kutaki | hxxps://savitriinterior[.]in/drf (3) xn--80asnep4a[.]xn--p1ai

Analysis

max time kernel
299s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://savitriinterior.in/drf (3) xn--80asnep4a.xn--p1ai

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki
Kutaki family
kutaki

Drops startup file 16 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe	TRANSFER COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe	TRANSFER COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe	TRANSFER COPY.cmd

Executes dropped EXE 8 IoCs

pid	Process
2924	oyqlonfk.exe
5080	oyqlonfk.exe
604	oyqlonfk.exe
888	oyqlonfk.exe
3648	oyqlonfk.exe
3276	qfndjkfk.exe
2820	qfndjkfk.exe
456	qfndjkfk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oyqlonfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oyqlonfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oyqlonfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oyqlonfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfndjkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfndjkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oyqlonfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSFER COPY.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfndjkfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
1132	taskkill.exe
4500	taskkill.exe
1344	taskkill.exe
1764	taskkill.exe
4412	taskkill.exe
2984	taskkill.exe
2224	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133787923109459601"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
5036	TRANSFER COPY.cmd
5036	TRANSFER COPY.cmd
5036	TRANSFER COPY.cmd
2924	oyqlonfk.exe
2924	oyqlonfk.exe
2924	oyqlonfk.exe
100	TRANSFER COPY.cmd
100	TRANSFER COPY.cmd
100	TRANSFER COPY.cmd
5080	oyqlonfk.exe
5080	oyqlonfk.exe
5080	oyqlonfk.exe
2668	TRANSFER COPY.cmd
2668	TRANSFER COPY.cmd
2668	TRANSFER COPY.cmd
604	oyqlonfk.exe
604	oyqlonfk.exe
604	oyqlonfk.exe
4588	TRANSFER COPY.cmd
4588	TRANSFER COPY.cmd
4588	TRANSFER COPY.cmd
888	oyqlonfk.exe
888	oyqlonfk.exe
888	oyqlonfk.exe
4868	TRANSFER COPY.cmd
4868	TRANSFER COPY.cmd
4868	TRANSFER COPY.cmd
3648	oyqlonfk.exe
3648	oyqlonfk.exe
3648	oyqlonfk.exe
3612	TRANSFER COPY.cmd
3612	TRANSFER COPY.cmd
3612	TRANSFER COPY.cmd
3276	qfndjkfk.exe
3276	qfndjkfk.exe
3276	qfndjkfk.exe
1972	TRANSFER COPY.cmd
1972	TRANSFER COPY.cmd
1972	TRANSFER COPY.cmd
2820	qfndjkfk.exe
2820	qfndjkfk.exe
2820	qfndjkfk.exe
1688	TRANSFER COPY.cmd
1688	TRANSFER COPY.cmd
1688	TRANSFER COPY.cmd
456	qfndjkfk.exe
456	qfndjkfk.exe
456	qfndjkfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1068	4948	chrome.exe	84
PID 4948 wrote to memory of 1068	4948	chrome.exe	84
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 3508	4948	chrome.exe	85
PID 4948 wrote to memory of 32	4948	chrome.exe	86
PID 4948 wrote to memory of 32	4948	chrome.exe	86
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87
PID 4948 wrote to memory of 2860	4948	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://savitriinterior.in/drf (3) xn--80asnep4a.xn--p1ai
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd5e5acc40,0x7ffd5e5acc4c,0x7ffd5e5acc58
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4336,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=2052,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1144 /prefetch:1
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5344,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5496,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4968,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3552,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4592,i,4090886495566212944,14739195347589860509,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:1504

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2924

C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im oyqlonfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5080

C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3276
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im oyqlonfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1344
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:604

C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3664
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im oyqlonfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:888

C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp2_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im oyqlonfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3648

C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im oyqlonfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3276

C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im qfndjkfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2820

C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSFER COPY.zip\TRANSFER COPY.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSFER COPY.zip\TRANSFER COPY.cmd"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3832
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im qfndjkfk.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfndjkfk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d6cc7b6c7e456645b84114b5b6644db7

SHA1
e24f6319ead7e61164afb0f6d5318ca6dc36924e

SHA256
5bec192bef72e75919b0b618d5b5274c23ec556ea66a2664c927e39bc62a1394

SHA512
10a931a63248a4a5425d933c47b5c86b3d2c5d73ab60a375e069d48977e6e93e2f2fdaf489c72cd3cbbe93b8cf18e8e0324620839d4cc413d06add496a74ecf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
70bb7e17292c31051fc562cc2bc0fa81

SHA1
2a4d207870a3bd3c71303cc19e302c45af48486d

SHA256
14b4bd5e1cdf006fadcbe74530f8b76844d4c3e0d8883bc5d59aed3c93ebb782

SHA512
6e070d487ddd3de09f53aa0399457fa1ae7b553a0af70fde36e53f8f3f3455bbba3af6b1cc8eb9b3798d6a4de85ad87eb60c3854dd28ac6e4550a3591f12a69f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8e03bb6a19a5c735e89ee7c916d68023

SHA1
4512e97770f94328393e23d8c80ee5a9a6a279ac

SHA256
7fb9225e8e2672ae270e4e56d67ef39de54902249acbc703f4ad6ba6a598e6fe

SHA512
dcc7db2353e2c2084319c0524afc7d41581afea5dcd9bec7ab8a8c0c518cbe38172057fec6bdbb2cc79959324a9d215d417d85eed05fab3e0fb7837360f0bf96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
22a66035beb2215c9041d496272b4115

SHA1
f0d51b0fac7833af5c918b0d41cde06c246bcd5d

SHA256
bfecb111b43c17d1ab4c5a6bd5572bb13c148b438408c332082e77bfcf20a694

SHA512
2122ce851b12d8468a6d8eff9c3f3c5edf15628484dccf278b3a3775de28ee64c49e68cc6b37597ff4a2287091e49cee50e147f460fe07b839b17e157b458b6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1ae01ab149f9ae6964176db0ccf98e89

SHA1
9e17823ce0fcd269e38ec8d9c10f4502545f610a

SHA256
aa10c745e82aad355104c85d651ce7bdfdb9fc8cd63783e0ff4dc1203840e798

SHA512
906fc584f8d493203dbd96bbad36a660ee7953a986674fe4fe572b61893ee05e429ce2baec007ef8e21b87fa4e2ee9f5bc572ec8c0cab2207787855ff6882342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cfe296d8db56116c5c300c6753e4e2a5

SHA1
0c13819d0844aad731daebe4e9fc5b3441aef498

SHA256
15fe5600a344298e1032134ed8596c2b34a512c4f4c8e72da27dbeea672cb8d1

SHA512
fb721259eaa9ce6a26445262f4d99bcc1e6f2f1ab72f13d49a2da61cea551cdeba5d8fe43bcbe6d047685127433ba5d58116c8e8af4f27d228b364825d80d8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9db5f29a406fef584934a23c1068ae3e

SHA1
c10cb9a8be40a1c8e6083a967c1ffc9778964103

SHA256
b821504aaf14a4b74540d3f96504283cb5b174143405bc650b911f0dab92de47

SHA512
571986329a50764995ba4900cdd70c671b7eb28a1b73d275d112c29e97e5c4006d49b023522b2fcbc29e5011009672a68b4ba3560126f0d5070b9c6963a631b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8ebd41f0510bb349f974d572f3145b5c

SHA1
358a517c26d2a58883196e7406be0a5a6836f5d7

SHA256
5fe9fd6b959117437df2f7da33f74dcbb5d502990746e5893cde2d72983811bf

SHA512
0fa8dd02d47a195feca19f85886a9e01974b31176e37de19945489cb9931142229d184135ab2a90f12c70b3361dea1881b4d24342bbf96623088ae3d6c3484f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b2f3ed78580e19c6b56cc3803130e20f

