kutaki | hxxp://kothariwheels[.]com/dnehj

Analysis

max time kernel
603s
max time network
496s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://kothariwheels.com/dnehj

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

INV NO 0895.bat

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgjrqyfk.exe	INV NO 0895.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgjrqyfk.exe	INV NO 0895.bat

Executes dropped EXE 1 IoCs

Processes:

vgjrqyfk.exe

pid	Process
1072	vgjrqyfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133509556250237146"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
972	chrome.exe
972	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	Process
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

INV NO 0895.batvgjrqyfk.exe

pid	Process
3540	INV NO 0895.bat
3540	INV NO 0895.bat
3540	INV NO 0895.bat
1072	vgjrqyfk.exe
1072	vgjrqyfk.exe
1072	vgjrqyfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 972 wrote to memory of 4612	972	chrome.exe	84
PID 972 wrote to memory of 4612	972	chrome.exe	84
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 3752	972	chrome.exe	86
PID 972 wrote to memory of 4044	972	chrome.exe	87
PID 972 wrote to memory of 4044	972	chrome.exe	87
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88
PID 972 wrote to memory of 2304	972	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://kothariwheels.com/dnehj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c6ae9758,0x7ff9c6ae9768,0x7ff9c6ae9778
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:2
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4868 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1876,i,9889840580968116552,8353448856701483880,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\Temp1_INV NO 0895.zip\INV NO 0895.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_INV NO 0895.zip\INV NO 0895.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgjrqyfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgjrqyfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2721ea7701841c27f6a89bd8d4753038

SHA1
7bd577b9bf7b62c86c315d9060ba2371ba2b7c53

SHA256
86ca52aa8215bbb454fa4c364b18c72129468701eafc2a4dfbb773ec325dabd2

SHA512
6dda2b558ae986a847c01d73445b3bf2319582b43900b9909471c981002085f4108f72eeeb01211b9babf062183d1cff5192d6f5ca7ab65c6ac88cca806b6b6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
93321a6da7ed94f29e7ccff166fda076

SHA1
6f5a17b3afff9d6146eb3e68d8d672f5ef4ecb11

SHA256
789d053ccec10cb872f8bbd2ce4149b23008449bd83195ce76e27a983060a79d

SHA512
40778824c099a8c936a870fb75f0990a746e5be37cfaa98c2342d45fa34f9d3f3e5e1a07053be98ee759b4ecd2590772a21e84474129d9db84276c7268470d05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c4e2f266ff1ad913853c03d74ffaf4c5

SHA1
6758c6225151c19529773b8790a4844f61011061

SHA256
4c0f182e082b05f5988fc3d8af922df4ab2b626a0b3df32420fdf06f2dc61105

SHA512
409a012e94f70d1764eadd45d9e2fd40334b5b88ade159e9130edae8d3246efe73918d0800a7c0e16014528df292ea304fda6b53b7014ef63f5efc24f19c2ab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a82da096f6485acfa1dd17044977c1b7

SHA1
5d351fc8c455e3cd6b527a52649fe12c2efce5b3

SHA256
bfa17e4ffa93667eab417b8d77131f01a9e73ef75701fc39f5e12eee24945cf8

SHA512
6196d3c3ca1a63a16a5a0f180a1463dc332aff2ad52bc97547211cc415c1eac73697a3e8a0b4bf3dc314b7b0425b4d78c34df917d6c112bc209b7a13639240ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
db4d4acb670365c609ac9949888d623d

SHA1
32420caf0d428d23f351331b7421b3c1901cb835

SHA256
bc129d24fe5c1d45303577f2fd8637c455f989de9ec4349f836685cf91dcc43e

SHA512
ba1a601456fef8d38bec021513ece14d70ad9c238fb965c3f8a16a649631595b10d6947f58279718400588f601dd00870ec6da7f4626e1f632984ca65138c674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f69adb6063fa16e953f7cff3f566cec0

SHA1
c0de88d022e8cb65aed528ae1c2b7fe12bd29e5e

SHA256
a30914cc108e22bb913a33a16f8def923f0b8dd00acc0ad7050235b896a6c30c

SHA512
37ef488dc9fa0844b405d2b85047acd6550ed3ae17e15536249b3639a465afd45cc417ad0837ecc6293acb53235c8f6926c0f9170d1dce08a1a1536fef9de0e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
ad71af34283005649403525d0924189c

SHA1
69e4d78b49b9f27630ce04626e5766770a0843be

SHA256
1823c3a73881289a0664fd0e3cfb9e34f18831793aa4d9c37206d225187345dd

SHA512
406e5c3c709fa83a88091486d871031cf661dcd3b284c4a963f746de10702800240b59db38cf5174489cf066df31e861d3f1c5c52bcbdedfd3ebcdaf34d52e4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgjrqyfk.exe

Filesize
2.4MB

MD5
bd0317d7d71a80393ad2fd68d6068de1

SHA1
818c874b396cb525864eb0d89dd4bd48d83c89d4

SHA256
3bc228f9d963497944b91f760b97b2c1eac7525c4c0c065da8f8e62833fe5485

SHA512
e130f60ff194a622bced18e59cdaaadc10834833bbd948f8f03e0d13065b74b281f7f803188b4e7dc0077e9dd16684684d838a94e961bede1a220c0211dbdcf1

Download Submit
C:\Users\Admin\Downloads\INV NO 0895.zip.crdownload

Filesize
2.1MB

MD5
d9c0bcf7338442ca4bb55412812d9e40

SHA1
9d6204d46206a40f4f4ac6e78b9056bb80d639c9

SHA256
23f2743e81089acdc8f418032db74020d5e6be8e19a3b1b849648d1ba9e6325b

SHA512
6c3bc5742a0679fa4b538ee245bd6a0f39f7e42156cc0bf4e552659e3a633fba36b0ef5276ae61a0848b4d3268598a4266996f370cd96610346059a24f4a658d

Download Submit
\??\pipe\crashpad_972_OSQYSAJBBIQFCBWC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit