kutaki | hxxp://lifeinfotech[.]in/kkf[.]htm

Analysis

max time kernel
75s
max time network
76s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
07-11-2023 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://lifeinfotech.in/kkf.htm

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000600000001ab8d-60.dat	family_kutaki
behavioral1/files/0x000600000001ab8d-61.dat	family_kutaki

Drops startup file 2 IoCs

Processes:

Payment Channel.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osbyfnfk.exe	Payment Channel.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osbyfnfk.exe	Payment Channel.exe

Executes dropped EXE 1 IoCs

Processes:

osbyfnfk.exe

pid	Process
196	osbyfnfk.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133438155618800315"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.execmd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exemspaint.exe

pid	Process
4692	chrome.exe
4692	chrome.exe
2768	mspaint.exe
2768	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Payment Channel.exeosbyfnfk.exemspaint.exe

pid	Process
408	Payment Channel.exe
408	Payment Channel.exe
408	Payment Channel.exe
196	osbyfnfk.exe
196	osbyfnfk.exe
196	osbyfnfk.exe
2768	mspaint.exe
2768	mspaint.exe
2768	mspaint.exe
2768	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 4692 wrote to memory of 2316	4692	chrome.exe	70
PID 4692 wrote to memory of 2316	4692	chrome.exe	70
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1452	4692	chrome.exe	73
PID 4692 wrote to memory of 1264	4692	chrome.exe	72
PID 4692 wrote to memory of 1264	4692	chrome.exe	72
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74
PID 4692 wrote to memory of 4256	4692	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://lifeinfotech.in/kkf.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffde8399758,0x7ffde8399768,0x7ffde8399778
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:2
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2728 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2736 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3960 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1916,i,2425041584165954896,10888639109769066266,131072 /prefetch:8
  2⤵
  PID:2108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\Temp1_Payment Channel.zip\Payment Channel.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Payment Channel.zip\Payment Channel.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Modifies registry class
  PID:3196
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2768
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osbyfnfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osbyfnfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:196

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
563041e95ff2835c820fe63c400ca467

SHA1
56c9c25b573846bb76ba2391e199dafb07d97297

SHA256
17ed0034f4cb161f8338a12aba8b9ee0b5e0e94fcd34339d771330f0af89d0d1

SHA512
99767fedf6acb4c20d99a3304e20c547ebd307cca547f6f5f1154b3502f09f0ab98fd1e7ca5df95cb73b59c9c4aec09e6303865efe72d227866f1966b6758da9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7bc2f33233bce0f9e5a603c9f5e04173

SHA1
8b5b14e906897b4db3dfd5a21080989fdca293c0

SHA256
70c94d4b8ba246e087f7e5ba398b9c1e10ff91dd80edcf9db3e648a1e2eb1d39

SHA512
014b58871473c5425b25934d3af12cd96cddb4ad717bc778e4fb6723da550e5ec3bb0fc3477578c33e8cb2122721ec970d02b34a71a77aca1f6d92b2d7156b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
76fd614c1ffb45a9c56240c2fb406563

SHA1
1faa874b68de2bf4ad7e18e75e82ab3972cfa860

SHA256
1a071cdb562b5e9aadab4da6f9c8849b0fecdefaeb6ba668752333ef1bbe17e8

SHA512
6847ce4c6b071d3f093bdc95f2bc8f6fdc4a31bf73f11c7d1fd34568c43c211ec376bf83c81cb1adba7136fdf194a1356cc9656152919bad9dc4e72e505d9296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e903f60f6a64d186a86803a660740fcb

SHA1
5528bd7b7fc02d39f0f0e58304705b81516b370b

SHA256
a547748b66f2fa6d1daee1c05bb4f2eb7e17efef4050461d451b1e709ee8589e

SHA512
275d6025eecc9212fd6c3a252c09e2c92408075ce1aa154d7cc03f3758bcc4085d66637318d1c73d0cc7e2b9bb2a3400141cc0c8e907c00bdd8509eb0599002b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
106KB

MD5
d2494e20dd004b27ef4427707e61a501

SHA1
278c95d79c6637ca40ed103ac7c19cbaf1440b0c

SHA256
8f3b3de6943930ad3ba0ad02e85ca378528c6e6fa7e2075f2b298c308360fd63

SHA512
7a3c5be785303e149d545d00ecb311da6248b66973fc8ed04c4f50df7554e5ab988e3a879afabbae771985bcdcd2e072bfd61f862779196e899279841898c3fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osbyfnfk.exe

Filesize
501KB

MD5
646849ab728ff631b3c70480638e6a2a

SHA1
8f9f70ef43add2a45e0a2430b2d9680616faef8b

SHA256
b8e4bcb3699104e49979cc86b84ce278bd6b9b392d65d465ac1acd7808ed0db0

SHA512
32f0a0949c33e0b34239581bbb86d3ee42acdaddc9856c78a55b88924dcade166663e2c8345040dbc2f383b74ebda88e952d9091643d8a7ea8e5d1fd82002de3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osbyfnfk.exe

Filesize
501KB

MD5
646849ab728ff631b3c70480638e6a2a

SHA1
8f9f70ef43add2a45e0a2430b2d9680616faef8b

SHA256
b8e4bcb3699104e49979cc86b84ce278bd6b9b392d65d465ac1acd7808ed0db0

SHA512
32f0a0949c33e0b34239581bbb86d3ee42acdaddc9856c78a55b88924dcade166663e2c8345040dbc2f383b74ebda88e952d9091643d8a7ea8e5d1fd82002de3

Download Submit
C:\Users\Admin\Downloads\Payment Channel.zip

Filesize
336KB

MD5
800999621ec6036d4ca4070733a1a76a

SHA1
53ee4f63acd929f3a74f91367535015643f2fab9

SHA256
4e95c654625af3c239740b6d8f1799d5ad938bcb9404d2935c5240c22985d76b

SHA512
3e6509d958f07bf925655996674441c33deb9b92c367b9fbd33f8e942a2b674104eacb8f4ce9df5e34c8cafa83e9366d65ef73021a15a4c8f291e6e71f207a58

Download Submit
\??\pipe\crashpad_4692_UAIYDUTHALAJJCTB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit