MD5
d2420770505a05ba87e967e76d6d2dc2

SHA1
cd200512cbc2b85ab3255592f50b34ba7fd4a98a

SHA256
4b00ddc8ed899a9134d8e92bc3e5834156ff58f25c339a01bb04db63b5a94196

SHA512
ea95fe33e762bf6f3410fbfd44a27adcbd0ffb4df45b609a65a99cfdf97aa922e45d70ca787a3d00e209f5938dd96d0f5fbbbe33462af9fc0a3ce2ab2d750c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ac5d9cc93bac2b3f_0

Filesize
289B

MD5
587214c3ed1073c9b5d78da14c1a6651

SHA1
c888abbaf99d8b97814b1d8c5bc2c9ae5954ee6c

SHA256
676cf81382e939e4dbc6d25ea3d31b8624aa69c7a5a4f1939441775d858f3731

SHA512
ab6f892570972e4075f73c3f73e80b15bd948127728cd6cbf601a30069a7a6efe3e900d53ad43c7b3723665f04ab3b3d68b283c25b4db7561f1407c355616402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\bf0c7fbdf2665121_0

Filesize
324KB

MD5
876ea46039a0b1bb46914e80ac809d8d

SHA1
37925f8790ca11a6b056384e34c7aa387f4eb658

SHA256
4de902824d9ba0e31ed5ad58d03c3aab7fe2bc97fcf59b6cd376552744931f60

SHA512
4d399d8ee8f45e3e9540bbd99848bacb502a4dee3289a507f59406d7318d6a2aee7d91e5b9a82ce3309d2d861a65dfb865ddbfe789a750bbd048158ef3430f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f0366cd4495eea1f3d7560f8eac1ffbd

SHA1
8eb81cce17f82525fc14b6277efb22e715e5909e

SHA256
58e95aadc0de5385ce695052ca89432308c7e36184ddb7f4ad3df7cb0dc42752

SHA512
5172441a303d895ac82556d8613a638a97298d312539bc4898d27cee741c239bb876d79f82686c595b851629683ffbbad1d4d7c43ea5999ec74c298ac388443f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
6ad2544a0420c3c7dfeefa09e3a20472

SHA1
a4026ccadb1cbfe6cd7c13ba1069f0999c4a66e6

SHA256
7cd9f6dc95c5303391b1ba75dc908054f67ce7a4922163ad649134b3fbf63ea5

SHA512
03c487d184b58d92e459e94701668002e85681556ccf8ad617e82ebc61c30eb91d60715cdd5ec275dcc9a5a97558a28a552c95f5bd22eb41569bd49abc9d3497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
3445aadd2bd1d6895bb13f9093da0e88

SHA1
b03a4c2a9901759d76f7e95ea078464d138dc627

SHA256
c094fabda13cdd7d464303ea4f515fdacba17ac0dc3d557c46c49368eeb62e94

SHA512
c5c601d5371e8b2c014f378f7502d085fb990628c9a153981ff1322e249da09da907333346326cf4728a0bd6bc1ca61570c3c8d01823a75099ac312cb5b14cee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
78eefe3a0df95282bb6499a8fccb15d0

SHA1
3cf40a41884d97eaf41be427510ea54b23342d77

SHA256
95c019783d3d14ce06bc13cdb6a6060e30d4bebe862b8edf73bc9b35df2d9262

SHA512
525655fd032ade62b9de8ae8659b42e3c3f298cc48260983d4c6a61fd45f662334dde22a6b70e5612d584a2e78e3edd716985f665ca7bc7f16acfab4c96265b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
134fb0c02b4469f7db7096b063676587

SHA1
bf495515bea5425dd3eaa816fa72bb5a4db27ab2

SHA256
5fb7f8125368da1653f6106d747e9c6778ed0f18b70851177ead63869d4f2779

SHA512
0ef3553bbbd0b6716ec9709eda3913a85fc00bcce43ee28de33343f6251ce6a3a696713efefd8e454c3c7d56cb3d7ece22bcff40ee1914bf732bd13721d95a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
4203c8071bb854e61697877209f9a136

SHA1
b7ef10fe01d92f607d45a114efa33d8b930ee435

SHA256
33cc023c23143970d226f03b2cb1bddea0bc1e8d163c7649d5569ef19118275f

SHA512
99e7ab86c28915d898cf13142aa0df56da24c386e6365f6f50c80c18a23d181e90e93d122fc5f260257dd481361e3599dbef454bdfae2132d68c4ae1d41ca48e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
fcb067a2b77b5986b8909dcdbf3bb708

SHA1
97c04cc3e9bdef30d7020e874c0a910623b926b0

SHA256
afd24c6a98be9330cc934c7a71acde0c4b74274e36cd085ebb59ab0952bf2e03

SHA512
022127d6900a707f5e8437c4d85bd97754e4c394e2ad03a13fb976e587b71ae745bd8b65b3aa30cf2a6991222cd5b180a7df65a3dafe56b62bc3e1cc92a131ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
58dd3714721f151c37bf72399ce15596

SHA1
f453f6d0db4d88d0985ea396cf49755a227a25f3

SHA256
32575810b60c9b1fb4a6d0291df81a50e95a01931389c2d167f3957ef22d74b6

SHA512
e7dfc4a104a375eee9c112e5fa65b42b33df67ff3bca5340f2a0328ceba732f4b267eccc663d83e6c2922bc9988f8dd972c911d0a77619b3578921e363cb388b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
305bf5638ddbe737e11905b99da1aa6b

SHA1
06d5d7abfac794ff1345035bb77e078be6d652d7

SHA256
2693f0db2dae0feba0d5fd74aca7a0e2fea9345da2737455582437b69790668e

SHA512
c0d8a7b6c668f895871a7bc1a2051a46aae09c1810205c6a3894dd1e110c437b5c962de50408c86d011ba26f671b3bc88d4ef52ff49d193366eee26691718b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
882ae5e4fa311e52706eb64818338f15

SHA1
557448b724aa5dfaa0b6b6f28661926655687dc7

SHA256
c409cad604db2bcd52280dc05e9a9c3ddd344a3d978bee05cb6e44dd0de7bbd3

SHA512
7c3a6a8a77479d052c0b598d8b86d36eb92874f5adef5ff7300817cbdd2941b030aff7324a073aac6110f325314b59c48576f90a51870b065b9a487ccc4005d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c568b9ae3307d02a9d33ffec1b83b545

SHA1
7be9c51918f312272ac1702366b6c1a372c9a27d

SHA256
fd0c6e8a085751cd1a061cb7bbb4d3688f04f72ac66a684b76d3cb8305dd83ca

SHA512
15cb74788d765284afc54d4ec821f741aedec5a424d4bb3879fbe680ab4d8135da21769c930e69c5c752c6708f5d45a62971c9745882df29d54bbdd55bbf3194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eeca404e51ac60a4dddc3eb1647297b8

SHA1
183f1755ffaae950aea8dee823ef9110220ec046

SHA256
74be7e2e6c8ba0213bb1f0fc55e5d4be6b9a052fbb4fd058cf399fe0e3e259ef

SHA512
c353e512df11e902b3c79961342080cb17784be76a8dc18bf0442f9d2700d753249d5a9703e038a5f504011d11f4c185324b211f0bf4e148012d02c34fe9c871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fbf5a88fc44b576d75c9d79a6d951678

SHA1
c70a5cf552e6fff2540613183cb2146319edfc0f

SHA256
ffb4867c2112fe2859dd842da4917c911a1261454b1158942c51867e68070112

SHA512
cfc17a433206576b1a9f1379664e1b7fe56fa67e058b3bdd61f966842add1dccc2f8309e5b75849140bfb631290b99f8af7679b836bf58e61f78bfe53b0c4c3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
b7fd2acd0ffc61af3291f90d1cb73321

SHA1
f6a2996a760cb013c49d83547a8e7ce7df567b71

SHA256
3d51b74a34e424bd3c91ba0e605bd9c1c2380c89154759b2f373c5cc1f1c0397

SHA512
527a55f7cecd3df3327ff68615f93da3464d6518d82a175b846a7b778f0717ff6be4e839ea49dd630cca9b2a248d320c647bf2c6408b8ee262e4ef45987b9927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
872f7f3ba5b1c0c2eeb43aa7f59bb0ad

SHA1
c182994242c4f05fadb77576324bc1d88622e9b7

SHA256
e4c29a804d208e4e464b5ba2a203c73df5fe1cc85a0d4a751e24a15ea600888b

SHA512
cc57e864c021f9d3112d58fdf29d408371f70e336bcc49845c53b8256e444b3b8d8429f50d3f3afdd8e05f968223bed9ae89caa5932aad921c42ebc9c3704d55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
0f19625d11b2ff053d29d9f75ed2b77f

SHA1
4b3cbd5033b9bfb57daff62680e4bb4d5f115352

SHA256
82a14a5ed653fd1bad01726ed1c032842c51cf5d3893b08d19696d3fc8ce87da

SHA512
ed520c1c7eb073467fbb909638a8661e0a2d4fb0cabc6d1d70975b5fc38912271ddde83ddef00f4dc3f97a438170ab8114cfa2f383c66ee482be3c7edeba83c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
5abcf1cf1a9460571fe1b85bad33cd55

SHA1
25814b5d003c6914d7603c3f26de544897b3c220

SHA256
c35d2cb2e386966e64869d7a14e67b59585a40d169377c8f3304793fda62026d

SHA512
962ed17536c483e68dd7cbf8623eed0adbe368a65fa554afdaba9275711cda3ba8ec73264b020c8ae7eabf940fe6b790322005496f90af0767572a39381c5aad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmatvufk.exe

Filesize
512KB

MD5
77e4466744584a3f31a4c4e71856772d

SHA1
01ca46d4a08a58b05114b027df5c60974270e233

SHA256
f6cc096b17ba74d886a51599b65a1fd854182df4b2db12326e45fe5662307594

SHA512
97b0cbdac79aa7a8afbf5fd54880f00b59ad9cacd4d0ed3fa846904fdd8b8d7bf2488375001dcc5b06250643288a03863b7e54eca3a328ea01619e5e1988dba8

Download Submit
C:\Users\Admin\Downloads\Challan.zip.crdownload

Filesize
338KB

MD5
ca4e4241dbb49446dd9f3c20991d3b78

SHA1
b6ddac05e7383156574703218ad91953d3509c22

SHA256
4d4445593152fcda3b7f1cc61b7701af503650cf7ed863e9f5f36a50685ee887

SHA512
344b69a054054c6f5278e18f5d83cf1fe60b32e78b947fb73a366b00a9b57977cef01dd9e7fd02ff2baa87c9a248c04acd32a181cf0b1d87e220a1547605c58b

Download Submit
\??\pipe\crashpad_4644_NGWGHSKCSVWXWYNY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit