kutaki | f35a17872d4cfcdf2e425e1552bcfe20389232d58157b117185c2ee810d4aa00

Analysis

max time kernel
300s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VISITOR.htm
Size

205B
MD5

0d9e328d36728020df58014634db4fa1
SHA1

4468af9b6ea60b08abfc1d7fa7bd575c98dde46d
SHA256

f35a17872d4cfcdf2e425e1552bcfe20389232d58157b117185c2ee810d4aa00
SHA512

05a5a82ad73e0bd2d7c23a943c9ec936e500c96fe0d6ec5008276cf5cafc73e8b79bbaed5f99362a3827168d196faf90ef7a4d0b1dec7264c5f14fefb7397adb

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 6 IoCs

Processes:

GETTING UP.cmdGETTING UP.cmdGETTING UP.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe	GETTING UP.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe	GETTING UP.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe	GETTING UP.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe	GETTING UP.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ngqdklfk.exe	GETTING UP.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ngqdklfk.exe	GETTING UP.cmd

Executes dropped EXE 3 IoCs

Processes:

piimdofk.exepiimdofk.exengqdklfk.exe

pid process

2256 piimdofk.exe
3480 piimdofk.exe
3288 ngqdklfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2256	piimdofk.exe
3480	piimdofk.exe
3288	ngqdklfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

388 taskkill.exe
3836 taskkill.exe

pid	process
388	taskkill.exe
3836	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133334377819135214"	chrome.exe

Modifies registry class 64 IoCs

Processes:

notepad.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "9"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 200000001a00eebbfe23000010009bee837d4422704eb1f55393042af1e400000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5e00310000000000ea56b825100047455454494e7e310000460009000400efbeea56b825ea56b8252e0000009bda0100000008000000000000000000000000000000b6e52d00470045005400540049004e004700200055005000000018000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "8"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Documents"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1740 chrome.exe
1740 chrome.exe
3256 chrome.exe
3256 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

notepad.exe

pid process

3828 notepad.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1740 chrome.exe
1740 chrome.exe
1740 chrome.exe

pid	process
3828	notepad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exenotepad.exe

pid	process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
3828	notepad.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

GETTING UP.cmdpiimdofk.exeGETTING UP.cmdpiimdofk.exeGETTING UP.cmdngqdklfk.exenotepad.exe

pid	process
1052	GETTING UP.cmd
1052	GETTING UP.cmd
1052	GETTING UP.cmd
2256	piimdofk.exe
2256	piimdofk.exe
2256	piimdofk.exe
2936	GETTING UP.cmd
2936	GETTING UP.cmd
2936	GETTING UP.cmd
3480	piimdofk.exe
3480	piimdofk.exe
3480	piimdofk.exe
1208	GETTING UP.cmd
1208	GETTING UP.cmd
1208	GETTING UP.cmd
3288	ngqdklfk.exe
3288	ngqdklfk.exe
3288	ngqdklfk.exe
3828	notepad.exe
3828	notepad.exe
3828	notepad.exe
3828	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1740 wrote to memory of 1516	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 1516	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 3128	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4988	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 4988	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe
PID 1740 wrote to memory of 2164	1740	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\VISITOR.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b73c9758,0x7ff9b73c9768,0x7ff9b73c9778
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:2
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4004 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4976 --field-trial-handle=1888,i,14844601214078343937,17408604318705232355,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\Temp2_GETTING UP.zip\GETTING UP.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_GETTING UP.zip\GETTING UP.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2256

C:\Users\Admin\AppData\Local\Temp\Temp2_GETTING UP.zip\GETTING UP.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_GETTING UP.zip\GETTING UP.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im piimdofk.exe /f
  2⤵
  - Kills process with taskkill
  PID:388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3480