SHA1
3cf3762fa77c7222e160569a42388da17786e130

SHA256
3d684bdd1bd5edfc23463e32588515d7d7440044cea3e696d53df9e79b01717e

SHA512
7df8f23e359b405c8e38a32625b793962b51f26c12a930153cef6bd4ceee21a087e8d00cc44ee1373a224082f6460bcd900a9fbd37c403de7478bf469503b489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
31f600a6b10c196f1719c4054cfb803c

SHA1
6cb8241afa0a4f9775039cd633ede4e48e0fe691

SHA256
e5bff3d5cc1122ce3adb48506e7970bb94f7c2a2cae563dabeb92d2601ec3bed

SHA512
2e2df42f878e76a9950601ae1006585142512370a8d6ca7b531cdc7e438065f1b005a70d67ea944d21355a360744216c7a8c1e570936604084a7216fc622a3bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6b77171e88de6a2d16b8163304e05bce

SHA1
7a1e9d37150c7f2d076ed71e2f6710287c614a84

SHA256
dca6b82078c91cc01d6b17eefa67a4158b33b3ff6848db4e55a88e61e05b1da0

SHA512
3b5c9f3517b6e433c03fd5d5566df5e66dc0c847ace3becff26177c727655ae5037a2b7ac1acf235ad29ffb5688ea58b16356ba9e09299f0c4d138517150d29e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a009cc5c2bebff69a3866879afe7f3c8

SHA1
16d83a07bb7bcd027533bd58609cedaf0a2b5337

SHA256
2d7b339d5683340f2d6dea99c8970ce30d85e33c3c14ad8d2824f4f67e9f1f9e

SHA512
569da8caa1e94766671820a7ec941bd9b553b9e77e18e02e29b95f45de7dac26395eb10f91d7afa4636161633f3f591cbf89a6f12c6dd8fab4d638a3e0dabf25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5b7d5d3a880fea3a9f0b2fea66be00ae

SHA1
64f6c8c914ff9e9168d848139caccd54c1da52f4

SHA256
d919b0f2dcf81b8cb1da45f3fcae79587a0b4f014c68107c1de32351a48b5d17

SHA512
7e85b2dc907b2b866c1d54ced1023b1e5a32b04531cd9a3e258ea17423a5342fb4c3240c107178cb3d8fd21a05234ffd703bd981eb0553148f7d22bb9477a7d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
978b832ff46505ae3d4e7c5d30d8aac1

SHA1
22217d92ccdeb8d7ee9dbd629f8d78028a569c11

SHA256
09f9654ac4a13b5dc0a77246de301b5c0374bb1ef3877d48a4a3661c24469d0b

SHA512
6693382834e6c76aa18cbe2e09cb19c11cb32b05203acd0ebdf6d06019a3dd865ccc84f61816e82b152ac8e396f5dc5045446b38fa08cbd9bf6a6b1165a86fbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4f645c1ceb81e4e6cc508487fd3804e2

SHA1
c11d869b4ba5b6cbf73dd42f1b528c67d2494265

SHA256
dfa329435cb97e8787ec9daf5e66437b22cd695ea6164708f42b033fbade9618

SHA512
07fa531be53e43a5d6d5ec4247a4842e9e913719f86625a307dc3c508e5885b375bbbc530ca9ccef5606f80dceb16a70e8f60f7412d723b91ad68360f83151ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5586950d51fe17dd22b4df6a27a01900

SHA1
9f757a82eac4905de8a47eb2c538600ecce5ee1f

SHA256
1aac4fcda2ca5d3d11fd043d16015fae52e499d372f3c8a672f8227e8b79a736

SHA512
ed9045b8436f8008ffde35d452af3a55d13299906e23a9d04232a8343aa8e3ad2772f6b8ba6e8270735061e4a577b4950da2a3fab326f8369cf3a2427a8bfa84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9811df8549abc83ed1a406cccf48209c

