Malware Analysis Report

2024-11-30 11:25

Sample ID 220104-e35dcafga5
Target 404.htm
SHA256 cc3aa328b29867e053ff7bf5e4d4ca84034f679ce19f5488c2d7f0d6052b214a
Tags kutaki keylogger stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 cc3aa328b29867e053ff7bf5e4d4ca84034f679ce19f5488c2d7f0d6052b214a

Threat Level: Known bad

The file 404.htm was found to be: Known bad.

Malicious Activity Summary

kutaki keylogger stealer

Kutaki

Kutaki Executable

Executes dropped EXE

Drops startup file

Loads dropped DLL

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer Phishing Filter

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-04 04:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-04 04:28

Reported

2022-01-04 04:31

Platform

win7-en-20211208

Max time kernel

151s

Max time network

149s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\404.htm

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 00e410a82301d801 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "348035525" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC202121-6D16-11EC-AF3B-7EB9569AE3EA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000f5eb99f357bc5ddbb9b7b2fbfd602c7e4ea49fcd240f579a377b4b57fe6aeed9000000000e8000000002000020000000ccde27cfe33b59b1ce82c8e2e53cf83e95f9f07d8915a43b109f306f918ca763200000008c6f7b1904a9b9b6d5503c9ac386d2a114ef68721edbd5a1078c7f727e6072c84000000054b64c98d76a468576bc020e65106659ba5faee8303cc4755c8ec0dbbb86ecdda31da5eb812e0398febf451885b8895737322bbf6616ea1b0a4496c84b1aa29c C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403852b42301d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A (2 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A (4 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe N/A (3 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe N/A (55 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 600 wrote to memory of 1092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 identical rows)
PID 1564 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 1564 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe (4 identical rows)

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\404.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cocoatini.in udp
US 162.222.227.230:80 www.cocoatini.in tcp
US 162.222.227.230:80 www.cocoatini.in tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
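The Network table above is the only delivery infrastructure the report exposes: the zip is fetched over plain HTTP from www.cocoatini.in (162.222.227.230:80), while 8.8.8.8 and ieonline.microsoft.com are the sandbox resolver and IE SmartScreen, not attacker assets. The following is an added example, not part of the sandbox report, that sweeps DNS and proxy logs for those two indicators. The BIND-style query-log layout, the proxy line layout and every log line are constructed for the example; suffix matching is done explicitly so that a look-alike such as cocoatini.in.example.com does not match.

```python
"""Sweep DNS and proxy logs for the Kutaki delivery infrastructure.

Added example; not part of the sandbox report. Indicators come from the
Network table above; log formats and log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# From the report's Network table. 8.8.8.8 (resolver) and
# ieonline.microsoft.com (IE SmartScreen) are browser/sandbox plumbing,
# not attacker infrastructure, so they are deliberately not indicators.
KUTAKI_DOMAINS = {"www.cocoatini.in", "cocoatini.in"}
KUTAKI_IPS = {ipaddress.ip_address("162.222.227.230")}


@dataclass(frozen=True)
class Hit:
    source: str      # "dns" or "proxy"
    line_no: int     # 1-based line in the input
    client: str      # internal host that made the request
    indicator: str   # which indicator matched


# Assumed log shapes: BIND-style query log and a proxy access log laid out as
# "<ts> <client> <dst>:<port> <method> <url> <status>".
_DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")
_PROXY_RE = re.compile(
    r"(?P<client>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+)"
)


def is_kutaki_domain(name: str) -> bool:
    """Exact or subdomain match only: 'cocoatini.in.example.com' must not match."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in KUTAKI_DOMAINS)


def url_host(url: str) -> str:
    """Host part of a URL or of a CONNECT target ('host:port')."""
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return host.split("/")[0].split(":")[0]


def sweep_dns(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        m = _DNS_RE.search(line)
        if m and is_kutaki_domain(m["qname"]):
            hits.append(Hit("dns", n, m["client"], m["qname"].rstrip(".").lower()))
    return hits


def sweep_proxy(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        m = _PROXY_RE.search(line)
        if not m:
            continue
        host = url_host(m["url"])
        if is_kutaki_domain(host):
            hits.append(Hit("proxy", n, m["client"], host))
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:      # regex admits octets above 255; skip those
            continue
        if dst in KUTAKI_IPS:
            # Direct-to-IP fetch with no hostname: still the same server.
            hits.append(Hit("proxy", n, m["client"], m["dst"]))
    return hits


# Constructed sample lines (timestamps near the detonation time above).
SAMPLE_DNS = [
    "04-Jan-2022 04:29:01.120 client 10.0.0.15#51234: query: www.cocoatini.in IN A +",
    "04-Jan-2022 04:29:02.003 client 10.0.0.15#51235: query: ieonline.microsoft.com IN A +",
    "04-Jan-2022 04:29:05.441 client 10.0.0.22#49152: query: cocoatini.in.example.com IN A +",
]
SAMPLE_PROXY = [
    "1641270543.210 10.0.0.15 162.222.227.230:80 GET http://www.cocoatini.in/ 200",
    "1641270544.001 10.0.0.15 204.79.197.200:443 CONNECT ieonline.microsoft.com:443 200",
    "1641270601.555 10.0.0.31 162.222.227.230:80 GET http://162.222.227.230/ 200",
]

if __name__ == "__main__":
    for hit in sweep_dns(SAMPLE_DNS) + sweep_proxy(SAMPLE_PROXY):
        print(hit)
```

Two of the three DNS lines and two of the three proxy lines are hits; the SmartScreen lookup and the look-alike domain are not. A direct-to-IP fetch is reported on the address, which matters here because the report shows the same server reached twice on port 80.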

Files

memory/1092-54-0x0000000000000000-mapping.dmp

memory/600-55-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VSJJWE3\Tax Payment Challan.zip.eyabtkq.partial

MD5 12bd7557bb598976e2b6fd37252967ba
SHA1 c7240568595c37d11270ea8f3ae8d2a525987191
SHA256 69e098c97202d350e9ea0268520999f0544936d28596a1a2c6fbe74b3d3b45b4
SHA512 16a02481aa622828877660113ca473d762204729276441949e01cd4f579ecbafcaae0ad2d91ceb22fe571dd9f43e89df0678a98a8f0d35753f4cf60edf099f8c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YT64D050.txt

MD5 05b2d35d2f23656193e698ad9cf4f043
SHA1 cf781a12e9c6fda8a638f568b1a8650c711c5643
SHA256 d3969411bb43a232dae2af2a8c1e494d0b97e9a1f03684144802031da5e6d91d
SHA512 f5088a63325c2e649f31c8d46e7523c71be7db38b6fcf5831aa93fed206b8c5802b6a200c0857cc2d7e4a9b98dfe88c4f832c3ce3098baea4f832a7427de3ddd

memory/1564-58-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1564-59-0x0000000000220000-0x000000000022A000-memory.dmp

memory/1564-60-0x0000000076151000-0x0000000076153000-memory.dmp

memory/564-61-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe

MD5 ceb4610a2e6bc8ffc049d43df625c4c3
SHA1 cc9f8b871c8edf18ebdc654ba64e9a90257445d8
SHA256 ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098
SHA512 c0fad261493e8bb71a813c830212e06384d7b114ff4fcce1228b18b4e5823ba76423fd05800f3f1997940ae6a00b1f3d32cce08c6e2904b029f3feff5f7c9347

memory/1640-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe

MD5 ceb4610a2e6bc8ffc049d43df625c4c3
SHA1 cc9f8b871c8edf18ebdc654ba64e9a90257445d8
SHA256 ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098
SHA512 c0fad261493e8bb71a813c830212e06384d7b114ff4fcce1228b18b4e5823ba76423fd05800f3f1997940ae6a00b1f3d32cce08c6e2904b029f3feff5f7c9347

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe

MD5 ceb4610a2e6bc8ffc049d43df625c4c3
SHA1 cc9f8b871c8edf18ebdc654ba64e9a90257445d8
SHA256 ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098
SHA512 c0fad261493e8bb71a813c830212e06384d7b114ff4fcce1228b18b4e5823ba76423fd05800f3f1997940ae6a00b1f3d32cce08c6e2904b029f3feff5f7c9347

memory/1640-66-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/1640-67-0x00000000001C0000-0x00000000001CA000-memory.dmp
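The Files section gives the one host artefact worth sweeping for: the dropped Startup binary (lyymfach.exe, SHA256 ee4ab2d7…) and the downloaded zip (SHA256 69e098c9…). The following is an added example, not part of the sandbox report, that checks the per-user and all-users Startup folders for those hashes and, independently of hash, for any raw PE image, since Startup normally holds .lnk shortcuts and Kutaki writes a randomly named .exe there. The Startup paths are the standard %APPDATA% and %ProgramData% locations; nrxinrch.exe from the Windows 10 run has no hash on the page and so is not listed; the files used in the test are constructed.

```python
"""Triage check for the Startup-folder persistence seen in the detonations.

Added example; not part of the sandbox report. Hashes are the SHA256 values
from the Files section; the Startup-folder locations are standard Windows
paths, and the test input is constructed.
"""
import hashlib
import os
from pathlib import Path

# SHA256 values from the Files section. nrxinrch.exe (the Windows 10 drop)
# has no hash on the page, so only the Windows 7 artefacts are listed.
KNOWN_BAD_SHA256 = {
    "ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098",  # lyymfach.exe
    "69e098c97202d350e9ea0268520999f0544936d28596a1a2c6fbe74b3d3b45b4",  # Tax Payment Challan.zip
}

# Relative path of the Startup folder under %APPDATA% (per user) and
# %ProgramData% (all users).
STARTUP_SUBPATH = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"


def startup_dirs():
    """Startup folders to inspect on the local host (empty on non-Windows)."""
    dirs = []
    for var in ("APPDATA", "PROGRAMDATA"):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / STARTUP_SUBPATH)
    return dirs


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """True if the file starts with the MZ header, whatever its extension."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_startup(dirs, known_bad=KNOWN_BAD_SHA256):
    """Return one finding per suspicious file in the given Startup folders.

    A file is reported if its SHA256 is in known_bad, or if it is a PE image:
    Startup normally contains .lnk shortcuts, and Kutaki writes a raw .exe
    there under a random name (lyymfach.exe / nrxinrch.exe above).
    """
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if not p.is_file():
                continue
            reasons = []
            digest = sha256_file(p)
            if digest in known_bad:
                reasons.append("known_bad_hash")
            if is_pe(p):
                reasons.append("pe_in_startup")
            if reasons:
                findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_startup(startup_dirs()):
        print(finding)
```

Run it as the user whose profile is being checked, or point scan_startup() at a mounted image's Startup folders; the PE check catches a re-packed build whose hash no longer matches the one on this page.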

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-04 04:28

Reported

2022-01-04 04:31

Platform

win10-en-20211208

Max time kernel

138s

Max time network

130s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\404.htm

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 28aae2c489ecd701 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206b7bb42301d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0649ab42301d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "348035529" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "348052123" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d7000000000200000000001066000000010000200000004ee2f5484093e21af802b2578f637bbef2d7e906b24c6e9aee5ddd0563f2783b000000000e80000000020000200000009422aaba7b03bb767e37bb37102c6ad0a1e152212d88705ca876b3827e0e5097200000008c4974012d839cace0c60373bd5a1139118616cd0a0c9b78a6f36ba126e636f44000000024b9ae4ee7449098c9cc517de8ecb764ad522de283fdc55cb0b0070068498a8c56a41a221c8f683481ae31abab6578511d7dbb485214a9da6094d78677206fe1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\GPU C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "348084115" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\RepId C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{BA8E3F1D-7F0F-4A55-B13A-73604D99B7E5}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BC2ECAF-6F72-11EC-9231-EAE77BAD686B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d700000000020000000000106600000001000020000000d6cf32a59888e8811b29cdaf0ddebd53b49986531c3980358dbe2559cb11f9ce000000000e80000000020000200000003c7b059367a0af7222677ced4867e73b019b71dcd7c8294718e3321589024d6120000000a48af222d0cf8f75255c43c42a264c9954b92f11fc94ff7c29348c522593ec35400000000495f57d307f4b1ad20362355d0debdb2ff159dfed0f69be5f211b6fbf5c7871f13413debbdd3b926fbe09fb71cebf3042d1f1d4e3abc37607c5a268c6ddd2d3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 580 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 580 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 580 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3644 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe
PID 3644 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe
PID 3644 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\404.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:82945 /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe"

Network

Country Destination Domain Proto
US 52.109.8.19:443 tcp
US 8.8.8.8:53 www.cocoatini.in udp
US 162.222.227.230:80 www.cocoatini.in tcp
US 162.222.227.230:80 www.cocoatini.in tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LXHW3R39.cookie

MD5 9067728afb7344e3e7958b644b037f4e
SHA1 faf0157fe97f2440126c21729e18cb1cf1f6c5bb
SHA256 f18291258b4f453039dade7af3cd6741164047ded52ba76eef4e99a4f3613843
SHA512 93dc1838c4535a33c60d06920bab7273fb1ee9f7f0bceb846d87b7f5fb2129cd7725de5bf3ebe7e701c6d350746fbab589864e227cbb37418ef0af436e7329da

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6VZI9KRM\Tax Payment Challan.zip.7ti31w6.partial

MD5 12bd7557bb598976e2b6fd37252967ba
SHA1 c7240568595c37d11270ea8f3ae8d2a525987191
SHA256 69e098c97202d350e9ea0268520999f0544936d28596a1a2c6fbe74b3d3b45b4
SHA512 16a02481aa622828877660113ca473d762204729276441949e01cd4f579ecbafcaae0ad2d91ceb22fe571dd9f43e89df0678a98a8f0d35753f4cf60edf099f8c

memory/1828-215-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe

MD5 ceb4610a2e6bc8ffc049d43df625c4c3
SHA1 cc9f8b871c8edf18ebdc654ba64e9a90257445d8
SHA256 ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098
SHA512 c0fad261493e8bb71a813c830212e06384d7b114ff4fcce1228b18b4e5823ba76423fd05800f3f1997940ae6a00b1f3d32cce08c6e2904b029f3feff5f7c9347

memory/3588-216-0x0000000000000000-mapping.dmp
