kutaki | hxxp://makevision[.]in/invoice

Analysis

max time kernel
600s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2023 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://makevision.in/invoice

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 8 IoCs

Processes:

Invoice_0615.batInvoice_0615.batInvoice_0615.batInvoice_0615.bat

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe	Invoice_0615.bat

Executes dropped EXE 4 IoCs

Processes:

arywnpfk.exearywnpfk.exearywnpfk.exearywnpfk.exe

pid	Process
2152	arywnpfk.exe
1412	arywnpfk.exe
4072	arywnpfk.exe
2152	arywnpfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 3 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid	Process
4016	taskkill.exe
2336	taskkill.exe
3116	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133313223617113076"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000007673eeb56645d901f410e1786f45d9019ff85ed2ab9fd90114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
2028	chrome.exe
2028	chrome.exe
412	chrome.exe
412	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid	Process
1376	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exe

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

Invoice_0615.batarywnpfk.exechrome.exeInvoice_0615.batarywnpfk.exeInvoice_0615.batarywnpfk.exeInvoice_0615.batarywnpfk.exechrome.exe

pid	Process
1836	Invoice_0615.bat
1836	Invoice_0615.bat
1836	Invoice_0615.bat
2152	arywnpfk.exe
2152	arywnpfk.exe
2152	arywnpfk.exe
1376	chrome.exe
1640	Invoice_0615.bat
1640	Invoice_0615.bat
1640	Invoice_0615.bat
1412	arywnpfk.exe
1412	arywnpfk.exe
1412	arywnpfk.exe
2164	Invoice_0615.bat
2164	Invoice_0615.bat
2164	Invoice_0615.bat
4072	arywnpfk.exe
4072	arywnpfk.exe
4072	arywnpfk.exe
3648	Invoice_0615.bat
3648	Invoice_0615.bat
3648	Invoice_0615.bat
2152	arywnpfk.exe
2152	arywnpfk.exe
2152	arywnpfk.exe
2780	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2028 wrote to memory of 2000	2028	chrome.exe	85
PID 2028 wrote to memory of 2000	2028	chrome.exe	85
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 2476	2028	chrome.exe	86
PID 2028 wrote to memory of 3796	2028	chrome.exe	87
PID 2028 wrote to memory of 3796	2028	chrome.exe	87
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88
PID 2028 wrote to memory of 3900	2028	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://makevision.in/invoice
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbd3bc9758,0x7ffbd3bc9768,0x7ffbd3bc9778
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5268 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3540 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4860 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4508 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5680 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5452 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5376 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6124 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5940 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5800 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:1
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1812,i,6045666491253546909,7384759205500993367,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2152

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im arywnpfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:4016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1412

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im arywnpfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:2336
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4072

C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Invoice_0615.zip\Invoice_0615.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im arywnpfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:3116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
37KB

MD5
5b0c0d429185ff30e04c93f67116d98f

SHA1
8eb3286fe16a5bee5a0164b131bc534fd131f250

SHA256
f1a0b957050b529afc0e94c436976326124ed8968183859c413986487623294d

SHA512
6295bcd662325172b15c476d26f23c8794c4f1454e0e8cfd43bca79b45aa03e1ae721ebdada1c52fe7699027fa97699156280ff259ce3cc476e322ccc0337902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
1.1MB

MD5
ff14856060c7d905c34cdca779027f5b

SHA1
29a421f6eb5e52810cea62b19b166811d71a1d0e

SHA256
10b601c2d1fc1e66cf58c08d979a854b175b72e0b1235beeb486568749073661

SHA512
99d6b4a75ef48d4dfa55507fc7028a91a60de10fd2b5b4c3c88fb922274623f876956c6c9078d520d1ad3237681454a2c66ae5676c9542f2f1256ce4896dd541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
162KB

MD5
5d1325194ab19e5446660cfba923e18d

SHA1
1e3c2ca9abbedc852231c72f321207c4cee69276

SHA256
54ad7e76fb07c695cdf95f30ebb6047a552b61ece067cc50b74c2f755722bc03

SHA512
0aee70c35a38942cf88cc655f7f19cb858549cf4e883eb249dbdf70274c96e24c552a187ea0eb44b2943ffb3f9b8be968e066ce9619a43c55004b52419c735bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
550b681ad5795ccb228405892083dacf

SHA1
b8d441191dd4e93e975dfc1625d36be4ac526a1b

SHA256
106c5e8e937d2e16db412da9a7f3207fbe7643f96926948a4db2074969f7bad8

SHA512
f76521b0d88c89bf672cdb51371dd22e2513a6f3c96f2e3833ec3c280df9c350b4a47f3d4041ac34e89b73ceb0e271dc866c65edbda0cf0a01fc1dd7c3599442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
7ca3a8a090b893bbb3fedd9b6d400a11

SHA1
b84743d250d10605f47fba939f6b491e12c89e96

SHA256
553f3cbad576b57ba0bcbbf76ff403aaa529e4b710ebc63cbba4931d49320505

SHA512
e8830d317d29f0705f80bf797dd1c7966bf3b3d5cc08e94313ed17fa610d7f238a495bee535b5ddaf54e3429998601660d322fbe4a0e18442f585909ba07f728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
539d7ecd09f3e0661c1c3de15b692d35

SHA1
99394b29a44f120d198f350d7ec0e5349152317a

SHA256
1f82df4ca706049ca9d0637c00f01b54d3857c5828471d2a0e99c300fc066bc6

SHA512
3c29790562128bd666dbf993a99deb72d6ca1b9343d7028b0204de0fae9bd4f3ec15e269824dd35b67ed5c0fac8860142cd655c8d719d5381891ca76587911fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e9f8db7b02c9e4bd80743a0a12b452a8

SHA1
71ecc357e190eb2415e1e078714581af2852e04b

SHA256
4d2b2ee8958277baf00efbba2d705fbc58d033bca104c647abf6230818550e76

SHA512
f5e699323022e80553c66ec1f669bee6ff98302e25a2d755f925c4a180efbcb6338b3be7d8db7b39c34a0137ae4c0de9bf144c5b1448538a2464bc0ff0e24717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.virustotal.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4a6ee96f1b56d230f528b541fc6dad3d

SHA1
2e72f8f3d913377bd5a326bd6896a99e866df899

SHA256
add31638940ee6cd2aa64105e736e42aff0dee6e8a014155f22436b15c14dfae

SHA512
5dff8718cd62764ba9b24b806112d7166c88cb7ebec91b8d1d3b912380e3f9fe038b7d8c836c0c94c84367b0daa76628a20f6089d09114be3b871683296a5d24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b5bb230761da0dbd92dfd1d333a4c494

SHA1
f45e8d8c3f89510a0a58d7b10a032b4bb684337a

SHA256
3ffc8f2879b1c12fab4561fe36c42478568888b9c2c83b8e29107818ff3e8efd

SHA512
1bb23769ea6a8b85e27ebbfc389804b9bf11e7531702af063834ebb0284821c14434820fc443dfe14f4d10e17fc73841611599bd855f2dbdf56a3bfa6efa76c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a897cb51c130b3a94901a3f939724919

SHA1
8083d1e1b095cca528593fa10161adc1a686e243

SHA256
e140f288598c26f34f3abfd3276b594c6912514e5d645e12f4b7b8f6b557a681

SHA512
bb7349c3c853d744d240aac2d0bfcd12c5465b4630c4e87b42f1b4c9ffaab64f8e17048a34138f1570d3e4a9f573c9897c1435aa17e62858c29045cde131a790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
73b93af8581a8c3bca249a10411049c0

SHA1
9619da591b8db03a2f4910ca7f3166ee28798e9d

SHA256
446faa700aadcf73ee35a82590978d324d85df2a473ef1b777bd0a1b3dc5a525

SHA512
ed28d711f4372ebedb5cc3b9261468a52a047b7abfebf6920786f67aa24d289713d07c41cdc0fee1c8cbf26a26e092b97fef7b43e18e75e33774e2ce04520a94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9bf300d2ff2768c0ba77aee41741055d

SHA1
6a38e2f65d03b61e161b8fe3f0c4eeae2e7fbfff

SHA256
60c0e51c8741bda7becc93e566c42a9adb7562a31e58f8d9c77be6e0643a5a77

SHA512
13c1233c9f95a0d15af02c0a2de0eaa7d4b28f3ec78629c1eb89adcd2f64123a5ebc9cc03b4e260d6e58b33b232544613f3a04b1be3a58c29570fe392d066099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
58a09a6f3260512e355eca883ef5d85a