SHA1
c78c05c3e2351e1e3c7a4cd9d4b76479e4f637b1

SHA256
94e7151ba195faffda75b759129751aa59ebc83f7543b9896bc1db8414173c88

SHA512
8b649fb94ad62763de725db3baf40bc4029c082714d023551f5895c9e38084929cfec6bc9eb3df4152499d1d0e0212fbf79df5d7d88de3c888cd6c7d8767735a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
200111a14b2c0b72118137accceb8997

SHA1
ca22be8ea850560438043d0076e5b57d58f031b8

SHA256
a5da4a4913440492c48886cc6bddc873fc97e5126f7945999742d5ce3303ff2f

SHA512
10e62215fc520824853f8e5adc2ae96c545d54a6d4eae8c47c632ad09bbf5037fe9557650a0482cabc434eb2298b6b53b16e9c93ef8fbabd01728a0240341983

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0262a8980e2b0294ab662f1e6522e76c

SHA1
5ca356b5626554b76f882f47e3494cbf8d636583

SHA256
adedfc502c0eea54b1689ef947b371e53788017e84dc274b86c79b5397a1b66c

SHA512
3942a7e63a0f56ac52221e182c850c421ed3cdda0f8ae6a651cd6df7bf1935273df6f3b8ed690fc7b7f48c699f1b88cb59d845a4da7454299c98db4526e3d030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d8df8f1c141fb726f849215e02622225

SHA1
f5e2f1263b681f2cc6ed72a11a3d53f22d648bd2

SHA256
e687ce4d58987ef123c88188f28d6be359aae00f4ed9b0a2704ebd0ddca52e92

SHA512
3804a4a5a4be7d0a6e15af34b0f8e3beefaa0f6acc5078f97a4b00ea532450d4bbbc541a735768b212a44d308fb4af7f53b65c337df9ac4ed2445ecd963048a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f52e849735cc95939b800efc961d9c98

SHA1
cdb85a66215e2d58fec00f568555f9429cfb660c

SHA256
1fb8d43711335aab90c5d1d8dd873b2cf20704133b428e67d409b7d9e5a1b5d6

SHA512
54cece022cb42ae6a699881f5636d9eb1914cb8926fcbf02bc1180c0f34cb4c5b1f8080989170ff97606389cabad500b0a851eb3dd090538d3e8121e542c9bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0aadb3e7f27433f1669dcd72392152e6

SHA1
154fe10f5389aa1fd27adbe29ca9fd4d4299c670

SHA256
0f4c42a0002e1b3082d4f41d156615b027f9399255355656857f493f6aa6ffd0

SHA512
49a69969a6cfe70499250f1ba067eeea7e92f6991cafdcd0e4f14c6c19f2df3bcb9e98a018ff23374b697d0b4cb72be56470d6aafaf048d7de3c737abf9e27fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
63e8e67021e43210b49e496e7e4ce93a

SHA1
8f55a697f8ec5c6177019815ff44648f039ffcfd

SHA256
2db5d79ae67e17edab335b8dceb148310c4abcc27fb32b0daf071a7e6e6750d0

SHA512
0ca3c9af505b5ee66d72bba694925b3e72f513d32667bf4d35d919ce0d6ac7b8d6f2c4da9f2c03810567c64168ab72df6b34fb75e5a4ce452579580a779edde5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
818a162847275c628a97dec97609a240

SHA1
4a2d25d6063552276685d84062ed46e9db52a0b9

SHA256
e86b499436a24c4f6d4b7683ef1589628ead6e0b81f88ae870b4d2d03ffa1d21

SHA512
713b650e3853d4b048fdbea69c6e2689deb4d3f46d24b17fb053d661f2db4abe7e5be8b4175773c754276ce11bc520b92cecea76d5203d217825ef157810b875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fed5ae9971c38be848cd1cdd0f6e2a91

SHA1
12f02de2e2a1d358f5e8f59e3ac7f8e8b642ec15

SHA256
5dc1c401b48ec14a5c7467e93a8ea76687626a4adc7f1ffde01f4860f226b7cf

SHA512
d316df326f190e459b036f661e7fb021b9fbc8926d63bff6611047eb8ce9fa7a74c04d7fa8a1b6b24edbdbe15648874ad92682630926345cb0cd4f3648b70f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f51ecb5d61a1756aa0ba0e917f401107

SHA1
ec44898697f9f021592f5c45f69436c3943d6e10

SHA256
5dd654f58ad0ec20398d86179d5390a84c2888e280029d7ba64771e067a655a4

SHA512
1eaad658c11cfdb0f5627e9e5ce42b025ce158b7105931aee81731d2a7d1e88d84047a61beb15920c598daacaed0ea5a35127048cdefac0ee6672e58c94edb75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b946f6181508a79a7377b336ad59da8b

SHA1
602333d0c1d4def4fe21f90ba997527a04824030

SHA256
819506afcb1df353000934a43a66cf71e8b304758b1f991ae2d45ce46e9b6970

SHA512
10371e3ee25a4570cf41a268fed939701163a9e1711fc7f506aca9fcbba911f457a2b1494e913ad3605c49deb89f6c9cf73def7dbde3c87efb4c554951f68b52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8fad8a3985f602fdbcedab134bec1a9

SHA1
02f134aa37c5f8e000d5df951ab7eb9d64138d36

SHA256
9e2f670ff936a241209be402f38d05b19142250bc98d416e3e28285c80144c7e

SHA512
b60348ccec374d531e33057ddc2af51177d1d8d3e3e965bdba2e7e0c22a294b8630450f952cbf3d1cb34ae4f4d1761b76c0528f8f952d7603f7a9a99cd90f1e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71bcb7609f16019f14f8f684e165118f

SHA1
e9e202b9d7f7e5cc79d8d82502f6cee54b2a0a0f

SHA256
7b9ef55ce0d99d0cbf60612e740280ee8837f5b40d1f818823f3ea652533036d

SHA512
6384852f7232d899bb696cde3b09908d56fffd3a9b3f1ce1ccc3d763e143b14e30502fe55e85b3a8f3679aa0d3a532c24fd56bfb25eb75c74a77d93e3e5d0e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61ce104f1f085451d9b5b2bba21714b0

SHA1
6bb079d1c87c86713769c733a023715b14c88fe5

SHA256
4d9e968668a7ea90a33792099ca189c1eaa9cc9d524721c3bb7e25962edc6ed2

SHA512
a4ab6f7091e8c08af11f8683968a98bc6b5cd3f5f9e48f1b06b0d2f91409b9f2ef67b8f6091a5604db6c555c191973c8566490c5e10d6fa6d6469533f0b6ab8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d6947a8094f29b0126912ebf29a52cfa

SHA1
40f8653cd7906ed048ae6c3fbb6441eb7309df06

SHA256
0d506020c52cc7f8ff8f84349a25f98f04b4f989988fb13d1b41eb737d1f2fc5

SHA512
9f8c0fdbcd9429abb932c1abe68887711673d97b7c3d611beaf99ebc59e3a6dfe7e8bdc038e7991debb6f4fa4ed9c7e5906471249549c3e754ac490d24b58fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c076ff5ac815bb075dfc8675e26c537c

SHA1
e5b13b6793ed78a2043edccd38a7f75160edf99b

SHA256
4b1b012e23fbe7d6ccd72fb457ca4db894782b880c61a3934ed4f09bffcbd770

SHA512
c923578cf6d435370304a03daf0fa9a33a83693b9e9ff6c2efaa00d042ae6753f9959530bdc1df9556dd8dc762d9686b747c0f901798b5ccf3062a3bca906085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e6ca59e49785973252b1e4cb2c3247fc

SHA1
339a1b1e38941aef29cc0a54a9f9b6e799cde149

SHA256
c96cac23251c47c7989de3e4667b0b8c8b96e0ac85589c6cf74cadbf057f5c03

SHA512
34a04375e9000e0235dcdbbb5698e303a455e6fabf053778834daf6fb1bdaad054c667f218cef2eb1d5fdc29959a55549a8483841de0292868e5c0bc57f7d988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
62a5b8c8718ceac716da16bef3396304

