kutaki | hxxp://medicabinstruments[.]com/rydbhs

Analysis

max time kernel
299s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://medicabinstruments.com/rydbhs

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Inv No 9065.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xzmjolfk.exe	Inv No 9065.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xzmjolfk.exe	Inv No 9065.cmd

Executes dropped EXE 1 IoCs

Processes:

xzmjolfk.exe

pid process

4220 xzmjolfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4220	xzmjolfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133475857227567999"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3064 chrome.exe
3064 chrome.exe
4788 chrome.exe
4788 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3064 chrome.exe
3064 chrome.exe
3064 chrome.exe
3064 chrome.exe
3064 chrome.exe
3064 chrome.exe
3064 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Inv No 9065.cmdxzmjolfk.exechrome.exechrome.exe

pid	process
3220	Inv No 9065.cmd
3220	Inv No 9065.cmd
3220	Inv No 9065.cmd
4220	xzmjolfk.exe
4220	xzmjolfk.exe
4220	xzmjolfk.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3064 wrote to memory of 640	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 640	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3340	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 4752	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 4752	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3652	3064	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://medicabinstruments.com/rydbhs
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd67a49758,0x7ffd67a49768,0x7ffd67a49778
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:2
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5384 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=884 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5448 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2840 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5548 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3008 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5664 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5848 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4724 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5700 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=824 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1732 --field-trial-handle=1872,i,15915879790424613796,3536113847715197442,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:532

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1056

C:\Users\Admin\Downloads\Inv No 9065\Inv No 9065.cmd
"C:\Users\Admin\Downloads\Inv No 9065\Inv No 9065.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xzmjolfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xzmjolfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Inv No 9065\Inv No 9065.cmd"
1⤵
PID:4456

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Inv No 9065\Inv No 9065.cmd
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
201KB

MD5
e3038f6bc551682771347013cf7e4e4f

SHA1
f4593aba87d0a96d6f91f0e59464d7d4c74ed77e

SHA256
6a55e169bc14e97dfcd7352b9bc4b834da37dd1e561282d8f2cc1dbf9964d29a

SHA512
4bee876cea29ad19e6c41d57b3b7228f05f33f422e007dc1a8288fd1a207deb882c2789422e255a76c5bf21544f475689e7192b9a8a80dc2e87c94ee0bc6d75f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7060cbe39a3c26e9769e8b1fee154253

SHA1
83956e1d46e0c90a9ef6acda8fd2f61e2d55446a

SHA256
b86641dd3d2ad63b74be1df62c67c9bd79f4ceadf4da89415daf600beb7e8cb9

SHA512
ec6d6b63ef0c560d1140d0b44d8a3140e9f410a0cb9b34ff1bfb5f8a7c352fe08c055a373ec9c9e0b7bbe48d60655df84fdc20a138dd9256f05f60aaf3251c56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c3a04bc61c290696e9fb4030ad3c20fd

SHA1
3eb4398412f13c9a59046c9925777b93e2d2e375

SHA256
c528872d4767b82f5cecb1a6c88ac966b39589f302869dda99bbfc188d51d8c7

SHA512
ba919943570005366a3c3ad0e951025988010d4db499d866f5a854d0260e79666e4d8537e89c46674e074c543c9a6abc8008fb98bab3eeac580371c6bd68c514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
852dd438669b75945c9c650137d8e3fa

SHA1
87feb0934f87c0877a7a6dab559fbb34fe5b1d25

SHA256
ca2d2dd0b4e6d8b643c12f7c1ba7ec2dc21e158c5007d68e4fbff032c9efdfad

SHA512
44a9998f01723358e2eb5bc06b18f90a9fbbb116292336ea64a7cd7dd3c6d961ab34e6243fd7b341e5b6b4de71fd7504958bae6dd7c8c046ab0b0b12fe58f233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
79ab5ae0629583ce794fcef35d8f31f1

SHA1
007fc96cff911ce3f1e4f3d99c2277621e7a0fc6

SHA256
1e629985f163435201be463d95e6cc6bad458989f60aa13c28472ff0c7f5bbe1

SHA512
d550a42e62de00ab89ec984fa0a18752add15f7c081a305aa89ec2bef97432eff0e2879911cae2bc7f01ace18be216b6d2a3044035c545de2a9357934c8d3ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
228945f986d6431f6947f4786aef2f4b

SHA1
09d1904f66dce6c0a8f11fb4c854db3743361267

SHA256
129b7a33da6f836688fe50e7bccd1c1bb23b841662c3af2e5dde29507b071688

SHA512
e55b16ee6d4ba71b39e8ec4664b0d71cbe280142e241e3e7fceb4a466dcbecf4cb6bd4061287132f003f0db12ccc5370ce1f0f945b67aa9ee93cbdf331ea91d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
add3fed8f61101fbc198a46722eaf8dd

SHA1
d32821cb563cb6a94a9d632ef2aa149d9e7701ce

SHA256
308ff4472a08d4beb3dd9d98d2bd07ffbd4aec905ae12c5afd043ac7ee97c0a7

SHA512
8fe0f8261985d799ad5a70892ffddcee74e966b735c79738332413478f0194f865af817b4d284b035f7ee534258dfa285156397164062f1b9ba14e4162590172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
01621cfc72c050ca232f9c8fbe83f1d6

SHA1
3563c3b2a3e6b776d5e769bcc2f065e6705c35bb

SHA256
65acb2dd4666195dd4d0412ee50d9d1fa230b55bc3d765c02ead57a530d69af0

SHA512
6c1e483b48ebb1e098f9c7a1297b8e88ad9a2c545bfa46219e790ae305bc1c9653d4e80ecff06b9d69225cb5fdbb3f475cb00f47c2c1c9d2faaae4f434210cd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
911a8d07604e3943ab55df5051c64e89