SHA1
2e4f3ef0940f9a335c141ec1e8c917c612b7e698

SHA256
3410f2e2ee9746041996ae1ec8686c9326f4df9881589340532e861e035abd1b

SHA512
597a3ffacd5ceabdc89049d3cba46b9b1b035f0f7e6759947b78dd5b4d52e014bab3212e316d970a6d33f41a2cafe11a04f186c4de2aa2fdef2ca62c133e1e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
960775718ccad472f472ee782ac2b72a

SHA1
6751cd5d81470510162336f596b53fe747a24e71

SHA256
e09d0c54570d60241c72e59a692350c6df049753ebc0de67cb9b86591e1ae34a

SHA512
fb4b1e30d68dc0df9adb530fc1fb2f2f1ef7ddd1d67206a8a861e38ae6c38a2abe2f9d5f572f994c71b49414c36e80c76e08aaa7efbc336cb04cb75f48209070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
b3be2dac1467aefba13110ae387e96f7

SHA1
3a78384b0ff5b7ce8bfecd7857f68a86d286174f

SHA256
a92bc3f7d2fdc94292e7e17bdc7b2de6a49c3ca43f03fba5a31f7b6364b48b88

SHA512
aac277091524c2cc97495a251d34c4751c52d3eff37bd79bbc1194055a663d49f5cb08105d21ce5bddc05787faac64421a1c035eb3d34b7816a3bf380f90cd80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
0746d80498f3d7d80b1ed63d3d8a7085

SHA1
fe3ad9990a6dbe2fa00f4daca8f279decabad085

SHA256
f68b07eb8710e627d188684481ec4d51fc27bd0c9bf736655afda48fc855ac39

SHA512
ac8e80fcafea2b05a07cf23e05b396d224d88421ecce1d252bcc899fcdd8e49df74ca1a76538bd556938ae0b9a19b7c0401566809148b2cda9d769c98e2115cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
193bfeb30ffd7416ed619c5feb3ec0ec

SHA1
1c29bc4e46352a70f743cceb1ca83cc474b3dc02

SHA256
307a7135165594c6c88ac3342562ffcd96e709917688a1d9532691868ff5deef

SHA512
ca6abb40739f6ef1e56375b894be7b1bcb894efc287e4ec84660fa97a31b517436e38768f66d105f310d679d29a54065fae0660074986665364e440f129813ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
31fd6d60b8c73bda1be7ddf6df993074

SHA1
cb730689b0ca215137f9cb2405e9ea9f6e2862d7

SHA256
820c13167d579576ef1a41ca2e13e16a94b4ac6a3de229210837a9345f07ddeb

SHA512
2ee35bf9547310a1112877f5d0ef666388f084e4520e5bb82f85e03892686e90ac32e0c64915bd19faa5ae36c16d50a6574e40b17f7319506a644e18a24f486e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cacb88a97f23784e79bab15b608ffae5

SHA1
d9407e13433270e59f54d65b602faef5dd65107d

SHA256
ef6810a4e02a5bb04d25280bc389eb2a983770a87b722769fa3e8d536f446060

SHA512
f90a214b45f3dbfbecd45d7ebd76ec292ec370712c896e8ec20b2cd02dcc14e875ef1ca498adc0e8a1fc30b2070e59fad84045970835ddc809e08fb5d4ce8a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9135d8df6765356d3430de8f3dfa24e1

SHA1
e3db8ff8e4bab2afa5cc1aca77bb5fb6e25f536a

SHA256
60a7f8924d3f7a798f32d32b5d536bd4ce9281f359f04250fa75440ca0878cbc

SHA512
84307516c3fb627143991a8e89eb10c42ef382f429c61b00d737f27cc72dc255e43bae81a8fb8e46e34dbb34256163fc266522fc20136e16a6b52f4f68c1ec50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c58cc1999882c76f997c1d39c16ccd8d

SHA1
648c314930dc8d1c8986bbaef6fd6eaf5eaf3da0

SHA256
fbd9c954146356599d6cd42a50b5e38ba4807a6a2cf669a8b3a1677c75109934

SHA512
74a64c9f4882fa0af658ef8fe19c4c293c73b18e2f95048ce54c38fd3f2c8021fbb6c403e899c7e41a0a75878800eff5eafdc0d4f9aec1f0e3abc620ad58a79d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e891f0942029ca7265ecc06989fc8b4b