SHA1
67ab7bbb53d819ae6c8318e90c0c95a4bf07208e

SHA256
cec2fee7d0adc310e34b24e23e945f2c9a1de2f4a73a11faa31982939f2ab399

SHA512
9084af53d34839a3a6b987407d11245021e1760a7779af565b4184cb9492414077b587c237666869e5882925ca4cb99c677bc9b9ba5bed6cd33ec9452c15c162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ea73573096de9ff2f24ffa64f693677a

SHA1
927a1066a0d98c662817d6a20183a3404c85cd6e

SHA256
4d3f23d5c5f4e3bd4a95f28c6d8f0dad7707557f4b583d3d6f0d2f448173a92b

SHA512
05c8fcdb664bfa7c7d4f41603f231c102e87bc9b19d7a9a6d3cfc750eb7bfac690866530d949512dae435b7e539719cb1a09a239075dc82bb4ace173bfb519fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
387c44551a0205b83ab9ae94599ae451

SHA1
647c590a8143ee2633eca83b1a54546b6c405184

SHA256
6a464ac0c8a3575b8df1ef8ce5a83bb5537a26baed0bef8e935cfd8a49f65488

SHA512
37718688ced4210bdbf307e32a7c02f467b058eec5250b0d175dcb146ea28f98a34c7469e49977dcf0686c8c9ce3b2c2e27161c10823d0230fbf7189b219bbba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7e4f3d38e9411fc408650bfc718e73fc

SHA1
0795108eaafc2f93a9b1d3a075fe9c4d1c2c4d0d

SHA256
0d983cd9dc3fc5ecb3ac15dfc15e9c09dd8ec3337f67eb17e0f7e9a80c38d12a

SHA512
47f97f4035c00ffdd1112d36a8cfb539ccccb072da27514803644d43c40488ff2514a99c36d6e7dbdb3630c49c85e3fa28827f390ac8401ec488abc0d9ab1afa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d0f9cc886e470f5863430713e715e4b6

SHA1
8da1775deb5c814202c7f12943424136e7d7406a

SHA256
e0d635ebbd5ac6e6136d74b49d10f0355731de770a931020846ac17b849e91fd

SHA512
ec8deb1d29dac82bd4223aa970a7eeac925ef26199209b60be4cb240c9fd240ab81def1718fbd0db16d7a7c367bd6d0e365db1cc3aa4eda2eed1785b80f655b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
c2255509114d0571e429ed2941ef895d

SHA1
12f67c1487a2939484ba0d4d765745a4f0894152

SHA256
5722a919c2b64c2a49ce0bd6f43ef739debd43a03e07c9b1955e2c865c08377a

SHA512
cea9abc98d4d03ce19719e69db6d3b3d55db633c7d3834f52ffa88df71468d1ddbe6de3a977bfcab0e5ec4d81bf5f806e08991be781d077b6fdb9dbf38eeff63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oyqlonfk.exe

Filesize
488KB

MD5
75a89cfe719ef99ddf685ce5c30d9924

SHA1
13940f856c8b4ecf2d45f58fa8bbc53a7c7f40d0

SHA256
f520e5e6be76823ce0b328ee1ce1a268353227dbad9c160f9f18f8e2256ae549

SHA512
d174aa7dd03947ca7bd384fcb98cb96119e1d60736a21a48cf7a16f0b72d213a8b4ce7bfaf81f4a70e45a2041f0bfb51dbeab6b351b389c02e309d0f449fe128

Download Submit
C:\Users\Admin\Downloads\TRANSFER COPY.zip

Filesize
327KB

MD5
af8f427f45502d7aa6b81faa872b8352

SHA1
f945d2fa6a7a01cdfc72fe02cfc1f88137425eb2

SHA256
73663fc736e703f2ff10cae080df6a94a9b3c874b247e35168e10ad2c837ab95

SHA512
f658aaca3113043d79808f1ce1c2442d87f21f0b0239b22a2bc05181998ec084f2ffce0f521c736e7799bfac760254e11bfa4cb0b9b7a1558b6f765528ffadb3

Download Submit