kutaki | hxxp://raagamayuribuilders[.]in/jastef

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2023 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://raagamayuribuilders.in/jastef

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe	NEFT_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe	NEFT_Copy.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe	NEFT_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe	NEFT_Copy.bat

Executes dropped EXE 2 IoCs

pid	Process
4496	dwjflgfk.exe
3908	dwjflgfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3456	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133379266664518420"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3220	NEFT_Copy.bat
3220	NEFT_Copy.bat
3220	NEFT_Copy.bat
4496	dwjflgfk.exe
4496	dwjflgfk.exe
4496	dwjflgfk.exe
4472	NEFT_Copy.bat
4472	NEFT_Copy.bat
4472	NEFT_Copy.bat
3908	dwjflgfk.exe
3908	dwjflgfk.exe
3908	dwjflgfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1776	3500	chrome.exe	80
PID 3500 wrote to memory of 1776	3500	chrome.exe	80
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 2612	3500	chrome.exe	82
PID 3500 wrote to memory of 4000	3500	chrome.exe	83
PID 3500 wrote to memory of 4000	3500	chrome.exe	83
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84
PID 3500 wrote to memory of 2024	3500	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://raagamayuribuilders.in/jastef
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8352d9758,0x7ff8352d9768,0x7ff8352d9778
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:2
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2892 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4576 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3212 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=988 --field-trial-handle=1880,i,4742165303270089900,5974761941195223035,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4496

C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im dwjflgfk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1009B

MD5
b7c94d9019e6ccfc944b8a091dab5a20

SHA1
eb5d705293e763948bb333b1917866c38a17576a

SHA256
3fe1eeae28ac1550673963910be0c4c5bcf812abe7d0b4e518fe145987d717fc

SHA512
5ef991689bb8ad8e5c4d40bad1042fd7c97f0b742e47b692b3866da0a822769b57b5256f21f12a597ba6a2d0d98b12ea7bf46b2dd3837b8ba982b53414bf143a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
b2ce533ab0a1f6dbb3cf3111fbe1e1e4

SHA1
c39e22763a5a1a52ed7132a6a28e297e369e4695

SHA256
ee02fb6dd1dda5f3ef33d3dea549fd31d5466edb81601ef2a8c6bafe925aa77e

SHA512
36f8342b5e54f227fb49346cfc0961fff66550795d8004f63a2f03aa7c13a2afb7a63eea7deb8ece3af8ab12855be7f588247dbbf3d2b96b57349d295af10f53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f02e1c9137d28d462afed794677fc9f9

SHA1
161be7ab1c1990c33183b39981d507327e729ed0

SHA256
0e0249fe4b283491752bdfbb593b952faec453ad8d1424dd75968bf016ad4d38

SHA512
927eadcd71ee32fbde30736cf464610d4a0a00cbf7b34b4f1a93b1a3c936c49d2222e525176ee41a082ce5df454f6603e7e76aa296e40361363a6adcd1617b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
11945efcdcdb93fd96818db1ffceca3f

SHA1
3cbe3e22bbf4ea21f9b81f536131a8ad63e24f4d

SHA256
b80c6b51d4185a4fd7648aab3b161cba9d2025c22edeac28ef43f65edd1e186f

SHA512
b916ab0800e3f9cef8e9fd15de50aac53dfa7f22dcf06df058e0da5ebc7006f4548a282735f776ec821eb4aa1ebd945cf1e4655ed92821095327e9fba13ebd13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe

Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe

Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe

Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwjflgfk.exe

Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\Downloads\NEFT_Copy.zip

Filesize
2.1MB

MD5
d0f2c2de0407cefe7a24c8eb22237a61

SHA1
a46ba89e46a3d04fd9c919837441625ddaa4febe

SHA256
23d3f3b9c74b6707db237bdfa797d7425f18938614051ddb633712a42e7f3c96

SHA512
c59e010a958a1f714bd064592d6b0f26619b2efc879a1b8496d6132a598aa5edddec2e6537c34b1944893926f7664a989bf8df752f8bfffeabae4d3f7fbfb3e3

Download Submit