Malware Analysis Report

2024-11-30 15:51

Sample ID 221008-bzm34sdhf7
Target Fucker.exe
SHA256 5a9aa67d781dab65141d8951ad5920fca28a1d1324ad2759c665078a01201ca6
Tags
mercurialgrabber evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a9aa67d781dab65141d8951ad5920fca28a1d1324ad2759c665078a01201ca6

Threat Level: Known bad

The file Fucker.exe was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber evasion spyware stealer

Mercurial Grabber Stealer

Mercurialgrabber family

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Reads user/profile data of web browsers

Checks BIOS information in registry

Maps connected drives based on registry

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Program crash

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-08 01:35

Signatures

Mercurialgrabber family

mercurialgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-08 01:35

Reported

2022-10-08 01:37

Platform

win7-20220812-en

Max time kernel

38s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fucker.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Fucker.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Fucker.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fucker.exe

"C:\Users\Admin\AppData\Local\Temp\Fucker.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1376 -s 1960

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 96.16.53.134:80 apps.identrust.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp

Files

memory/1376-54-0x00000000001A0000-0x00000000001B0000-memory.dmp

memory/1768-55-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-08 01:35

Reported

2022-10-08 01:37

Platform

win10v2004-20220812-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fucker.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fucker.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fucker.exe

"C:\Users\Admin\AppData\Local\Temp\Fucker.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 484 -p 3056 -ip 3056

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3056 -s 2912

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x300 0x304

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
IE 13.69.239.72:443 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
US 204.79.197.200:443 www.bing.com tcp
NL 23.0.87.20:443 cxcs.microsoft.net tcp
NL 104.80.225.205:443 tcp

Files

memory/1580-132-0x0000000000010000-0x0000000000020000-memory.dmp

memory/1580-133-0x00007FFE35940000-0x00007FFE36401000-memory.dmp

memory/1580-134-0x00007FFE35940000-0x00007FFE36401000-memory.dmp

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 3f8242cb1c1230398ed394882f79a907
SHA1 1da25574271ad10b454066bafb20504f243af19b
SHA256 f4d294f7472e2b970fcf7e794e9e67c984707c197552deb4c2e09a1cdd7008f4
SHA512 115430800061f28d6e997a50061b40448d10ab9dbaef76edd3f517edb6c4414cf1f129a1630a731ed1f51abed19fd08e012aa09b44c3122ca0341f25f64d922a

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 19c70490b8af31da0935d91981bfd840
SHA1 57d90edb800d0bafc71a2c546b25d1746cd99f0e
SHA256 5ed3d74921f27a1d0d145f49ad2ba739d8c860e190f222a34f49c4051a260f35
SHA512 e80d6f06a5a8b5dfc0bd735da7e4e29ee79ab54371f75b355d84ef857be273dd0ad094cc070551ad69343e093b3ef6fba67c950b25c07c88b3f3940344a5a108

C:\Users\Public\Desktop\VLC media player.lnk

MD5 850d6275b0eb83f54e01c4f85844b4ca
SHA1 33bae780bea39d4d16820e939c0c4f9d7d26db8f
SHA256 1e5685939bb27619b7e34dce844ba8478a3e3dd5c50c3947ad1cf7c10f6ce7ed
SHA512 c607b3532f522adbb5ca6505aa58089597c784b4556446fe90a0440cf1b1578038752404eec43ba13b209b7888edde08b5cffffea1e46ebc38d34d8d04d95c45

C:\Users\Public\Desktop\Firefox.lnk

MD5 8950c114e215874819c6d2d5028bf929
SHA1 cefa741b4d777af9d5277c696bd1a34151d24946
SHA256 42cfa67118481944881f1e5d0a02dfb53a58777d68ab4afe419d601cdb5d973a
SHA512 232d0856fb894c3dc057208756903be7965cad37d30c92360599bf4c2de509fb84ec31eb74db21c04822dd5811a70917d6da350cf67db38f3a271d80e61dff59

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 100a0c96fcf2ea020533a36eabb02fe0
SHA1 577538ddd9aa7a5ca56f1bed55ef18a9e9fd1f68
SHA256 7263e56f052074e9226dabbeb8e36b28c37662bdd05bc205c929cb435b84732a
SHA512 8b83df9917b02fe9eb5861bbae9efc60abe569a1908918cd318f1cd5c913efc80b21966f481aa412aac5566f16a5ce6ae8782b579c3935906736e1b87c020f23

C:\Users\Admin\Desktop\CompressJoin.mpa

MD5 cf26fac664f386a1325b1f8ef67b3209
SHA1 c139228bc54fb29bf206a45a002e2c5afcbe667b
SHA256 289052eae3e52733a88fef33b33b29c368afb99fa4d295424c6870b9ec03ceb7
SHA512 d3911dfb5fc38a21a450060122c321b799c04bff7aa39f309a18871e7f02bf6f8364f28f675aef8001542f7bb074dea9c71378d1e2db54c948881bdcd43018e5

C:\Users\Admin\Desktop\CompressStep.cr2

MD5 0f1527f2dde42ab2af33c8e528168860
SHA1 6939df91a297caf25beafab605cbdabc1e4a9545
SHA256 821b473b964e1ac8b15f223c213f9f8cea5413aceb891c2a00968420fd8711de
SHA512 6cdade964d7c6f186efd082e3dedffdcc5397f6ae6df08556142a3a384f15d2720696f283dc1029a7111fcbe6226f33fb7431db3765214697c63e9d495e6c0c9

C:\Users\Admin\Desktop\DisableExpand.cfg

MD5 6dce268524a424f44a2a495c27dfb2fa
SHA1 97b7fa54f80634961d20e384face3b5009a152f7
SHA256 8f4a76dac3bfd736f8f93ea322e3b5c3e1d5d59761f71a93a2b96c858762a185
SHA512 335326bedec31bcaee1c2a198ba1882a49feb6af3f4503d36cd2579b63e194652fd585a96f74e7fc3bb2a540c63a4f7720d0c95c0ddead1e77b8b3033a10a439

C:\Users\Admin\Desktop\DenyDismount.rar

MD5 7e03539257d12795c9cf8a5cbeb20e66
SHA1 35d0a950e5cd6dee165e7a2114293db91878cbb9
SHA256 962e5834c7bc75aa95280d0f9a2daa60e58730f86968667233266728b16cbc80
SHA512 af95ea927921ebd130f28c3fed167fefe0033efe88a92c0c059f28441acd3179f8c23061132164e6fecdb653c647bb6922599ef5c4ed90d56519accbf2ca19f7

C:\Users\Admin\Desktop\InitializeImport.xltx

MD5 63833798777b4a9b5bd24bfd83cbf5a4
SHA1 150b6895c21f34eaff6395635c1e5ff69a85ffa9
SHA256 cee4ec0b788dc1ee34e1ca34c2e60f0cbd2cc6f9486503f19fcb9aa946cfb12d
SHA512 ac3e9ccdb12681d43a80b192291589effdb353414949683631d816becbc28c523a304c2c1fd8ac41a64de7d0a42e158f0c0a0cbb1518fafbbce60445dd026edb

C:\Users\Admin\Desktop\InstallGroup.wpl

MD5 34098870da044472671d34a57f18b302
SHA1 b9509d06c94f4dd1e15f74411f7a2a81106e9941
SHA256 a8c57dc95b4a323d5f53e6fcf33775fdf39058a193edd718a7d56474e229d98c
SHA512 8e63852d9c2aefc50b77f9659f6db05bbb312dd09bbc6c87ad2868dc8b4b5299da2ee44406f1050bbc833150259ed68797313055cb34f1499411cfc06182e618

C:\Users\Admin\Desktop\UnregisterSearch.hta

MD5 c801425dbc418d770cf6ac0c8fb879b7
SHA1 473c23ec8aad8397f6d6f663c1fd52f570c2b0ac
SHA256 3dc616ca592eacaff8f057d91e0188c785c821300e387af313e25d9519c8f7d2
SHA512 dab40bb5b921c08da322073b70d728c7e2d4506006af0ce97404896df9d27534a2f356f085216bb5a8076a2195720dce53c091505223d2cd3c14214b6c611374

C:\Users\Admin\Desktop\PublishEdit.lock

MD5 658cdd68ffef16d032cddd1f04004715
SHA1 1fbd49ddeabd26de2377c58e7bc837cf5c41f5df
SHA256 796be3bbd6f8f188acec4919e153babf71f27977dd391ce0cc4d90035a99ffd6
SHA512 c8e03eeb3c8906c085361222f05542c4532e90a5e140f646d76f35594bdd20735a50b619e03eea9076cdbe866a10c22f6e658bf9e341424b4a4e2ae4577aa01f

C:\Users\Admin\Desktop\RegisterUndo.xht

MD5 f49d125b20e29bc395ceb5c4cb77ff7b
SHA1 745765ec28679b3c989c86edb504c008d9254f52
SHA256 f08a9061907d258b265ab3d6fa8971a3016fccedef8c2b75d7a344f40bcc28cf
SHA512 086ab153a520603f4bc48ccff49cc3630cfb0f325b7dfbbe5ac21cc27bab8dbc33cddfafd8d3a291b6cb14d2a613c9ca9e5d769cbbf0d9c3670583b909f6675f

C:\Users\Admin\Desktop\TraceRedo.odp

MD5 20f6451bbc42f6d1896c3612338d4d88
SHA1 60fcabd6d4d935132c71b12922b6086f6a643d4c
SHA256 3fba3fc38a9970903ae2c7c9cf2644ca660a3c1497dcf9c528c443a61d5691c9
SHA512 5dbd03dd137a7ccb6faedbfc59ef192abcf31f2c3b404df3025855ae1b22432909a9756aea594715e51bba29823f5be315f878b6aafe5fd7d0d2fdb6e569d563

C:\Users\Admin\Desktop\SetJoin.cmd

MD5 82b36e7b7b9bfa01380d7688ca25dd90
SHA1 15870f91559c67ca3ad1049be7d31af9e0519e00
SHA256 cd92602032dd8fd3a9598f08453b8484dda35e0c6869004133465c3d50dc7794
SHA512 04e56632ca64b4cd4b71a8caa9ee36648a018ee5c440b590b02bd5a4628ef3349fd2c9fffd669006922b2c70b3ad06b262b5acec038908852eb4b591a01378c9

C:\Users\Admin\Desktop\SaveClear.001

MD5 39419a4cb41fa496384cf30cdc5f2df1
SHA1 bb89f5434ba6da4c52f5939d2d39683dcbc2a665
SHA256 d0a5ef869fd2923f9fc15b6c9dc750d79e3fa9614f541c72778b48d039011a83
SHA512 ade5738245d216fccd8448e42f1c705d13f4a31332ffa23aafb6988cd44a7eb3409f048aa9823b6782521406941094fa41175c85cd350eef74003dabbdcc2745

C:\Users\Admin\Desktop\ResizeTrace.TS

MD5 b99414d68ff4f9d4d0dae0462b4a2467
SHA1 9f48387ee881d07ffe2ccf2d6886f5d6324e72b3
SHA256 17cb3e70fe44bc7a26298c3eb9d018932fe9f4e31670004ddb5994ef808c685e
SHA512 f5ce37c3d805fb1c064f6307f423d2eae5b676811b604262a487306baa4528e6e43177642177873a238f011c664b0e27e51291dbaf712443f86c9ca575179561

C:\Users\Admin\Desktop\ProtectSelect.vb

MD5 c20994c8d41e76bac2836feb0c778f95
SHA1 0df64d8bf123b2194b8ec259b75e2e3547b1f143
SHA256 9612ee1660ded7401fdf0202a116109355e0c8271d2be5513dae99199a7391c2
SHA512 e0a906ebb82ad91d13d3d2cd9cbfdf4bf117f89536188115cd745b11b99b8791e7c73f9381c2af455d1b32ca81a4487db5de3dc0a47885a6a04fd50fd9b34607

C:\Users\Admin\Desktop\MergeBlock.avi

MD5 a03b5e80b51f616c31b09477746f014e
SHA1 392d8552360727ddc31de77df5b5c40f123008f4
SHA256 f776c90a0a6f73b1c47b3332de3666fa675d3f0ab668bd5a267fb4065d37d9bf
SHA512 01084172cf799298ae6004a9343f329e61833fd64acd95e1afaf48b5bab141dfffb550f821fa23700b5b1811f09767d7a4d3b971cd3713ea1af5e2a14d8ce36c

C:\Users\Admin\Desktop\ImportNew.asp

MD5 1489b0ed9607efba9944225f5c510fe3
SHA1 b75fc814147934b7b8253e28d6d64817f20bce46
SHA256 253ed7031f32d3c9ebbfd43167fcf2c0d3a880f374b1d0406e6d5685a8523fea
SHA512 cbed42c4d5afe0314d7c690ee77e1a91bfe32710db8d259366e4bd31c47892f73d9c0f9a1b7a09b947d687b12d51dd99f3f266d22d97d5d4ad7dc5b80a9f0c07

C:\Users\Admin\Desktop\BackupMount.mp3

MD5 8e0d9150c8e6b6f303a9b57f7f2c5be1
SHA1 0f8808e97245b9d1d3a994417e881fff62b6e34c
SHA256 ccbbf3ed49f73e72606cfbe9b5ee87ca67597569426c0083978ccaa23ff0d0e2
SHA512 bbb1cd17eb93dec90d5285af1bae5af809488fbfb2226b9a1a147789172467a4953f99ed7f693088bbe91174feeebe949e8ba37166f5847c0dfa6975d4eb6e8d

C:\Users\Admin\Desktop\CheckpointSuspend.ocx

MD5 51c6675db50c10fa6f176e030b12a221
SHA1 32c84f2f08a8689d45077cf462c02b8614c0efe2
SHA256 3bc53a98b1653088bde036e6a0df5edf9f09b658b31b908825ff17e5621a2b5e
SHA512 10cab83cf68ead79f500cba67ff46adb9d4c0c7d525dc1a723a6b630e663e3da26757b58746189430d41e6748edcd97eb86f5ed71cac3dc428c195a8baece4dd

C:\Users\Admin\Desktop\EnterSubmit.ram

MD5 c79476f4aaa2cff24849e0b3cda54260
SHA1 15a64944d843dd333a7551977217ac51c1fc493d
SHA256 c74991feb19d9943172c69bbf1f9acf6b238e981dc7912d76ff68fc013ae1a50
SHA512 4083560f2024d00e3b5d1c83e2cfb915cfe704379efa1a4849910e8ecc1d4aa2e3173af573ed60ddb8a6519980475b2ace86d5cce6d87074bb1dbe2d167a84ab

C:\Users\Admin\Desktop\FormatRead.ps1

MD5 f175b80bc2a45f1a52c9949e81aa1cd8
SHA1 f5ea59820baca1c7381a7e31b095a988477f2395
SHA256 235ae7d497312c29668e1d7d6cf9c3f31f35d2ed13487b7dae7501929bc03990
SHA512 fc06c92c780ddb734cc78829ebca2a4b56a23d2943ad71983bfc598041b9289e0bc39ba87db60ef86469e159a9292f1e0ee5dd27d3cfb1e4bec23beff52dd68f

C:\Users\Admin\Desktop\PingDebug.exe

MD5 3d822f962754f3dbdecd7cb07ee71a8c
SHA1 dd05034745f275a7e60113e2048b3a6a689a3d76
SHA256 8e61d971f2bc646e1561999e6a5360e6adcdd47867fb38671bd2b4f13bb0d3b1
SHA512 c0a64f98e0e5fc618fa43b349d9b083a7af5bcdc0bc67e459dc490afeaddf324b15a2e146f82a5c6288a5c4edf726293c2a7acc62149746132aad48e78e1e1ca

C:\Users\Admin\Desktop\SkipExpand.htm

MD5 b15c65724d5da6c79c7bde725c2a512b
SHA1 0da3da6f99bca5eaf3a343ce5ac8b4470d3b051b
SHA256 3cc2b6df907b3fa1bdd7f17ec83a789aad1b3c9c3646255e8e17ea7aa6f1d9a9
SHA512 9fe0be9ddc7997ec4899afa1516f35c216c106d715bde130d5944519fd6a06b0d5904062c747e02dc65e70f880dce7e441b550370d23b1929d26d074fe4e5dbe

C:\Users\Admin\Desktop\ProtectMove.mid

MD5 5a34c87d1e478b9bf2774ab685394a4f
SHA1 ab4af542392b7f148f26a29fd0906cd79d25c92b
SHA256 801703c5c2f3a4a04eaf96256393568fe4c7d7d24033705414df5641bf436204
SHA512 85a19fea58eb00868360c2e9ba6567cddf9cfd9fdee59d5ab51853e5c07f6dcbc33564c5e791aadc8de5f0112166c4ad38f2a90ba3ef2b8705a2308cc43eb79c

C:\Users\Admin\Desktop\StepRepair.bat

MD5 9e85751b1d818ac27f6c98bda3db1f54
SHA1 c76f1aa2a1106fe5f7a4e3cd124c39157476f366
SHA256 f2b7109f8e5c0d4bdc20b2837e2d35addeb05b07164bf0cff02a5d4efc28e267
SHA512 3fd79c6e3e0c69182afe6dfdbf773000ece56b200d6ef0b884db11a0fc96dcd07d67f1ec534f3d08735ae9e6f98e6e02ee421f49adf1d8f2bb784a15c4851e1f

C:\Users\Admin\Downloads\EnableReset.DVR-MS

MD5 f5a7c26d6591ddefcd3a3ac43aace5f8
SHA1 6820c5ffba2e099e121db74ed50cacf066e1de12
SHA256 311602384fb3551a7e6953945a55a170c57cde5b9f408294a52f0d8fdc57dfd4
SHA512 a319fd80c5730f2d7d6d80a36618511b72bf61beb217f40033b0f6f0bdfc7dc38437da65a0dc25aa8103041bad38ea60c898b031d599c5b16f11b53ff7df5624

C:\Users\Admin\Downloads\ResizeBlock.pps

MD5 ed809d24837e169fed7890ad7fb58da6
SHA1 9af530865fc222abee596ca92188bfacdeca88ae
SHA256 e1d88c16d53b128be5b13b6cf86a9c8724a63751cfa564bd4b1840f38f37e2fe
SHA512 cf650d68eb8328a84c59afd460cf7aae4f1d8761f3b60d14a488568be4a860c2ddc483ccb154450806d33ba01211f3dfdc5c52a8cde8a5c083575579f881cb9a

C:\Users\Admin\Downloads\ResolveComplete.xps

MD5 e47b1be55c76cfe85231a614326f3353
SHA1 cd6ab58accb1ce6c0edacad930a507626411eafe
SHA256 8e9ecb425ff2c485bc444cc0b1c24352dd7c8f02cfd289657ea93e3b371a6b83
SHA512 c9463e11c85e1ec574f363c6caeb3336a892f0541961932f5a26579cc9db4138f7c5cd12dad9f76393291ccff1b40694a5055e25005727394aa9fe233176dfbf

C:\Users\Admin\Downloads\InstallNew.bmp

MD5 d9e43e7cb89db5221d75f7d20773b4c9
SHA1 969442c998ad6048960db596555e999c31107b20
SHA256 682f4e21b1181c8240ccf99305e20b14a5bafc4a1084268c1c2c8923c164bdd0
SHA512 a38dbcc57c47f1458dacbfed83993374df59b09bfb703ee413110b47139662216124251e39705b56c52b8f0d87cbd8aae42be12be86fba79181973da1f821709

C:\Users\Admin\Downloads\DisableBlock.wpl

MD5 9e78e2f3ade39591d987a1c4b1b7db66
SHA1 58bb4d2ca7d67243e42c5dab7462300cc54b8226
SHA256 97e3297e2a0971ea5014034ebf3c9e8bb5a01c6a7cb0e9f3889972619983bdc7
SHA512 f3813903440cd2f84eb42b7825601dd026d0a57a0f2f7583f0749b4e8df145792100082e5cd35d6ad0c8e6dfb32c13de1b74930b1605356b3587e771dbe8760e

C:\Users\Admin\Downloads\ApproveRequest.eprtx

MD5 f570e65da830c2a39a42b83f50c2fe78
SHA1 4f183e1a0071d8f0b45c44b0f678b88e8b1d2932
SHA256 6db6362d8a3e3def0ffaf8563fe18393aedeea5637e1ace229c2ee36a8384f66
SHA512 f816a2bcee4de73b0b56449be4b2125198e3a7c0e91f2eadc4d2d8cb9052ecec39d11f610b4ec1c852fe26779fb28af147fc04f9c1da265120a5128bd7297d7f

C:\Users\Admin\Downloads\UnlockSwitch.3g2

MD5 6d64ae52352ffdca9813c912733e689f
SHA1 f776a07c518a6537eed69e230bdac6ed944d6387
SHA256 d0bdf140306d8e82466b7420684f1219c26973908ca6589d88f79613f38cec17
SHA512 561b6fd74d4cd07561b2f43204e9144301ce0da5734a40242ef9535c1b38c1930b39e3180b71cd292a2837bf66912fc7832b93c07de925575834467432c05c87

C:\Users\Admin\Downloads\RegisterUse.html

MD5 1ede017cd38c74d4a3b5944f38f89374
SHA1 d8fcb24d29ac165cf631a91d348a9d7d42576d62
SHA256 44b858f0192ebe73fefa0423dd5471330e1a1dd92e521ff8fbd9eab3a992fcfe
SHA512 4cd1a6f420e4b0ec35af85b6bd6eb37b16a3ca145367b89271fe1c2e9fa534c91c29e6b1cc01c4a0d27a7f51196dacf3f2e80d359e42ecda9743af7af44fbcd6

C:\Users\Admin\Downloads\UnlockDeny.csv

MD5 62a242a2e8c59d8648053151cf0fed97
SHA1 675fc68a826fc595d304f2c918ee34a933d97c41
SHA256 b851c2577439b6fb87f828e089b97d40e5b058973c44319c8f3eca8261a6b0ef
SHA512 0580aa5a778683f49c382e89063c8a5e09fbd4bd6ea0f83eb54f4799b6bdf72a9c5f5a58993ce6d9c36530d4aed5d7a21c53d23ac8456d0716254bc0aa765a9e

C:\Users\Admin\Downloads\ReceiveSwitch.i64

MD5 dde84a38b900f4159ebcd2313bab679f
SHA1 7973ca5c34301387f312c53cfbf5b51dab0fdc4b
SHA256 5216a9c2a8be279574a62dbb117c2584162bec6494514349706114e144d598a8
SHA512 9da4c18f7cd3dd59bd5a50dddc6caf3d2651eed7c6ec86ebe5addd54680c9b8d13199607519d8ac6b1a0927759c2b8758599c2a13547d45e80d67dc7df334691

C:\Users\Admin\Downloads\WriteConvert.xlsx

MD5 065c1294145f6a30b56f61c1f20b8bd3
SHA1 d85b27c8447b9a2d43ccf6534ae4b50e91cd5310
SHA256 1480e8a9dc901c9c55a4583306d0815821412d91df02abbd3cd73451ca6c1152
SHA512 08a598eef3403092fb995ac2566e8938a2139528b47c418764a29901230097628d0cf9de95ec1da2a16bb26a81dd5a7ffe6b1cc31dbb1e58d593394a663d6862

C:\Users\Admin\Downloads\OpenLock.midi

MD5 68b5a3eff25d16a2c811bee1d028f830
SHA1 4e4e7d28ac397bfc832e0bf5cc92e70adda7915f
SHA256 7db6c6e90d51c9b3ceba2fea6fb4b459671775a3e7a6289129c94c2e91264689
SHA512 b944b8163dd63bb62a02cf50ad64432419852789fa80d5c7489308a1c6aabcafe3d1af917204ddcec0bedc77e9c6bb9d8b0a0c0c25da011c71eba4e809ca295d

C:\Users\Admin\Downloads\StopComplete.mhtml

MD5 82815930d5178f534970ce6a87c012bc
SHA1 a00da503a7caec2a2d08b58dae3678676f218b49
SHA256 e756bf730c5df75f8ae1b94af142766d5a87183447ed6d517bf31a1922390316
SHA512 20cd20360f384b6a91688a6c4bbbdb573fc19f8911d52bdd7d3ab26027e7f6b245e26eb8f9d77ef306f082693b76986a6117ec660715bc763c2c012c2cd0a983

C:\Users\Admin\Downloads\ConvertPing.vst

MD5 26571e0ad2b96e631e5b0ce7b7ba1053
SHA1 dbaaa1ce40ef23671cbc1c9e5f5ea3ea9fa4237d
SHA256 e066900539b18916777e5197cfd0c1c24f3f5924d8ae8c981453ea426cf6c9c1
SHA512 bd33d95e6e909ade013c46594e65e292450af076119152cb471c94823f5ee936ed46027b4afcabf928596b2cb7f7ad3f30b1622cfdb0be9cc3e36c6d2e5cc918

C:\Users\Admin\Downloads\UnblockConvert.wvx

MD5 f0879bb4a074dbdaec9b70f1f2b049e8
SHA1 a265252dfe9a26035e3aabb998c6e591b6627aab
SHA256 73891a4fa09825cf74df1470f2903b1ef810e0a33994d1664e73c8f49050cc0a
SHA512 208f588585a114dbb2187c4e1662afaa12840404ac66be33c6d07b39dbc919093ef4f00a8043dbd537fb8d341c1007a869274bd56c4bd446549260baf7a62f7d

C:\Users\Admin\Downloads\AssertDebug.ocx

MD5 f4eb4925b124673363cf6722b7f22c39
SHA1 13dcc032093ec392e7f6aa8837cbe5b5a5e2f2e6
SHA256 259740883f358b26f402bec978c2e0ef2c72c8f002d3665c4f043f31d1e01321
SHA512 eda828825ce9d43801bd5a2d002785709d76ef0f7998294dcb8251f017e722b641ded55e6f606f3702d58634d421b1dfebd4593e4b79197b53430a9496a15a75

C:\Users\Admin\Downloads\UnlockUse.mp4v

C:\Users\Admin\Downloads\UnregisterRevoke.m4a

C:\Users\Admin\Downloads\FindConvert.xltm

C:\Users\Admin\Downloads\ConvertToFind.ttf

C:\Users\Admin\Downloads\SelectUse.edrwx

C:\Users\Admin\Downloads\ProtectDebug.ppsx

C:\Users\Admin\Downloads\GetCopy.cfg

C:\Users\Admin\Downloads\ExportJoin.mp4

C:\Users\Admin\Downloads\ReceiveRestart.easmx

C:\Users\Admin\Downloads\ConvertToMeasure.WTV

C:\Users\Admin\Downloads\AssertUnlock.ini

C:\Users\Admin\Downloads\SubmitReceive.rm

C:\Users\Admin\Downloads\CompareTrace.potx

C:\Users\Admin\Downloads\UpdateRegister.ogg

C:\Users\Admin\Downloads\MergeCompare.vdw