SHA1
f912bda5a8e8f1cccef94a7ac0418bf2fb13bb78

SHA256
20b57e26b25293ed3d10e8b0581bc16d91d5fcdc4c026b0e4b07a23c2a22ad61

SHA512
baccd893adcc76c496ac0c46eb5ed6c2d4386d93b67ef73222c24212e765593ef08c8203cfbb0f76d92a53da41e86f5cdf3caf27fa897268589981459afa4608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\11c6ff77-4afa-4908-b6f5-c9360d03f8d4\0c3687917580996d_0

Filesize
85KB

MD5
63b8e945ba2c8801984eedeb7166e151

SHA1
b49b75c388bfc38a52668171d4395707b35648dc

SHA256
ce5b29deb3108dc372124736d83d6358112579783a123cfcfe4b0cc87e89bc67

SHA512
ff98e35320fb5d9ab3782f47a31a24ea4ad37815af098eae1e826e8d95f2cdec2f358d56b55b1ec1397db7577f3fe1c5a491b4f65749ddfa3647292f2f47071f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\11c6ff77-4afa-4908-b6f5-c9360d03f8d4\index-dir\the-real-index

Filesize
384B

MD5
420a0fc9510b249825f53e891da0fc37

SHA1
c4f58c56eed4388dddb7d493e8f44fd5cbb0b287

SHA256
88ca8fe4c948414e4ccd50a9dba7608b90fc5efaa2c92d61027330a0185a28a7

SHA512
a52b78f881da8631057674def7d873a4b95d831d04b46426e352f769ea2265b81b16911568769700e04fd551ccccca9af723868fd65b0b5534170ad55ec8921f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\11c6ff77-4afa-4908-b6f5-c9360d03f8d4\index-dir\the-real-index~RFe5c6643.TMP

Filesize
48B

MD5
fcbf36b63f3a38cf8be3d576cb0e7c12

SHA1
fba67316c06fd652712bbe0c0c8efc7f3773d03a

SHA256
5f478bf867973dde41ac18daccc193430d285bb1301209fe54022fa34ee32e89

SHA512
4cc45217a695091a189192d3cd841dee76e147fd2366ae167f6a91d8faede04d267d9262a085e527987ffee09e5b36889e708115d61b57271fdb23c56d7795e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt

Filesize
123B

MD5
58e2474112d3e9346c73c61ab8094a53

SHA1
778cfe8e6449c826efe884894b8edfee6021d34b

SHA256
45ad2ee4d502fee5c6fc855547c83fba9128e001237cc7378083a12f08b98c3c

SHA512
58f774bf1139732075735fb834d47fef2f19484accc1f80d322a91f10212b931cd7ff286815f16124636a624e53583e9ca1bc8e633fbf3ec0cf50d3e6b4239b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt~RFe5c6682.TMP

Filesize
128B

MD5
879253225c936227b7ca26e463104897

SHA1
3332284f623f41224095230fd77be1cb1b34d53a

SHA256
74eae483dde2dd4ea0f190ec13b701822998c8ddbb5dd8328e05ac434b217d47

SHA512
8162e5b36237a0bfda7ddc129c7baadcce0e95c0fa31982c0c2604c21649fafa1e8604e2a2262f125afd75a0b33910bb7a07ebc5d76303b5156b55de75012e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6666f41193feba7f2516b2f907eae31a

SHA1
10215c060086aa85897c4397f5082a485d1979d3

SHA256
316d478e8ee2db6e4e243a38c1dd855d636a2553b8acd8573f58de8cc8d1cb86

SHA512
69b5e52f7d41af16baa07278acdb48936ff8e6ed5574c77883b7237a6b36cbdcbfe3e48e8f46711bdf261b20afbefd79d9cfe43cfc92545b7890b3cf8443172c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d513.TMP

Filesize
48B

MD5
c2595aacd0233ad4e883162c9ca4eda5

SHA1
11b0b9189aef77e87248c49f3f3c90a6de0d547b

SHA256
10e836364f63501ce86e8182311b3c8f2d45672ab8278e03d6e516649cf9d5c1

SHA512
26038d50146112535085af151f6edd02f6c623ba68dd81ade17b26e31cbece0474c046c599ae25faf69eaa51b6314f0c69d02e619e2e465ba3903c83c161f651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
463f61aaa88cf6857c9fcb2530f7e1a1

SHA1
431149b99eb70ee07fcb56685ea4f7971775c273

SHA256
1d01f01aa9bd795f59250aaf88412e389f6aecd089ca60da9b17b8a8c2d3ef61

SHA512
ff11710317f0b8b25ade27fc5a6ae0c242603605c780ee757c62d26eaa6886891cca2b4732c0a24bf9784e674b006d298763ac569446488819f2c92df32e3d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
ce9491a4934e6b080aa1bfae2d36ca1e

SHA1
18bf01d87489c54a3f1220b255db20841ab71484

SHA256
5ef20827eb1590adb11641726eb26026dc692a1775a7f3c2002e493560b2c432

SHA512
fe146fb8dcb8547844db3c764920b20c4d4f0a200c896b948b6c2bc87e0c57bcc1162b5a979a79a4aa4b64307365d4312216dd29be4b56ca0cb17f5adb89a130

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
ffe2dd1dc400337c4ec5c0954b58c8ba

SHA1
54a959c5b2c840f9dc6b55e77c0cc0292a75776e

SHA256
bead0a06125f92a23431a85cb81504d1ab743510341edc0230b32d72fe94a9fc

SHA512
712d7913ae58d1a75b54827cc5fc15ed3cd4ba784c5f2ef4cdc2e94a320529efa418199e4cde2b98b3f73309a15bcc1cc00aadc01ecb72b070a95b8c699ab8fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
2f7378d39337aeb697449422b7908985

SHA1
f76dd241022cd1cb8ecd63f899adc236c3c608fc

SHA256
935e65f7d2780eaa9750d4accf46f1df39e86d441dd997881b84540a5fef402c

SHA512
e69028e8f777b76e762957c5bffd647cdfb4d274614025d96d3910375c7e9fcb1c3c11adb7e9ee7c3eeff594c4a474796b5a68c768e732d986e95d97190869f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59feb9.TMP

Filesize
105KB

MD5
561d4a2b7f8cd6fccd7f1400f9b06c79

SHA1
6a788dbeae15f2ad07f777c73e1487ff17685f0e

SHA256
433f0ec338d5c6fe5bd87b642e8e71055f8d39fd330cf286725611e971f18643

SHA512
cd4ff99fa081574edcdb8b2f4b118366b2ff16d1c660d3bad201935a73ddbbfc58186e4e3e5d782fcd6078ea2551d4d4f2598ddb359a3d4197016d3fccc2edb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arywnpfk.exe

Filesize
2.3MB

MD5
cdddd8232da357def75dff10433810db

SHA1
db9baea3a6ad49dafd943557225ae0e64cd30f1f

SHA256
844f866e40c6583928887ee90e32d332f9673a7f4aab6d6c933d7ca84ce07d9f

SHA512
453f11b2700c533c01c9887c7855a585cdc2952a046878bb26bc4daee9bde0e969f0744d6f3a81f996a370794715ab660be8c9101470129fd48fe94a29f713a2

Download Submit
C:\Users\Admin\Downloads\Invoice_0615.zip

Filesize
2.1MB

MD5
20f6d2f4fdfae3aa3a2ddc01340b7337

SHA1
b0eaf546678852f5c779f97a8ffe2712a74051c9

SHA256
b800bf14dd38bec0d02bf60b08a34fb603a0c8a2b9e2157083e682b74bd64a0a

SHA512
9594156104d9d809c6b7f5742afafcd3f84890c2111df14453397bba66a02c217e9f66f29c7a4977a0d0ff90fd77f4d7198dbd71c83ab98e79b4b28da59afd2c

Download Submit
C:\Users\Admin\Downloads\Invoice_0615.zip.crdownload

Filesize
2.1MB

MD5
20f6d2f4fdfae3aa3a2ddc01340b7337

SHA1
b0eaf546678852f5c779f97a8ffe2712a74051c9

SHA256
b800bf14dd38bec0d02bf60b08a34fb603a0c8a2b9e2157083e682b74bd64a0a

SHA512
9594156104d9d809c6b7f5742afafcd3f84890c2111df14453397bba66a02c217e9f66f29c7a4977a0d0ff90fd77f4d7198dbd71c83ab98e79b4b28da59afd2c

Download Submit
\??\pipe\crashpad_2028_FQVRVOGVMWLSKFWL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit