kutaki | hxxp://snehalkannaujia[.]com/billing

Analysis

max time kernel
42s
max time network
33s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
04-03-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://snehalkannaujia.com/billing

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

D0M-22-INV-1616.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkvpsafk.exe	D0M-22-INV-1616.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkvpsafk.exe	D0M-22-INV-1616.bat

Executes dropped EXE 2 IoCs

Processes:

D0M-22-INV-1616.batxkvpsafk.exe

pid process

4288 D0M-22-INV-1616.bat
2720 xkvpsafk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4288	D0M-22-INV-1616.bat
2720	xkvpsafk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133539999287927269"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1020 chrome.exe
1020 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1020 chrome.exe
1020 chrome.exe
1020 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeRestorePrivilege	2968	7zG.exe
Token: 35	2968	7zG.exe
Token: SeSecurityPrivilege	2968	7zG.exe
Token: SeSecurityPrivilege	2968	7zG.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	process
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
2968	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

D0M-22-INV-1616.batxkvpsafk.exe

pid process

4288 D0M-22-INV-1616.bat
4288 D0M-22-INV-1616.bat
4288 D0M-22-INV-1616.bat
2720 xkvpsafk.exe
2720 xkvpsafk.exe
2720 xkvpsafk.exe

pid	process
4288	D0M-22-INV-1616.bat
4288	D0M-22-INV-1616.bat
4288	D0M-22-INV-1616.bat
2720	xkvpsafk.exe
2720	xkvpsafk.exe
2720	xkvpsafk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1020 wrote to memory of 4080	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4080	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2260	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2220	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 2220	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 1560	1020	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://snehalkannaujia.com/billing
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffec64f9758,0x7ffec64f9768,0x7ffec64f9778
2⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:2
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:8
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2644 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:1
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2652 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3864 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:1
2⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:8
2⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1736,i,15202216915487709169,16301965590491553469,131072 /prefetch:8
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:440

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\D0M-22-INV-1616\" -spe -an -ai#7zMap12938:92:7zEvent17869
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2968

C:\Users\Admin\Downloads\D0M-22-INV-1616\D0M-22-INV-1616.bat
"C:\Users\Admin\Downloads\D0M-22-INV-1616\D0M-22-INV-1616.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:1492

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkvpsafk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkvpsafk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
699B

MD5
a8ad358a19db74c0cd84ce8d877a087d

SHA1
d3ee11fffdd8436d9a7b1f45f715f0c4c9bb2d92

SHA256
4ebb383f43aa1c41444313123bf760f97e848adbcebd2ea380fe5ecbdd1f83a3

SHA512
b30f157cfae9e3bb4a66810fee50a8798230f7ddce7b0aa706429c0769a1936b27554fd2c603e0ad11d138a0f33d9d2dde6ebc78f14448939ab01a5adcdba544

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1a1daf5782f4c6bdbe650423f05f98b8

SHA1
266dbe44ad70d3aab1a52323315da65ddc984e3d

SHA256
fc31945346afba964684946443d3024264a689c4d93d7b857f693dea21e65da6

SHA512
80ebfa51736b28fb3e114104fda4851d41ca8dd5741dd998ed2456eeeff0d2830213ba6d3ef3e2dcf403d0124cef99d854a90e7d53d44098f8b08645e60d6521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
7813c65f02764c035d1f8ea2a92cccfd

SHA1
e05fed057a9ebd397cd5eba5d482ca964eff0903

SHA256
28c2b80d536e447aa6ffc2676e62d7e0aee1f73b3b57eabb7e16f6438aeba83d

SHA512
1055090dfa2d98754fc1f96445de66e90b76f6ab8f66b0fbce9886f4f5c4b7aa33ed5d50174a57cc84e81e7d85b6489ef6df24ccd03511912b916bd397f37dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
254KB

MD5
75e4b5be90dcd13e754aca2a2d13917b

SHA1
d050209168d03f2f01c4067f494f225e17db7c34

SHA256
94c506a8a2f1887c1af5d2972f0c777777efed83103123cbdfc8e3c398bfb8f9

SHA512
c3eb5ed6dd9c712a7b2ebcd42813af8060b94789a38404fb02d7804d332d924b327578c27682d07aa6179090cd233f99b4a935ce646b79bc06e1925b14c17fbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkvpsafk.exe
Filesize
1.2MB

MD5
2a6cd1d8027513eb52e236083e81720c

SHA1
bc6241a0f546bf83523212b4345cf47f682cdeee

SHA256
4aa654ab8dde8cdf8abaab8fea848834ba375b4b3b7298fea01db8bd41288461

SHA512
96969bf53d2ceb30087b5950b36668a9699489455db46448297ff4abff05eb07221877bf999b6bc39fdcaed1f6fdee7424d82bee8a35bba9fc715b26034230d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkvpsafk.exe
Filesize
384KB

MD5
fc0175fca1c46172eb8c482ac22c8891

SHA1
be3192bd8c095a69f5cdbf60ef3d0ff70bb87861

SHA256
7a427635f30940a3333a7dbae59d1f715fd1ab4fcf84b29d495154262a9db003

SHA512
b98591de67bf547044971253b099814d89a410226cdb09b5649be9a7dd12ff5ab108d0e40c966461004ea348dd35dd971816e225a8215c4b1cfb5368204ad77c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkvpsafk.exe
Filesize
1024KB

MD5
f49e26741599e9f302deeaa1e40c3c2a

SHA1
9ecbe622b5447798cc2625da8bf7fd326bb91059

SHA256
5d83e4730465b7f448732f2beeb51a0e70c2450b0a6540bae9ba261ab4135caa

SHA512
900acf001be72e636ccb5d8a467267627f3aecab5b8f551a57e346a7048867105c2813b81f72fc46b5cbb05ddc14e4c380d8b0e9c27a56bc613244a369c6ff50

Download Submit
C:\Users\Admin\Downloads\D0M-22-INV-1616.zip.crdownload
Filesize
2.1MB

MD5
650ff96f8d8eeb972eafdea0dbca1774

SHA1
3cc99b9379c7ee32267e63a6d4534c97ae06d88d

SHA256
24479a4c1ff26ec73c105e864d49b8fe26cc7ea0edef401b3d9e2d87ff8f99d9

SHA512
e0531b2616e329e1c188d79e3fad5f5ace537eb6f2546d4b5289f7af59739108030d53e8a8691eccb59639de6ae91ffd997e7e1870fea236fe715d5eb464aa82

Download Submit
C:\Users\Admin\Downloads\D0M-22-INV-1616\D0M-22-INV-1616.bat
Filesize
2.4MB

MD5
2812497ecf1a0d3b204e5bc8a5bd4919

SHA1
067fc6e06fbf6f87b5572b6e472d0c47dba27000

SHA256
927931074f1761193ffe70e8bfedd0377410d9c4e5f93850cb73f7a5390820b0

SHA512
ab4dae46352665343d14ff8880cfb7c35ed9c0ff959850db74a65dd1a34f071a65d5a1831fdbceefc513832f18b258c11f861ac1ecef8214469d5888db1cff45

Download Submit
\??\pipe\crashpad_1020_XVJOGEQIZSQMYBDE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit