kutaki | hxxp://eekifoods[.]in/kkldh

Analysis

max time kernel
600s
max time network
489s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
09-10-2023 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://eekifoods.in/kkldh

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjmdumfk.exe	Inv No 47302.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjmdumfk.exe	Inv No 47302.cmd

Executes dropped EXE 1 IoCs

pid	Process
936	zjmdumfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133413002561384867"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4220	Inv No 47302.cmd
4220	Inv No 47302.cmd
4220	Inv No 47302.cmd
936	zjmdumfk.exe
936	zjmdumfk.exe
936	zjmdumfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3876	4980	chrome.exe	69
PID 4980 wrote to memory of 3876	4980	chrome.exe	69
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 192	4980	chrome.exe	71
PID 4980 wrote to memory of 3584	4980	chrome.exe	72
PID 4980 wrote to memory of 3584	4980	chrome.exe	72
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73
PID 4980 wrote to memory of 2136	4980	chrome.exe	73

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://eekifoods.in/kkldh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff4f0e9758,0x7fff4f0e9768,0x7fff4f0e9778
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=224 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:2
  2⤵
  PID:192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2664 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2656 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3916 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=864 --field-trial-handle=1872,i,15551682097190842642,1562348966374966699,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\Temp1_Inv No 47302.zip\Inv No 47302.cmd
"C:\Users\Admin\AppData\Local\Temp\Temp1_Inv No 47302.zip\Inv No 47302.cmd"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjmdumfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjmdumfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cab6dc0d185b0c90c2f4ef6bbddbc01c

SHA1
3aeb6f872990ade7149473e8b1f5280a221d7db0

SHA256
fe47663f4ff6616fd0f1a5e24e726dd4bc62ede02e609d3919db42366a171420

SHA512
91ef0bb9d396fc486078ca05adcb9ca9bfa6a0b1029b2865a33517c9f5e44761e8d9bea0f4564c81c268b1b2fade5cdab73cafaa7bae7e2f375d66c94790bbae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
6d63605e027764d245912091cb854c0b

SHA1
22fd680d69b087a8eadfa5605fe11353569a777b

SHA256
590342fd45c6e778957ffd155e20c33e081a2dea335f07f4bbd2e640ad2d4354

SHA512
e5eb4e3990e0fb6c11497df1cfe0a5f91ec4c63ecfdebdfdc00eb3cb86702059de0e36d20a9ddecf8a051dcb39a978fdab9297073e4e83c392c6ae5b982a1872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3958dafb7b744d9139cce7fd9896b91a

SHA1
52ec2156f912bfecf674c22fdedff504296f8055

SHA256
b6ee1e40ad16f76141ba85a3256e69348b137ddaa58126104ce7cb70d6b200d2

SHA512
6bd69f3d41afb4d4609196efdc5eac790bb553d4841c5c1fbf314a8971f06f1e509c6d72b7a4a9a8eda536edb37195048c9f121c5db7ddc77ac69ef3e0215d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0e76b815a056759a29f8fd51c3bad3e7

SHA1
46dd2ec6af03fe28e1732246d4d2438453d231e9

SHA256
e6decb698413971acc5b06d4d722d4e45a1b97957d4dd2e71532d746053731fc

SHA512
ebc1345eed313e0bf7d055bd9260a0bea6ae70f330fed28b0e7da41ffc8f3f119221b11e0adae7fa43c16330eef575c1e57f7182a665044e4cb6a7e8cc19a859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ed17bd1e9120b3f303a6c5c54cb5a52c

SHA1
cb12211b00ef9faf4d39e38ccf2b4ffc5f4b003a

SHA256
7fa98c6c39eb5b68745df65631bcf6db4cdb28aaf3d99abccf0421be56d81f1f

SHA512
a5b8ddfe6c7509f70c9694fe9c08e2dc2d00423bb0cca446bb8bdcc24d728c75b35aca4c6a8bb8188c7cc321fb3dcf68010e89ad49dbcb93c48f9789841cd1e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
5b77b6733bc7038621474bb7c9801caa

SHA1
5d3eb81dd7d1f3f218b49e96207de181477b41a4

SHA256
c40ef1943231fcea566ddba0570317433cf17449540e9c2b6c9648b25cceb5ab

SHA512
849d8b0dcf32ef838f983b1985be372252b7de4965c6e243f4bf053ff691c372048fdc85bec8a0068b6e8c015a88bb943cc3f84fdac60a770bc9ca3c1c6aac07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
ef0dfe1cf81bf6a33c4a984bd9d0caf2

SHA1
941b421495775955dfefb82fe9fba51d1a837947

SHA256
a748693f56a5fbc29253c07fc9b49b8a3af6929707d15b3517d54ca74bd44fa0

SHA512
e896c9246b0e19aefa7ef1b497f5086a87c57547f336301245520fec653ce51c53c7ba9cfc0a58d1acf0865e087598fba9600b4cd5dbb1cd9348ec5fd3861646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
1a6f61c89d546d22169b5f49867d9c7c

SHA1
9c241c949018c5d9b98b5fdccc2d1a4f05ba076d

SHA256
64686b135198dcbd92bdd0ccb59b22caa80031d884e6b6059c232f4bd0255ec8

SHA512
9d98d04afe305642946f4d571ed1d40ba66c2c0bbe6d230ef77c71045a15ad68f454f4d1c4b5a915f78710e8fa4b801195449d1209468b4c82c26e8f786cce6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
b251b3a6f029ee6b2d99e161e5ad8d8c

SHA1
eed805441cb486c8c31286694e5824e0543c7784

SHA256
8f056f0a1628dd867ae7450f8c2605c5b4ee1f51ebfda0cbfd75e2d3ec05856a

SHA512
cbcf0c17bd735a593f20be0b47a5a07797307510903fa065f7f4c403f00fa14750cea7463b7f023a12a080e18a8ad42d2f87da25d99a0c40e699a77d0d3045ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjmdumfk.exe

Filesize
2.3MB

MD5
315057e3fa306cd68248a18029e1c63a

SHA1
c13a8a556429f85c9f3365f7dbe2379d040ca9a7

SHA256
b68773eaf1a6a8e663a28cda929f8dcb34030d80507dec54d99aa8d993146117

SHA512
6535997e32c4bab6fadaf7494c3b4b227cd4f7457a6e6b2ef72195f392844e645e2cd44e64353df3f008ea1f16ad663b0b0a8e31041a6db4b31251dcbb587199

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjmdumfk.exe

Filesize
2.3MB

MD5
315057e3fa306cd68248a18029e1c63a

SHA1
c13a8a556429f85c9f3365f7dbe2379d040ca9a7

SHA256
b68773eaf1a6a8e663a28cda929f8dcb34030d80507dec54d99aa8d993146117

SHA512
6535997e32c4bab6fadaf7494c3b4b227cd4f7457a6e6b2ef72195f392844e645e2cd44e64353df3f008ea1f16ad663b0b0a8e31041a6db4b31251dcbb587199

Download Submit
C:\Users\Admin\Downloads\Inv No 47302.zip

Filesize
2.1MB

MD5
647efd971b659dee52466bee9c074f35

SHA1
68ad9eb05e995a25312244b776ded0a4a8c50f6b

SHA256
d52a1a8bdad75eaa4d109caf29e20dff9c30a249ea195ddf26711b75f1eb87ae

SHA512
ff9a8dd947d11db2716817b6ff48e2c8c61936c16c4c1b9a922615fb1222b4a2eb753568e06ed60372096a8236041d9dae0f0942897f4a154da765fb9062a0c7

Download Submit