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Users\Admin\Downloads\GETTING UP\GETTING UP\GETTING UP.cmd
"C:\Users\Admin\Downloads\GETTING UP\GETTING UP\GETTING UP.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im piimdofk.exe /f
  2⤵
  - Kills process with taskkill
  PID:3836
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ngqdklfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ngqdklfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f980038b901158fb89a09ff7999a927b

SHA1
948da440674efdd4b3a76e6261ff56794d5af360

SHA256
dbbe33420e9e45f07f1f9b0300d35006a22612bc5fc14abc3eda2b98c2b533f9

SHA512
a7a8f840a00280fa3ccff6a960b21f9693d6b9cbfa20e1ce06c172a98acd2e8f2bcff758f6b044c396569c5d5f6f48ac248bedc6e1d9fa6d8d49293736cccab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6bae50f2a49a2c81813d6a6bd5c43ffe

SHA1
7ecebcdca29d7ba939c098ece7ffcf79f854919e

SHA256
85609a1e0a884c7fe54ff938989ab2777401958a33299ce61a5d9ae1023dca8c

SHA512
b751d7d8fa2e4a1fbf7cbe749d958e626fb520bebf7ef01f01e1650313ecbf0b88f51ac092f4d890bc769d23eae23357f92f4e8eeb1ef9189c2019581b05c392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
42a0e8ea8be6ac7bc111458488456a6f

SHA1
16ae29972ab1d02d174f562daa20e6d7ad008cd0

SHA256
38fc2438a377004ce54c22b6b9797ba32b2dbb084426ee3bea9f2dd4a597a819

SHA512
5993065b2431445cc950bd118a83d6472982c480b1d462810d3211597283ed2609bb3e38c6cda4e147216f3b2c2ebee77b1ea89cc19b4d183d20b27d96c2925b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
3d3d9b32765340f002447200633f7ce4

SHA1
f1c0a085d5e9d20cda606d21abd3ea7d50876536

SHA256
9df8190e532eaa5adf0870589b752c00caf51de8f42d58a16f4b1f4f94fde814

SHA512
7392f8a534e2ae9272ca3b486fcc402162ef0399afac68088baf98f4c5d1232de9ea8b99440b9a79392f995c985da036cc9842bf72a9dfb62d3083de21698c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d61c.TMP

Filesize
106KB

MD5
503c1fe4f5b6f80594cb041f4946653c

SHA1
2893c2999761e7d9080831b94484d651f47f566e

SHA256
0ea289c4ae6f49e7e742a9bdca34575343975a397bd52f596cd2e05c217d42ff

SHA512
e991063fab8d3d813aafa364de405d63c662c574767b2663358195c4ea212b8600cb5e45c45bae666a7f2c34b3aab7d1760fb019675b6bbbf8dfd251865556d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fb9f4894-6964-49af-a431-4a75e503e1ea.tmp

Filesize
172KB

MD5
fd3772b7879dd665ac87d80aeaf9798e

SHA1
d3a1fa2c30d6789683a717aeb0a7a2120a809124

SHA256
57a78057361ddc3ebbb6cad19071b00267079acbbc9881ac60c32b871c5ee0a6

SHA512
ee22f5582a53def9f0c54a5d84cc1c62d2c84030d7b589244090667dcc3d9461d5ef06ae8784f79cea9d5b1635da4f212ac3a4fac9242a613e2ff68995fc3e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ngqdklfk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ngqdklfk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\piimdofk.exe

Filesize
2.3MB

MD5
b9c876b131b9916df5a95e017e276fbf

SHA1
5026ca0ba6b4301cf0353e737f60cac921c5190f

SHA256
73077188c541952e4cee319a28243793d2bad1d8f1669e5d744bb55733a1ef31

SHA512
88c33d30c445ac218bffdd8e282a8d04685dade95ab2c912f41b6c41b97ef308e2efa4fd17d257946b824d3bb510432f0553765abdb57b07d716d6dc29c9db7c

Download Submit
\??\pipe\crashpad_1740_OFQANJIVNIWHCZSF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit