kutaki | hxxp://4deshebrases[.]za[.]com/uurik

Analysis

max time kernel
59s
max time network
55s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
21-09-2023 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://4deshebrases.za.com/uurik

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe	Inv No 46281.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe	Inv No 46281.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe	Inv No 46281.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe	Inv No 46281.bat

Executes dropped EXE 2 IoCs

pid	Process
4232	zgwiztfk.exe
2780	zgwiztfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5108	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133397376551899728"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3792	Inv No 46281.bat
3792	Inv No 46281.bat
3792	Inv No 46281.bat
4232	zgwiztfk.exe
4232	zgwiztfk.exe
4232	zgwiztfk.exe
4916	Inv No 46281.bat
4916	Inv No 46281.bat
4916	Inv No 46281.bat
2780	zgwiztfk.exe
2780	zgwiztfk.exe
2780	zgwiztfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4352	3352	chrome.exe	60
PID 3352 wrote to memory of 4352	3352	chrome.exe	60
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 4460	3352	chrome.exe	72
PID 3352 wrote to memory of 1288	3352	chrome.exe	73
PID 3352 wrote to memory of 1288	3352	chrome.exe	73
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74
PID 3352 wrote to memory of 5016	3352	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://4deshebrases.za.com/uurik
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcc8a69758,0x7ffcc8a69768,0x7ffcc8a69778
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:2
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2784 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2740 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3952 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1840,i,14396798628981681928,3094588708241144018,131072 /prefetch:8
  2⤵
  PID:1400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\Temp1_Inv No 46281.zip\Inv No 46281.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Inv No 46281.zip\Inv No 46281.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4232

C:\Users\Admin\AppData\Local\Temp\Temp1_Inv No 46281.zip\Inv No 46281.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Inv No 46281.zip\Inv No 46281.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im zgwiztfk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
c61aaa70c8112eb305416a4517b7c463

SHA1
6f795fd21a2c4a22fc17c71a3218674d046db751

SHA256
f342ab576ba5cf53fdb3571f8b224c69b8602128eac7373a81c4238f4bda003e

SHA512
3d4e4745c1e51d5c1bf108ae62bb698864028c9ef70a2c218b4ee6865e901b56874a4839c6c74e09d5bc4d6be449734a1f308f231d5d7f226078416c18f5f9b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6fed550f65f72a421eb2d32e2a95949e

SHA1
db5765f382afe16bc679aa250e47b92c4d9a1e93

SHA256
bffc9eeda1aded28675d5bad3b598ff7faeb0b7290670844ac4992e5e834c495

SHA512
c497cc76a13a24fac145f7d559b572eddb37db6f23a27fb164735dcb094e02ad4f2c2cc692c49be0e0b99d6c25df96c42900ebfa2b7806ea0c5aa5aa1698fcd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f1c0de5b9de5ab46852cb309aba3a71d

SHA1
c16d45d561720733189fa00a5e011b92057037fc

SHA256
59437d1ac52ca522a058512ed6c47db83a64e1ebc56005f2daa6fa70d5d21510

SHA512
f3b01942cc956e8aeadd25059ab3bdefac45713c5d3d8eb40dbca7820231ee6135a6993835faefdf4425e92eda73bd0a4e01f1908f96cb9e85bfa171133bcefc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
699616653d3e14334fdefbb4cfd9e1c9

SHA1
ecb017fbd00ebf6844181363c815ab643a550258

SHA256
4192fe63e60265da92f8d0370f42a07d0aca1193e0bbead448fb2b1edfd868ec

SHA512
ad2551541d818db2254e09a776041ff62a46627a0b65f523be8b58f0f2f14714b14b7be4153fd73512c5fe8c3d6896937bea4dd584cf1145d601babf619d2bff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe

Filesize
2.6MB

MD5
9c55c5482f2599282613a9677dc9010c

SHA1
441e9706756e28d2112f60e1a5fe3c0ed4368a8c

SHA256
c8bc425f3201c25f61942597a5bd5f7ca2410a9c04811ae0180cb047d7701f43

SHA512
07c8da517ad919df750a1c1a13007583be76e8f113960e76f6c1b984b63710ea0ebf3966ce06aef19575fe0a7008bbe2bd802578f8ceb1b6b92b1cc03dd3f19a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe

Filesize
2.6MB

MD5
9c55c5482f2599282613a9677dc9010c

SHA1
441e9706756e28d2112f60e1a5fe3c0ed4368a8c

SHA256
c8bc425f3201c25f61942597a5bd5f7ca2410a9c04811ae0180cb047d7701f43

SHA512
07c8da517ad919df750a1c1a13007583be76e8f113960e76f6c1b984b63710ea0ebf3966ce06aef19575fe0a7008bbe2bd802578f8ceb1b6b92b1cc03dd3f19a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe

Filesize
2.6MB

MD5
9c55c5482f2599282613a9677dc9010c

SHA1
441e9706756e28d2112f60e1a5fe3c0ed4368a8c

SHA256
c8bc425f3201c25f61942597a5bd5f7ca2410a9c04811ae0180cb047d7701f43

SHA512
07c8da517ad919df750a1c1a13007583be76e8f113960e76f6c1b984b63710ea0ebf3966ce06aef19575fe0a7008bbe2bd802578f8ceb1b6b92b1cc03dd3f19a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgwiztfk.exe

Filesize
2.6MB

MD5
9c55c5482f2599282613a9677dc9010c

SHA1
441e9706756e28d2112f60e1a5fe3c0ed4368a8c

SHA256
c8bc425f3201c25f61942597a5bd5f7ca2410a9c04811ae0180cb047d7701f43

SHA512
07c8da517ad919df750a1c1a13007583be76e8f113960e76f6c1b984b63710ea0ebf3966ce06aef19575fe0a7008bbe2bd802578f8ceb1b6b92b1cc03dd3f19a

Download Submit
C:\Users\Admin\Downloads\Inv No 46281.zip.crdownload

Filesize
2.2MB

MD5
1d966f996dcd93c1a98c9b3c4142c246

SHA1
4d443c9a609d3a7b7842dee42d36b939c3137a59

SHA256
9dab6775890cec31194c3c7d2e0b2e6454806d2f9e5762f501e0cd1c1da8cafa

SHA512
bb2cb6a0d95960bbc33d4c7ce8c32f71575b9e63e54bdd8831f84f8423fe0db02b9c2188b6d40155815d4bb58414eeeccd59e2304d7688ecdfc40c3dc5535f1e

Download Submit