kutaki | hxxps://rb[.]gy/v3vg5

Analysis

max time kernel
520s
max time network
494s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rb.gy/v3vg5

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Payment_Debit.cmd

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wennfsfk.exe	Payment_Debit.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wennfsfk.exe	Payment_Debit.cmd

Executes dropped EXE 2 IoCs

Processes:

Payment_Debit.cmdwennfsfk.exe

pid	Process
4072	Payment_Debit.cmd
548	wennfsfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295834706745693"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
3280	chrome.exe
3280	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe7zG.exe

pid	Process
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
4684	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Payment_Debit.cmdwennfsfk.exe

pid	Process
4072	Payment_Debit.cmd
4072	Payment_Debit.cmd
4072	Payment_Debit.cmd
548	wennfsfk.exe
548	wennfsfk.exe
548	wennfsfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 3280 wrote to memory of 1644	3280	chrome.exe	83
PID 3280 wrote to memory of 1644	3280	chrome.exe	83
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 4820	3280	chrome.exe	85
PID 3280 wrote to memory of 3852	3280	chrome.exe	86
PID 3280 wrote to memory of 3852	3280	chrome.exe	86
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87
PID 3280 wrote to memory of 3664	3280	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://rb.gy/v3vg5
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb46e39758,0x7ffb46e39768,0x7ffb46e39778
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:2
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:1
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4876 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1808,i,64164769888754509,17287311949769791936,131072 /prefetch:8
  2⤵
  PID:4208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2620

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Payment_Debit\" -ad -an -ai#7zMap4693:88:7zEvent30231
1⤵
- Suspicious use of FindShellTrayWindow
PID:4684

C:\Users\Admin\Downloads\Payment_Debit\Payment_Debit.cmd
"C:\Users\Admin\Downloads\Payment_Debit\Payment_Debit.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wennfsfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wennfsfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9f72b413a0cb420283e0adfe15307b25

SHA1
f2a9e9c205c2ae3b0cbf674d7e6df272f5ceed97

SHA256
f571ec18594d8610f2dfef08fa482677ade2e81ac5bb7b404cf251cd3af552da

SHA512
5d4829f3cb4f2c0f7a020e9639586c0a45a90e6fbc58881e7e6104e0702e3904886b99c690c560b705d3b8b6fe7bc3d74092aa9526bde904f4f7a32c6b66ee0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
9ef763f684931c8313dcd5a5c5b2abe6

SHA1
1f59049f122e69d0d65b41a2a6be9de879ed88cd

SHA256
dab489f241c81e2de45fbe3ea3792e4251056ea42d1e90bafc443cb47c1585c9

SHA512
5a237a510093c7d259e3368c478b7d17143b9e47e1e91efe34542db9b45e3f174326fb80bbb2f50e6dca66bef8b3466cc6578623457944907ed3ca6e4ffb0878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
85ed481a80b91fef1d0ffcc0b541123f

SHA1
03662707fd9d6d98dabc01fbafe4584b9ba4924f

SHA256
e1d89bd715582670e126eeb0cda49d5f8dc614f98b7c6fb9a05f042203d40578

SHA512
1e7ce1a2ade8310fefe1a1e8ce27eedcac568d5e57dd5cfd21878a1567a1d5fd59056af329eca6a709b94276c157d9ed2212007506fc4a03ca1b88be82490147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bcfd959517589e4e87004f44334ed80d

SHA1
577fa162dcd8c9d05cf86addac021e0153ffe2b5

SHA256
40779597795be72844cb98809f77e36835d780918e08e13957246376e7de50c2

SHA512
fee9b49a32b418ba85f82151f062379805e3f0068bfd9dfb6fbbb3856103ba2c85cfd99bc2f1ccd8a16d24a7aa356a2d19b7482e49665096af92f80f832a7559

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9bac9c410d47d2f5d5796e1752df4783

SHA1
ae50cf1ead8c331cfcdbe28d7e1031f5b989b0b7

SHA256
0ff00710efee9ee2e15d70db5b0f1eb212bc5e6a93a88fb4145011a871db89b6

SHA512
2fed47ab3ec14daff16542d741c7582651b8cecd8b18579b5fc8b84c4810cf9196ad6cf47e6bf84d980998de5cc691ab64a000981078bbe0303774917e9217e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
6d83613e1d99bc075f328b2373a5c719

SHA1
87fe6141d1f68d6adaf2cdda7543fbe981cf79f8

SHA256
0af34522850b25a482966599cd92bec46eb4ae4962e6d7eb311dfcf4261b2b8f

SHA512
3d88d4e4ead44db2ce8d2f465546f6d32d8e049a545df8e07f9f29baa9b2271b320679b2d2413eff3695d04df173e8ddf13b479e310fa1da8364a53759f7efe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59afce.TMP

Filesize
106KB

MD5
93ae2ba1d2d5a6e85d114adf6afef106

SHA1
21dc9d55f5eac0402623ae37b7afe4c591b442ca

SHA256
ce2b6cf188b8cf2f6a5a8b483635f0e384be35816b7440d5b8ca359c43c8e6a3

SHA512
e47fe515cd8374edd9deca2cbc7958ab1ecee352744806722c639431adad23eeb86f76529f5cd67111c1e174b75aa434b5dfb2fc00d23812874edfeb79fe2eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cdb70b04-3004-4008-a2aa-e7ba15ecbcdf.tmp

Filesize
153KB

MD5
489f6b0e6a8eedd40a7a6839835c5f0b

SHA1
c825917ffde608c045cb48cc14b871f14e693953

SHA256
18eea240d628c75575b8d3ba59c19c5da3eeab04a82c2c5bab2ddc7ce6c8ba82

SHA512
8a6d3be71fcdd70f3b84f444fcac5e985344597433b1c81900e2382d4f9d514828ba789fa33a662f8e2dad25658e8076662ccba8cf76be75e269f5b73abf6456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wennfsfk.exe

Filesize
2.4MB

MD5
ebec9c7d7ccd8a21125bbf8709fadb40

SHA1
d7759ef600a94c59ef0f7802bea90949041055dd

SHA256
2daaa422a6cc23cf90849e86af30d8bc9252704159a94e2fdd5fc28665f58b54

SHA512
a4cc92873f82390508d8c95a4bb9779fd3212709cc7a7aeb2f1c844de8ce802bec3b7df5be42d5d7ac7bf6a58ca592fd9bc7fe845bc80771adae2c801be2edb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wennfsfk.exe

Filesize
2.4MB

MD5
ebec9c7d7ccd8a21125bbf8709fadb40

SHA1
d7759ef600a94c59ef0f7802bea90949041055dd

SHA256
2daaa422a6cc23cf90849e86af30d8bc9252704159a94e2fdd5fc28665f58b54

SHA512
a4cc92873f82390508d8c95a4bb9779fd3212709cc7a7aeb2f1c844de8ce802bec3b7df5be42d5d7ac7bf6a58ca592fd9bc7fe845bc80771adae2c801be2edb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wennfsfk.exe

Filesize
2.4MB

MD5
ebec9c7d7ccd8a21125bbf8709fadb40

SHA1
d7759ef600a94c59ef0f7802bea90949041055dd

SHA256
2daaa422a6cc23cf90849e86af30d8bc9252704159a94e2fdd5fc28665f58b54

SHA512
a4cc92873f82390508d8c95a4bb9779fd3212709cc7a7aeb2f1c844de8ce802bec3b7df5be42d5d7ac7bf6a58ca592fd9bc7fe845bc80771adae2c801be2edb4

Download Submit
C:\Users\Admin\Downloads\Payment_Debit.zip

Filesize
2.1MB

MD5
6b28c8f8c770282855639857b2a446ac

SHA1
9c7a967e94874909d2c90b7f239a391aa7cef047

SHA256
859c654e0746df397e87d5794f33fce8fd7b716b52eb4611bc0c18360e658d23

SHA512
766df651fd521c4745228b1daa8cb98ad9420bdb1161ad41021bcd0b11dda666d5a824761d6aff396caf7c30f3c3a36052ee3fb9bae62901ed3f8ef58340f32a

Download Submit
C:\Users\Admin\Downloads\Payment_Debit.zip.crdownload

Filesize
2.1MB

MD5
6b28c8f8c770282855639857b2a446ac

SHA1
9c7a967e94874909d2c90b7f239a391aa7cef047

SHA256
859c654e0746df397e87d5794f33fce8fd7b716b52eb4611bc0c18360e658d23

SHA512
766df651fd521c4745228b1daa8cb98ad9420bdb1161ad41021bcd0b11dda666d5a824761d6aff396caf7c30f3c3a36052ee3fb9bae62901ed3f8ef58340f32a

Download Submit
C:\Users\Admin\Downloads\Payment_Debit\Payment_Debit.cmd

Filesize
2.4MB

MD5
ebec9c7d7ccd8a21125bbf8709fadb40

SHA1
d7759ef600a94c59ef0f7802bea90949041055dd

SHA256
2daaa422a6cc23cf90849e86af30d8bc9252704159a94e2fdd5fc28665f58b54

SHA512
a4cc92873f82390508d8c95a4bb9779fd3212709cc7a7aeb2f1c844de8ce802bec3b7df5be42d5d7ac7bf6a58ca592fd9bc7fe845bc80771adae2c801be2edb4

Download Submit
C:\Users\Admin\Downloads\Payment_Debit\Payment_Debit.cmd

Filesize
2.4MB

MD5
ebec9c7d7ccd8a21125bbf8709fadb40

SHA1
d7759ef600a94c59ef0f7802bea90949041055dd

SHA256
2daaa422a6cc23cf90849e86af30d8bc9252704159a94e2fdd5fc28665f58b54

SHA512
a4cc92873f82390508d8c95a4bb9779fd3212709cc7a7aeb2f1c844de8ce802bec3b7df5be42d5d7ac7bf6a58ca592fd9bc7fe845bc80771adae2c801be2edb4

Download Submit
\??\pipe\crashpad_3280_HXBODSNERXHXSSBM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit