kutaki | hxxp://katariatradersindia[.]com/css/Zyr[.]htm

Analysis

max time kernel
97s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://katariatradersindia.com/css/Zyr.htm

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231c4-60.dat	family_kutaki
behavioral1/files/0x00070000000231d3-66.dat	family_kutaki
behavioral1/files/0x00070000000231d3-67.dat	family_kutaki
behavioral1/files/0x00070000000231d3-68.dat	family_kutaki

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifrfisfk.exe	Tax Payment Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifrfisfk.exe	Tax Payment Challan.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	Tax Payment Challan.exe
632	ifrfisfk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133545963693663999"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
1572	mspaint.exe
1572	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeRestorePrivilege	2712	7zG.exe
Token: 35	2712	7zG.exe
Token: SeSecurityPrivilege	2712	7zG.exe
Token: SeSecurityPrivilege	2712	7zG.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
2712	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2300	Tax Payment Challan.exe
2300	Tax Payment Challan.exe
2300	Tax Payment Challan.exe
632	ifrfisfk.exe
632	ifrfisfk.exe
632	ifrfisfk.exe
1572	mspaint.exe
1572	mspaint.exe
1572	mspaint.exe
1572	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2468	212	chrome.exe	85
PID 212 wrote to memory of 2468	212	chrome.exe	85
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 1612	212	chrome.exe	87
PID 212 wrote to memory of 2252	212	chrome.exe	88
PID 212 wrote to memory of 2252	212	chrome.exe	88
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89
PID 212 wrote to memory of 4676	212	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://katariatradersindia.com/css/Zyr.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd292a9758,0x7ffd292a9768,0x7ffd292a9778
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1736,i,16931487674958178869,5526980847073270502,131072 /prefetch:8
  2⤵
  PID:1088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3632

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Tax Payment Challan\" -spe -an -ai#7zMap24929:100:7zEvent577
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2712

C:\Users\Admin\Downloads\Tax Payment Challan\Tax Payment Challan.exe
"C:\Users\Admin\Downloads\Tax Payment Challan\Tax Payment Challan.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2556
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifrfisfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifrfisfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
44a5e9dbc1d7eb2e7653cd21769a0ba9

SHA1
033e374f85a81d56661d13568c774e8a96a476cf

SHA256
53871846ead73a182bf16ca0e2697fc42002c90b001682715cc5bfcad61dae3b

SHA512
af20558a531f2a3999317c5fc69605fd85590d507a8e2f01de5ee28ed7646f5e05d21c511bc733250e2b98c86c928cc689bf319af82b05cbc1cb06d13eb20550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9fda5925e2eb91443ade5fd465300af0

SHA1
50b023f3f46af019d6dfe4ce4ee671924c659508

SHA256
16676129d21337b3502261a9ddd0f2a5f0b5756ef0510a98f067fa0fab6fcd26

SHA512
2560f6936030f9ea8b6be5dc2bb0f491807a2c70a80b5b909808773c774cd72937d72d5023b716788b31e00452c2b983e24bb4fc60c3b44be2af38364870e5de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
10fb7565de465c706fdba7da23619646

SHA1
4569fd65a587dc60b388bb2cab8f644122d9a09b

SHA256
fdea636ce4371eefcd95ad4707d592b5fc44aa38f2a35bd05f9872f8fef3a608

SHA512
5d0a5b48e1ce446311158e368c8cb5a0dba2394d0af453e1a69b46c22b60452a981aa7355e4323b7ffe94299e6f02f005dc0db6ed9d5cfc1f885c2df83f6047d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
68ceab649c616471ebf83a4333117fc8

SHA1
5d932ee9aeae5d7cf636300fc593e272cab3285d

SHA256
511ee78207fe56dc26d9ac8ceabc526eb13e2aaa2dfda5d59197914ef52d83c1

SHA512
5140465974880b94e2cb107d64198ccc7866693689326ba48f28a8eaf4686d32fcd7f4417fd0d56c9464f835fcaacbddd6d6d25a11b7ab4a931e040fd80561a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifrfisfk.exe

Filesize
192KB

MD5
e7d66adec86bad9797f46885131e5f79

SHA1
4f6071812e279999ee1a882ef746cfdc6edfd584

SHA256
d0881edab6d76a532b775ac1623ce446e922e97638b30aac7b3d2dbc07fb7a3f

SHA512
668c0ac673c8a9f69739bd17d9a1be0753efa364f19beae6d737191296ec9fd7db5528ae83de89ffebd9f947dd5aa3edd1dcc2d13da3189b75fa08936540d306

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifrfisfk.exe

Filesize
320KB

MD5
48e4a376953b81d15ff659db71d5d907

SHA1
8f5c9a657b0a49439972c8fc826ee2a88ebbc3eb

SHA256
d4b3ba9959030c480be3071adcc6f37d4eb81f9c9ddebc95ab1e269f16547a9b

SHA512
31e9c5e770ed70acd399b5a66bc30ba3c0e5a049c0c8bba8c0d77414ff683652e45814ad2a35ecf73581b041dc25ba9d48772b07afc918b4e508699586f3dbb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifrfisfk.exe

Filesize
24KB

MD5
cdbe3aa9840518fcaf999c1cf25578ea

SHA1
268baaada7e3901fac39d1167fb69199420ca520

SHA256
78e83d9dab43cdb0a4de2b68dd24c4d529e8ecb55f2415d7cd303f1a8dfab0d9

SHA512
f4ec53f32896cb088e944d2d2864a28b5917eaee28e1aabc8a4b401518ccea08c124a185352004ae666d36f26ffd90bd558173831f89f359890ea9e36fad7775

Download Submit
C:\Users\Admin\Downloads\Tax Payment Challan.zip.crdownload

Filesize
366KB

MD5
066887603e476d532bc2dbd91cec6f86

SHA1
f589ac8ea2614bb895a483c5701871fdf4393099

SHA256
81a5b647adc7a9049b6ecdd8b0e8f51b03f7d34e247deb266da155ac2253c729

SHA512
9e49118f89cc3a25e71640330a64a84d5b126ce403362cf5a515f6df55ac9f66c232f23b92a6b79c4c77bf5bdfbbdf29727654a0c8b93489c1a870d99e3b504b

Download Submit
C:\Users\Admin\Downloads\Tax Payment Challan\Tax Payment Challan.exe

Filesize
637KB

MD5
bbf998f39ff78309effce75ce3ed0020

SHA1
0050caf84cfc083ea0af0cb8cee13955b7e13d2b

SHA256
4eb1e5e57cada95932e85d71062c1d3f95ca3b7a3764c26e95bc90171d21d543

SHA512
f90c300691fdc6a83f2a5ef986562df0fe06982f7dfa7886ff09096e15cc32a7a842bb20e4493b6afab68a5978a3cfef7b84bca6d17d33bfc0540414615aad99

Download Submit