SHA1
bc743eb6e05075d68d5bc6264224e274b3950c82

SHA256
2ea018ffe30291239286c614bf1cd442e6b0af6b47543e02de9436ed50a80011

SHA512
0da358a6e310b49f9ff68e12a7ba85e041e2a678c57fda9687125261c229db3c6e258274a255ef1d6baca32d5af3a626faff66c5756eabf3cfbc62c805ead7a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f98628c81d97d2898505fac7412bac9b

SHA1
ab8f3cf7f8116304c39ef33006f5e7c616f33041

SHA256
31c225a8afac1e2b837a551ec9e3ed3f3f06604d281c56ed8b934956b0c8cb2c

SHA512
0a3d4aabeab1d92e18ee0f092fb3dbb4e561d3f5beb5fd17b7f422eb485d1bc9f0759362dc141ee30a39c3d8db4f05698349048f560b6f93a86b3ede6f0ad3f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e000dc1793a4ebbcfd8ce17cc737aafc

SHA1
b248d6e900a463fbc6a287d524abd8c8af292cd4

SHA256
29b2bd00e54c9b3cd938f93fd7f65f519c96bf07745256b2c40f238b3bc792fb

SHA512
15200e2ba3f710ab057dcdd17ef65b8aa366e6b65ab6dda36716662f24e7a447eabb2579885c0dc1771d7444d3ecad45cbe3c42405d0a868bf749085239c61ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3f6d47a44a9750ce9473ee4576dd860a

SHA1
ab5af44245605588b81b9fc5a89482f897628ae5

SHA256
a44b7e69ea01805cccfb9404a58a1ea9755caa679ee0b342c0aee08a4d8d331e

SHA512
61a479b1a1dd07dfe88b28e4747794049654459a469daafe388c47d8c5b8185a2d4b4b9e7ed1e7a23c6db4e4f2db7777fc615717d27d58188ae7453237f109c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3712bf4afdbc15b1a49a3e50df6ae1da

SHA1
69cb901f7d3cbdbc8acbee7a2b69f4bcf34f453d

SHA256
7e4d3a22a8a2242b9bb197b9920a25859433a42b82fe6bf9d59566c9f45608b5

SHA512
4b8b84644e205a52f65796c0f53c8b1e4ac57835ab7c08d07039a239391aa69d3800a264c1752b3d446d0df0436cae9ef55574f811f90f2f6f2b1d643687f3f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
38a61ae97210b9f0d8ce7c193d4dfab4

SHA1
8c50165de20b336193ff14295367ae82d0f866d4

SHA256
5d41463cfb4ad79009913afbfc3cbc21dd0bcba104525980f971d71c3048e10d

SHA512
23586a80fd2e94ffe00b6577c859ca7f5b95f21d27b648ccd727049f71ba016cab6661e53807f7f49fbbc96c6931874295c29e2324ef274e4793dbf3c7595930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59d150.TMP

Filesize
48B

MD5
2e64daacce533c68b16786dae9b73816

SHA1
7274e628cda53aeede4839ccd1cb54b615cb1c28

SHA256
45827e10c65abb1e9fcc75feb8b2ec2183ae0dcf88b75b236ebdec6669a7ba02

SHA512
463ffdbd610dc9fdf81bbc78c33e7f6d27b4bb30eaf8eadd2c472396fa8899ee1317ee6c5cc6d703b45df5c30ea93acd00925d06b97bbc3535fc46f97e733e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
e322b484f2481c0d5971fdb474253455

SHA1
d43790f5fbba6fb39b1d32fa2ed2c20640089a72

SHA256
27ba3dbc1d906e569927356d1290d39eacdffe8b7252648ddc391a51becf9bbf

SHA512
e57c3cf667294ea34be68acafae60deecdf60388224b84ea71a7aa3c3c1e9da488679a9b7681def0a58afcabd2eca28b3c9faf309d123c8bb62a2bff3996cf48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
f2d80c7b543f74bb7da527d4c04f6750

SHA1
fdca03f56543b15d25b6069066404a1c65551523

SHA256
5b3c0d98beb1864f91cb79430dcc6b2dbe19ab83c716d70af7ab5ec3fabb3eb1

SHA512
a0bc6bdac000265955b6580f8f64d3a430cd31ab41e196c56ffb1bc0ed743bcd4ded6f291683be2352a6c31b7fbbff15a23a9907b6c4bbaade00130e8160f2f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xzmjolfk.exe

Filesize
2.3MB

MD5
2967396a052c3318541c3c30ca7769de

SHA1
08d0737e961490f5d814550a80e5bf2ac092b20b

SHA256
6db72aeee1802c7f1bea8daf5b15650d885a99394f170dfc53d27620bacbf519

SHA512
78c358e2645559f7d4e838f121ef8b3e1e253535ff3fbd0e3dea30d5e18dc6a82b7cc46363e7f76400ee8153645dac929d6744dc21b181a9ff990a6e6ef052ad

Download Submit
C:\Users\Admin\Downloads\Inv No 9065.zip.crdownload

Filesize
2.1MB

MD5
a3c639af8fb0daa5d77588659b8bdf38

SHA1
3e3d4bb4668f3121ce381266489c172038880b6e

SHA256
a015b534f10731e1f6a472b8008b4b78aa2a9ee94ae8e7814c9d74b81605610c

SHA512
d91504792409ff0f6263faf98b9c399ec50586c3ab4ca649b532d5e5941fcb4be2b2361cd9c3fd4b097c7979570eac5d98cf8896bbac67519f1d67462f55b943

Download Submit
\??\pipe\crashpad_3064_BLBXWAMQKKGPGGVT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit