gurcu | 9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

Analysis

max time kernel
441s
max time network
431s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2023, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

calc.exe
Size

44KB
MD5

2f82623f9523c0d167862cad0eff6806
SHA1

5d77804b87735e66d7d1e263c31c4ef010f16153
SHA256

9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb
SHA512

7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330
SSDEEP

384:OtF1XO9GxgL7ol+WSvYWCiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiiiriM:QOOgL7E4r

Score

10^/10

gurcu redline smokeloader pub2 rocket backdoor discovery infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

Rocket

116.203.35.84:1417

Attributes

auth_value
206bd0635ccb8950f15fa014dc1e3c9b

Extracted

Family

gurcu

https://api.telegram.org/bot6169554051:AAEZlwZXnAXKuZLdP2sQ_Y6XeagcNpaF4i8/sendMessage?chat_id=5547954789

https://api.telegram.org/bot6125631937:AAHzA1e2kkAXSFSX6lSoyDACqaM80kXHnEw/sendMessage?chat_id=6155788902

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Gurcu
Gurcu stealer is a malware written in C#.
stealer gurcu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/6000-5498-0x0000000004E70000-0x0000000004E80000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	buildjack.exe

Executes dropped EXE 22 IoCs

pid	Process
3988	buildcr.exe
460	rocketscamjesus.exe
5432	crypt.exe
4392	Client_zffz.exe
6500	Update_zffz.exe
6936	ColorMC.exe
7084	lab.exe
7024	buildjack.exe
7016	rrrr.exe
6852	lab.exe
7164	0002.exe
6572	ColorMC.exe
4008	0002.exe
6700	buildcr.exe
3872	Client_zffz.exe
6936	crypt.exe
6976	rrrr.exe
6600	Update_zffz.exe
6920	lab.exe
4576	rocketscamjesus.exe
6112	lab.exe
6000	ContinentGroufs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023773-4884.dat	upx
behavioral2/files/0x0006000000023750-4910.dat	upx
behavioral2/files/0x000600000002374d-4924.dat	upx
behavioral2/files/0x000600000002374d-4926.dat	upx
behavioral2/memory/4392-4916-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/files/0x0006000000023750-4912.dat	upx
behavioral2/memory/6500-4938-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/6500-5026-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4392-5057-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/3872-5285-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/6600-5286-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/6600-6161-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/3872-6256-0x0000000000400000-0x00000000004B0000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
424	ip-api.com

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/6500-4938-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral2/memory/6500-5026-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral2/memory/4392-5057-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/3872-5285-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/6600-5286-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral2/memory/6600-6161-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral2/memory/3872-6256-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 5248	3988	buildcr.exe	132
PID 7084 set thread context of 6852	7084	lab.exe	143
PID 6700 set thread context of 6932	6700	buildcr.exe	161
PID 6920 set thread context of 6112	6920	lab.exe	167

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6048	6000	WerFault.exe	168

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lab.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lab.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lab.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lab.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lab.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	java.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000060ac268a6d45d9017241bb37fb6ad9017241bb37fb6ad90114000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MalwareCrawler.jar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Desktop\filter.txt:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2312	NOTEPAD.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3964	PING.EXE
316	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6852	lab.exe
6852	lab.exe
460	rocketscamjesus.exe
460	rocketscamjesus.exe
460	rocketscamjesus.exe
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
544	firefox.exe
3184	Process not Found
5956	java.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
6852	lab.exe
6112	lab.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	544	firefox.exe
Token: SeDebugPrivilege	5248	vbc.exe
Token: SeDebugPrivilege	7024	buildjack.exe
Token: SeDebugPrivilege	460	rocketscamjesus.exe
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4388	OpenWith.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
544	firefox.exe
5784	java.exe
5956	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 2236 wrote to memory of 544	2236	firefox.exe	89
PID 544 wrote to memory of 4876	544	firefox.exe	93
PID 544 wrote to memory of 4876	544	firefox.exe	93
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 2828	544	firefox.exe	94
PID 544 wrote to memory of 3420	544	firefox.exe	95
PID 544 wrote to memory of 3420	544	firefox.exe	95
PID 544 wrote to memory of 3420	544	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
1⤵
- Modifies registry class
PID:4508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.0.460004465\1995896081" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1772 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bbcd74a-5c03-4e4c-94ce-1b5c80e7e53c} 544 "\\.\pipe\gecko-crash-server-pipe.544" 1892 21b0e57f858 gpu
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.1.877822181\1301018445" -parentBuildID 20221007134813 -prefsHandle 2280 -prefMapHandle 2276 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {281d1b2e-fa97-42de-b1ed-c038c6668931} 544 "\\.\pipe\gecko-crash-server-pipe.544" 2292 21b00570a58 socket
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.2.181463318\235905821" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a805c97-62a8-4cb6-98e6-b6c245a1f64f} 544 "\\.\pipe\gecko-crash-server-pipe.544" 3100 21b111d0e58 tab
    3⤵
    PID:3420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.3.628283414\825069653" -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 1180 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cabcf32-1a6b-4836-9a49-e08d5164669f} 544 "\\.\pipe\gecko-crash-server-pipe.544" 1464 21b00570458 tab
    3⤵
    PID:872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.4.67712557\1401949933" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a870c74-d8ff-4f54-ba1e-eed3e9274fbb} 544 "\\.\pipe\gecko-crash-server-pipe.544" 3764 21b121a6b58 tab
    3⤵
    PID:3792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.5.1834953384\227411193" -childID 4 -isForBrowser -prefsHandle 4948 -prefMapHandle 4684 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54887def-30ee-4f52-8e8a-851da0486d07} 544 "\\.\pipe\gecko-crash-server-pipe.544" 4960 21b13669158 tab
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.6.1268597817\1879375466" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac7e7e99-0881-4eaa-83ec-89b3185e58da} 544 "\\.\pipe\gecko-crash-server-pipe.544" 4988 21b13669758 tab
    3⤵
    PID:4416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.7.44704167\1364859293" -childID 6 -isForBrowser -prefsHandle 5104 -prefMapHandle 4960 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51da4510-7382-4738-863b-cf7184d3b48b} 544 "\\.\pipe\gecko-crash-server-pipe.544" 5208 21b1366b858 tab
    3⤵
    PID:664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.8.217931532\2096746144" -childID 7 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 29967 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d01c1dd9-e9b0-4aaa-adad-4852a352635a} 544 "\\.\pipe\gecko-crash-server-pipe.544" 5908 21b1860f858 tab
    3⤵
    PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="544.9.733884841\1987270433" -childID 8 -isForBrowser -prefsHandle 5372 -prefMapHandle 5468 -prefsLen 30191 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fac8d196-c748-4378-b827-2cb2b6ec2814} 544 "\\.\pipe\gecko-crash-server-pipe.544" 5560 21b0056c758 tab
    3⤵
    PID:2780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5044

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4132
- C:\ProgramData\Oracle\Java\javapath\java.exe
  java -jar MalwareCrawler.jar
  2⤵
  PID:4620
- C:\ProgramData\Oracle\Java\javapath\java.exe
  java -jar MalwareCrawler.jar crawl URLHaus
  2⤵
  PID:1836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3320
- C:\ProgramData\Oracle\Java\javapath\java.exe
  java -jar MalwareCrawler.jar download 300
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:772
- C:\ProgramData\Oracle\Java\javapath\java.exe
  java -jar MalwareCrawler.jar run 5
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5784
- - C:\Users\Admin\Desktop\download\buildcr.exe
    "C:\Users\Admin\Desktop\download\buildcr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5248
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:3628
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3964
- - C:\Users\Admin\Desktop\download\rocketscamjesus.exe
    "C:\Users\Admin\Desktop\download\rocketscamjesus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- - C:\Users\Admin\Desktop\download\crypt.exe
    "C:\Users\Admin\Desktop\download\crypt.exe"
    3⤵
    - Executes dropped EXE
    PID:5432
- - C:\Users\Admin\Desktop\download\Client_zffz.exe
    "C:\Users\Admin\Desktop\download\Client_zffz.exe"
    3⤵
    - Executes dropped EXE
    PID:4392
- - C:\Users\Admin\Desktop\download\Update_zffz.exe
    "C:\Users\Admin\Desktop\download\Update_zffz.exe"
    3⤵
    - Executes dropped EXE
    PID:6500
- - C:\Users\Admin\Desktop\download\ColorMC.exe
    "C:\Users\Admin\Desktop\download\ColorMC.exe"
    3⤵
    - Executes dropped EXE
    PID:6936
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\download\ColorMC.exe"
      4⤵
      PID:1688
- - C:\Users\Admin\Desktop\download\lab.exe
    "C:\Users\Admin\Desktop\download\lab.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:7084
  - - C:\Users\Admin\Desktop\download\lab.exe
      "C:\Users\Admin\Desktop\download\lab.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:6852
- - C:\Users\Admin\Desktop\download\buildjack.exe
    "C:\Users\Admin\Desktop\download\buildjack.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:7024
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\Desktop\download\buildjack.exe"
      4⤵
      PID:4492
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4340
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:316
- - C:\Users\Admin\Desktop\download\rrrr.exe
    "C:\Users\Admin\Desktop\download\rrrr.exe"
    3⤵
    - Executes dropped EXE
    PID:7016
- - C:\Users\Admin\Desktop\download\0002.exe
    "C:\Users\Admin\Desktop\download\0002.exe"
    3⤵
    - Executes dropped EXE
    PID:7164

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4860
- C:\ProgramData\Oracle\Java\javapath\java.exe
  java -jar MalwareCrawler.jar run 5
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5956
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\download\0002.exe-up.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2312
- - C:\Users\Admin\Desktop\download\ColorMC.exe
    "C:\Users\Admin\Desktop\download\ColorMC.exe"
    3⤵
    - Executes dropped EXE
    PID:6572
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\download\ColorMC.exe"
      4⤵
      PID:6444
- - C:\Users\Admin\Desktop\download\0002.exe
    "C:\Users\Admin\Desktop\download\0002.exe"
    3⤵
    - Executes dropped EXE
    PID:4008
- - C:\Users\Admin\Desktop\download\buildcr.exe
    "C:\Users\Admin\Desktop\download\buildcr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6700
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:6932
- - C:\Users\Admin\Desktop\download\Client_zffz.exe
    "C:\Users\Admin\Desktop\download\Client_zffz.exe"
    3⤵
    - Executes dropped EXE
    PID:3872
- - C:\Users\Admin\Desktop\download\crypt.exe
    "C:\Users\Admin\Desktop\download\crypt.exe"
    3⤵
    - Executes dropped EXE
    PID:6936
- - C:\Users\Admin\Desktop\download\rrrr.exe
    "C:\Users\Admin\Desktop\download\rrrr.exe"
    3⤵
    - Executes dropped EXE
    PID:6976
- - C:\Users\Admin\Desktop\download\Update_zffz.exe
    "C:\Users\Admin\Desktop\download\Update_zffz.exe"
    3⤵
    - Executes dropped EXE
    PID:6600
- - C:\Users\Admin\Desktop\download\lab.exe
    "C:\Users\Admin\Desktop\download\lab.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6920
  - - C:\Users\Admin\Desktop\download\lab.exe
      "C:\Users\Admin\Desktop\download\lab.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:6112
- - C:\Users\Admin\Desktop\download\rocketscamjesus.exe
    "C:\Users\Admin\Desktop\download\rocketscamjesus.exe"
    3⤵
    - Executes dropped EXE
    PID:4576
- - C:\Users\Admin\Desktop\download\ContinentGroufs.exe
    "C:\Users\Admin\Desktop\download\ContinentGroufs.exe"
    3⤵
    - Executes dropped EXE
    PID:6000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 2012
      4⤵
      Program crash
      PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6000 -ip 6000
1⤵
PID:5980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
4efae884fc29ae27994108afc16fd6d3

SHA1
43433ab7e626dbc0bb1d95121d3e44758bcd1f62

SHA256
1c42d2beb9da57230ad67854a6842fc0d4050f5d23887ba9a97d001b97be9b51

SHA512
202a13b80374c34f250b550fbaa7645a2f0b20de6ff86d2ca02de31b008247b151568c85ac7e5b0a9db85332d45f8043a55fe62fa9a504fdc8d95dcd27553a24

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
40da35235d649f2c43aced35b32b5962

SHA1
61f20f8622f902d3bbaf871846fd2ef8f9fd8b8d

SHA256
8fe4dc6e0744657ae77a6284fcd3d1a732db7639b7d0f60208c8542c9dda3e59

SHA512
d9dff5244cdec9c0b59d939942c7407670839b37f63f3890df5c02f8fa25170bdd029d5776295b2bf75a8467b45fd27ffaec58a83fe90ea0b711edfb2bdeb423

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
1ed1bbc2d4a71acece80ec2cf089f72b

SHA1
0ab7f7c3385024881dbcfcf5af780c5d8d6a12b5

SHA256
03beab24610c2e48c341c31b2d8b1eb4495411618087e356eff624032805d116

SHA512
548ee1087c7596704505682188a5e0e82f11e9a68a8fe42383f753ae39fea3b0868262558d4d42aca9453309f101a485326169f8957d155ca33db36e6794a0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
138KB

MD5
0a3d852c825a4133f897ad10199f364d

SHA1
de2788985dc929bf7bf64ae227ca2061fac5a3ca

SHA256
2a5e2c5a1e8ea559805bffe13d015be2182d4aece38b3ccb86fcf56e5270808d

SHA512
02d61c5cdc231ba93fb44df027a708a86830d2ea947ba79df3aa02ffa6c92f9bc2bb7801ce70d4c0b86d8217ef3c09a72f2c265e03b6c777729f7418ca04473c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\2977

Filesize
9KB

MD5
95c0b0e6179af03b3704276af9966cdf

SHA1
09702e2393bfeb10e4276ee0f6237438a7a94c94

SHA256
996c75569361c5f74fd63828c2e65f28bd282f8446396831cf7c088e882314d0

SHA512
a3c6ba5d2a6e0d50036c75c11eb3d3a7780a676556b5b7d89e3b67f9cfdbb4eb5f09bbb9bd395ae8828981825dd9df6ecc24b815772a7845c8f68cb2d98e6804

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\entries\A4BC0C99327D7691FF360F07D11373B5791EB30C

Filesize
14KB

MD5
003f3fe8d6d1e68c52c7a699c09f74f5

SHA1
464097426831a4ea95b7481ae3ae7e4d2c2d25c1

SHA256
813f338ae4fd58d80ac86521314d7cccdd57e9b69e381a402a240cbc7fabf6d2

SHA512
1ee36a625b7d634a8b683a7152ed17a963c0afb41a9063d55fd40c48eecf47d1f475a04753c27d3444e2d1372167245fac1d7967fe7705ce2e1ed9a913e27953

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
bbd1abe1a90b1ccc9d52ee42f61f0f6f

SHA1
3ad0b14d46b02afefc5b94ace053e17b45a27c66

SHA256
34e6e2ef852ac21225151cef9918568ba92a62a8cdb3dd17c5282e1160dfa62a

SHA512
f8fea18923307ae7e9285f2c46c4270ab7aca5ac9cb8b2d64d6823d9abe07ce00d8b775188087a163fd8bee315c6cb7ac7950f46893a76c4b5b78fd5844a911d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
40e574d11eaecc2724620fa356fbeda6

SHA1
4c3d3dac202159c6f06e768d22358749751c178f

SHA256
c95a577a98ff8fa0108e18bb5ed881a6c821c089a6e5aa612d516d4696b77fd0

SHA512
145652df9bff618a29bb2914eb68ac85ee2b40c5d03ccc93c6b96df1beb519befdfb709310d6fce4a5e7dc3b3de3cd4e01ab1b189e0708aa555bf4ed476d2102

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
43fe35ab38d5ff34ec00060ee149211d

SHA1
e72d5cfe9ecc9334e45335b107d0d35f6d3de8d0

SHA256
3bc66acc337c5535af99f2043e2ef42b5df9e9027df991583f7ed4bbbb917038

SHA512
1162a96f927e4ab25fb1e1dd84798d5cc0335599252593cc363bf06cd75532afe1c74d2bd5cac52b4a21e45aed5b48830ad9e963896f189f12ed08cd2f0dc396

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cookies.sqlite

Filesize
512KB

MD5
4aa2192faf633cdcfced4aaf741cfbf7

SHA1
afd3fbde5233c3c66cd9fec153eb3a7c448c69aa

SHA256
954aab47208abc46160d3b91452c3e6e17ddf1bee8d7ed03b2ffa71dfad90b2e

SHA512
b99f60c71d3a5c56d3d8f33444bb8a2b1ee97233b42269c53739f1488eae94c3a91ee0931883f767ce74762f098920e82be2b374d8e8832cd0ec99917783f47c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
611c00652f0e553299bf506ed7ee9b0a

SHA1
92b3552fb3ac60d8fb19f7cd9b1f291b2a0cb67d

SHA256
b9ad2a7c56acb7e9b7acbd1a4a8d978679082142c0aafae04b8e99bb70c09240

SHA512
167f34e3350e30b475a3574c886996feeba970c8c7516cca3f4b668294682232c0d7069af6cbabe6879743c1a126bad58ee7e4de1e8423748359a847d5a0b3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
10KB

MD5
e6339c912aaaeae4211ab1ae25beba67

SHA1
4eda4a6c469416774d00447b27af3b60c0e52a34

SHA256
998a6e5f47ce7c943ebc37d89459751aeb2178e6d252338b37042c7c026c1af8

SHA512
62c5bfa93398ca8e331c934b4a6658df8526fe079cee5a966ade06dee086143d596e38555dd95c4f006bc9cf24314c809b3c24f6f60c7bcc856283b877cebd6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
5f2c48d5b8d92d56a425dbf0529cf9dd

SHA1
8ddbffaac9166e4dec76e8f9c279aaeb8ba82864

SHA256
cdc91f06b3dc1fcfb72c7a61c5fbd0c9cedbc65878c7866814d5a759169bc27a

SHA512
5fb87cbba9a2a12b702149357792ef435b9861e24072cf7bfaea76f10b85f2a8ab580b857971d288b2e1e19b874498ec733a463444d512138c984af0d6289d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
8KB

MD5
2471f31aba6124f9bc626c34287594f5

SHA1
5bc1808ae7b84469371650ae1e968b2adef2040a

SHA256
78c05e6c12dcaa607d6b0b683d8ea5a6cfe7045ae71a80b7c15692de385f661a

SHA512
edd77a17db7354152f61c489aa1cf196439662c28054fcbe00e0fc8a439a069704407537ddfad5d06ff069b1a75c18d379c958a825d57d23dda9c595735f7ffe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
9KB

MD5
0b5bbb59184f1f3d2143ef238567cd17

SHA1
7738ff3645eec236a3e928fd0407f916ee7c49cf

SHA256
57b74c6a62d18f320d39a7926830f8977593259dee3fac141040dc448918ea0a

SHA512
e7c5b9f6cab4c313914eff7a1ca1b6568e37cc9f10fdf2092797b2f5e322f23b180539e9e1cb5b565a9f6dd8bb9056b737480ae8fe53d391b316c73745064257

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
10KB

MD5
27792ed924c714f42953de53ffb9561f

SHA1
3b2eaecc8251383743fbe30c06f891958eae76ac

SHA256
70b76dd43987aea09afb671b361cccaf8c6dedaba54e0e8a38c39cf0eb9e5592

SHA512
ad7007bee30b5c2ffdd723f8ccdd16908c890476c0643baa756da665d1b3d226547afd5ed3e14a2ff7e86114a19e543cef91c1cf0938671856304f27ab354da1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
10KB

MD5
59fc93c8f83b3cce15ef020dd4b5f65c

SHA1
502228790a775a179d8970a012a9b98eb6230cf2

SHA256
f3ff238e49611453b7a37e58a99cd23cb2f6820ed5b8b3e34383669f27eae6c1

SHA512
21ac89cb050726c2038023cf59094caa51a2fff36d12c4bbd9a4de3482e6458d9448b16145b527dc2f49f87fd27340cf709ccea14553eb43488f74b0a289ffbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
10KB

MD5
05cd4d661c8d5247ed10fb56e1bb30c3

SHA1
9d6ce876b790eb23f66a4fba33e370d042ae9624

SHA256
d40e48bde865578da25bb8397bfe1b3f0b191cf8f942982e6ce7d27fb0e69e5a

SHA512
f96f631ab6d5fa5f8e41f7864e289f92ffb436fd9f24ac6494ae2e44990be2230c27314d42d033321f735c76d8635ff235c21ab4233605f35adfe9d0978ad527

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
10KB

MD5
56a5ec986154e6ea73b04696320bf187

SHA1
809189ab705aac0646340e4b62b237eadf203d9e

SHA256
460cf2f949bcdc9a6890b9021c4365ff5deafefc0a22c443ff297b603716d0e6

SHA512
2e1c9b5fec310a299e47b1c6b5af8c85a3103a40b6fa9b9b771a3e1ecc7df24835c8a87312e994bbb0d75053f31d3db83c52063b52efb2f3b3f2f20a2e6b0b4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
10KB

MD5
419f07b5e9577b0b07d81c57bca2b41f

SHA1
5ac0d714a7fdf18cd21ea5a797d7714edd15359d

SHA256
bad066a841db1194de1e6b0724a97665352c5b90f56a1e0464bfe9de001488e5

SHA512
c13d1a21b3ae7095cd0bf71fa2cc5428fa729572e38747b0de3ede7ff83c199b479d86a0b3eff9b6f22634d3ae6c2338a9c2daddce122620109a46b5994718e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js

Filesize
6KB

MD5
9971fa8fa89a208685d3e30835832fb5

SHA1
5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

SHA256
13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

SHA512
02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8c54a0e98df4c756d4070c51535baa58

SHA1
d524c6fa6d543c650f2fa0c24cab75c451dde8f6

SHA256
4409ce489e704824e4087bebd75bab3429b3c5a0516baf0c262fa23cd2ab2a09

SHA512
1b86737947f2632bcb92cdfbbec5edd81761148d2311f39a9cb9a810cbd659e6116540583fcae373e3fa3f6bd5291c578671bd989aec50660408fb86f9653df1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
56412e1322778f26140f629d22479844

SHA1
4c143f72578d8ded3f23e0fc965ebf984d5b045f

SHA256
ed3c708e90a8be78f5ab63d8fbb87a3f646e8b2e26560685c902824a7a2a3e7f

SHA512
d4ae465ecaf6260a25fb6d865b135acc6784749242bd52bfb6c528d812557e18c4827d5fe3f425a1c17bca5774074beda5197e7efbbe2f350b2b1bac441a8d40

Download Submit
C:\Users\Admin\Desktop\download\103.exe

Filesize
303KB

MD5
ad0849f96d5a85520f93ff44921ec04b

SHA1
de96ec47a29b6757caeb8357eb66723a2dd18299

SHA256
ab8a7067c90a1110f16a50a91cd7c199469bf12ef47e2f073748f5bb4895bf40

SHA512
f15e61c17022f740bbb138141b505b61c262d989dbeaec73256a67ad141530bf6e14ed654d458c39f223dcd9c40566f14b45e8b337ace510ac86df60176286ba

Download Submit
C:\Users\Admin\Desktop\download\105.exe

Filesize
220KB

MD5
bedaf50bda3098976dfc3b8e36f51430

SHA1
209dcbfdd0350c23563640a9b62602f9546c324d

SHA256
a81b34c72244c517259238fdcc591225a822d1d6d71660638d8a9844e0879a8b

SHA512
019522be6d7591a5cf6fe780dc352edb50f164782d15b69d3657571b2b1cb94723199343b5425e13bce3c29b741308fd436a3a99cd0ab78d62de2c36746f27f4

Download Submit
C:\Users\Admin\Desktop\download\CHEAT-MENU-LINK-1.exe

Filesize
351KB

MD5
3c2bea8b0be8af109a930e71fb82e338

SHA1
7898c0f1cb3b6ad4a87f9368a450b2dd17296e68

SHA256
0bcf500c157b0fa51fd3afc3f846566bda2939c44916e2a28c8395a49dd54704

SHA512
dc75b2a057bc1facd9a48b917eb61c2ac90d5a2362cea1c87cf7f0af7d6f133aace94190264ce65d7bf9e10979a9cd59614d2f38d50609f15df51abb63a7cb02

Download Submit
C:\Users\Admin\Desktop\download\ChromeFIX_error.exe

Filesize
1.1MB

MD5
902df63c5b978c21e419abde9ac3b16f

SHA1
ab3428c9aafaf62fe18c1e206a9d122ea5cdf422

SHA256
18d146039b557c3e236b833b313c27aafdde505411a90980cac1470a3c5be453

SHA512
cfd11950d5e37a2365b358e8b4878c722a9be6e330eefb6d64368a2444e3ec50bf45c5cba6eee67e7321cb2f4b1e9059ce591547dff1ee044e3abbe34ccbff04

Download Submit
C:\Users\Admin\Desktop\download\Client_zffz.exe

Filesize
383KB

MD5
7c471a7950f65bf60494c86bea37d451

SHA1
214fe1c8f2acb7db03d148839975ed77e3f4aa70

SHA256
1dd0ca8cf0fd2954ebe6a619726467ba262c696f224d0a3520d569b964eabb98

SHA512
201685314c69b02b66393df61d79884b0d8f9bc4f8f44b19e8525ee5286fb25fb3e3169ed40cd7550bdfa6d97607f794044c7703d260fec293cd997af4b1427c

Download Submit
C:\Users\Admin\Desktop\download\Client_zffz.exe

Filesize
383KB

MD5
7c471a7950f65bf60494c86bea37d451

SHA1
214fe1c8f2acb7db03d148839975ed77e3f4aa70

SHA256
1dd0ca8cf0fd2954ebe6a619726467ba262c696f224d0a3520d569b964eabb98

SHA512
201685314c69b02b66393df61d79884b0d8f9bc4f8f44b19e8525ee5286fb25fb3e3169ed40cd7550bdfa6d97607f794044c7703d260fec293cd997af4b1427c

Download Submit
C:\Users\Admin\Desktop\download\ColorMC.exe

Filesize
304KB

MD5
e2e3eb8130a3f44fcfe8571d97067839

SHA1
911bdd71cc19800462e156eec6621ea2df002265

SHA256
2044a657c2061eb09c846c8e439c91e5fa5f7a92a095055741c75c7ad5b45c00

SHA512
c95c4673429d3f4417bb96be89ae4aac095e1460bc88b1defe558d61c39fb2b5c62da8429125476d383b21f9d137fb6cf7c6717f91532c86b89738c0e3f552a6

Download Submit
C:\Users\Admin\Desktop\download\ColorMC.exe

Filesize
304KB

MD5
e2e3eb8130a3f44fcfe8571d97067839

SHA1
911bdd71cc19800462e156eec6621ea2df002265

SHA256
2044a657c2061eb09c846c8e439c91e5fa5f7a92a095055741c75c7ad5b45c00

SHA512
c95c4673429d3f4417bb96be89ae4aac095e1460bc88b1defe558d61c39fb2b5c62da8429125476d383b21f9d137fb6cf7c6717f91532c86b89738c0e3f552a6

Download Submit
C:\Users\Admin\Desktop\download\DS.exe

Filesize
447KB

MD5
b43068d56a941a7b2e4a0528a866668f

SHA1
75a1dda604f269d6a428c122fc30925ba10a6def

SHA256
10871a812bf209c8986bc823bb067ac8f60952e86ee08fde4c9450aae92bf2a6

SHA512
92797869045926e750f3ec29b012bb1a496b93222bcbadaf20f7d8d28017445a2e3d8a4497d9dfcb312da4fd292442634033a44f7001b3226819fb082d8964db

Download Submit
C:\Users\Admin\Desktop\download\DefendUpdate.exe

Filesize
238KB

MD5
a4e2d134ecc58012026f7db04546c008

SHA1
06a6c9246fe75ae3b47566646eaca280bc523228

SHA256
a2c9d8919468130dd9ec24c4160a7a1da363a398ca59090a78ebf9e4fb3c50b6

SHA512
2bcbb9eeb162a6f5bdc3c4ff077fd1fb25f0b65826b5b0e5a135db0c15238c17fb78f5e48780ca9ca1cb96ca8dcef4234bbe57b811624d824daf4ec778828894

Download Submit
C:\Users\Admin\Desktop\download\Kgilth-LIME-2.exe

Filesize
349KB

MD5
052fd84270984e878a76da92ecbc6abd

SHA1
21916fc075f94dbe1ca56ca9b4c9d6abf6f3c5f3

SHA256
6db0fccfe25c6c87deb9774c7ade4d0d79c74d71a1350693018fd9b8bda94b1e

SHA512
65083a771cdfd23ee8df32b2f3db2045a3c9f79c0f4cbf72f9179349fcc3622d68a043a64f962f1e9ff311d0a8f8b5f25981440980dd1dc32d1b589bfc3731f4

Download Submit
C:\Users\Admin\Desktop\download\Kgilth-LIME-3.exe

Filesize
363KB

MD5
68c38c60cfcc05cf19027fc20472c2fa

SHA1
2a81afc895eb3cedc63dd94364b94c94706faa3c

SHA256
88d71a6bfe1e66441e66ba75ed6b292823a03d1c042b9113c694474ef5f0a6a9

SHA512
16667e8344f62fadbfdae82db24a842b7cc10f0607b1bb80b3f1e873c1a70126e58a094c3c6427b244c203b0319de6d210fa451f106635d638191be7624360de

Download Submit
C:\Users\Admin\Desktop\download\NINJA.exe

Filesize
762KB

MD5
4507f1c4e9599058bb3b4ca669ec08cf

SHA1
e89bde1610215aafdd2e3128c849321cdc46b430

SHA256
e4e8cb044067341d5e1360197bea96b32600270849a06817433931fb3a4e894e

SHA512
ffcee6389c621228b3db76a228569fe321184e4e7ab5df99893dd288974b52831f50c5cda4e74ac2c86d5b23d0eb955beb09ed0848638c817bfda14ac020c07d

Download Submit
C:\Users\Admin\Desktop\download\Rrobknnz-LIMETORRENTS.exe

Filesize
349KB

MD5
788844a6cfd4e866e84667209cd5415f

SHA1
921f7cc20fdb5081407d34c68fa29b5f37cdd620

SHA256
67f709a641a2bac1a258acf2e1c3aebd75b321eb23d55512fdd6def2a06fda80

SHA512
a7f9c52df78c9ee1a38c6dc1c1536b6b5eb20767f7d139907af3efa9379051593209d0c1aa89494f10c9ade83fb69be642b62a6dbc0b2b27fbdaff7f1430d6e2

Download Submit
C:\Users\Admin\Desktop\download\Ruzvelt.exe

Filesize
303KB

MD5
47036934455ce21f19d12d0d32fbfae9

SHA1
015136a3c6459dd272f2a7e8d18a0e9ca08a966b

SHA256
e0bb3df3ec1d18d738ce29b202ae6a2cf96797b38269cb4226e1a17b966f0555

SHA512
fee8d5a63ff982185e0cf0c2f37bbbe1d6ee0229f912a15121bd61272fd319e2d06276a55bfd24965fc48d2b5d1f4341d5d17286bbbeccd7ecaa4ad83357f414

Download Submit
C:\Users\Admin\Desktop\download\Update_zffz.exe

Filesize
292KB

MD5
1c119aaf490871a918c246d8921aca8d

SHA1
0fd253281645b7ce0e0fb28e6fdaf464dec4c889

SHA256
a5313639742adf80e58f5adc250b431694bc8889dc61536cf3b3bcd010cb23cf

SHA512
350ada2c17f5151b3bfceb1fe6fdc2ea2228083f5607825cfbcb38a480558c2aa82aaa33cc8557a3537388edeea85d2eb905168852f2209cd82a6644685a5b57

Download Submit
C:\Users\Admin\Desktop\download\Update_zffz.exe

Filesize
292KB

MD5
1c119aaf490871a918c246d8921aca8d

SHA1
0fd253281645b7ce0e0fb28e6fdaf464dec4c889

SHA256
a5313639742adf80e58f5adc250b431694bc8889dc61536cf3b3bcd010cb23cf

SHA512
350ada2c17f5151b3bfceb1fe6fdc2ea2228083f5607825cfbcb38a480558c2aa82aaa33cc8557a3537388edeea85d2eb905168852f2209cd82a6644685a5b57

Download Submit
C:\Users\Admin\Desktop\download\WW2.exe

Filesize
457KB

MD5
c2064a215f66f973bc9d6f3374a9a6da

SHA1
e449a5ca2bf974e0848202647aa4851c377fa84f

SHA256
d5fd440a0f64be6b458439c2b2239dffdaf83a284c82544167d98074eb741788

SHA512
9c2d73fb74a210aca3f0d2c3df1b961ab430b4abfea7f48072d589a827ca2dc4950afee5dd3c5ad20399e88cc8105fe52714f1b053adaaf09888d5b4dfd8e6e1

Download Submit
C:\Users\Admin\Desktop\download\Z2K-1.exe

Filesize
468KB

MD5
01b57358bea7e906484524da8eb25310

SHA1
933f4f5b962d58f12920bacb73a7f3c7730a4153

SHA256
b51b7908e463951b751651802b73e6312976d290160c77785f64935ebd722820

SHA512
7d2d135b8154a97ef5d2c88fe780a2c62f87e62008ee422d6d78bd0f5ce6f2f20e0905f3cba481da766cd157c0ca3f559394556bf3520e66e2d0925fc3c3fb39

Download Submit
C:\Users\Admin\Desktop\download\ahmedzx.exe

Filesize
437KB

MD5
d0bc1f2a7db56e5d4b48447327d8382d

SHA1
3f0af6a22cacb2729cb7127259224bdbe6d89f1e

SHA256
df7ff344f649a63e06975593098a1880cb3de5a155747e02f42dc2c015a108b7

SHA512
5dcad58db03cab782ed3957acfcae2f2f2d59f0b7e3a01eb570f32b28018c99074874988eef4fbecef11686e34289f11239683c510df6dd01f764183eba64ac9

Download Submit
C:\Users\Admin\Desktop\download\arnoldzx.exe

Filesize
666KB

MD5
3e394a42df2b4b209aefde5fe1c80548

SHA1
6720191b964869652597c7f2fd6f62455d9fae79

SHA256
a4f01a23be607b721895e39d1831416e138b4e6a757a706210b02e51452b4ffa

SHA512
99fc122a58c0afd5ffcf7232b0959c82b6820e80b4f26c394500ec130c906025780bb0374396b3b0e5effa6690394656f16279d7b9cbe55c01b08e94e1026086

Download Submit
C:\Users\Admin\Desktop\download\aurora.exe

Filesize
1.1MB

MD5
da27a5bf60ae6e358d575d26f876d074

SHA1
0b4109e10e1870c2e433e36449c56c2803c2a773

SHA256
84b05029af1db855d7ff8223d4bab9d06812f4951a3c7311ed958610149aa5e8

SHA512
bb039a45b83f98cca5af780e28e1675cb474ee16e57968693e206b11bae88dbc1204a56a244bdad09a958f30e68eac27ff3ea5b0161bdb8966aa5b0b49fe3752

Download Submit
C:\Users\Admin\Desktop\download\bdr.exe

Filesize
17KB

MD5
734e54d8feed1167a3c172da0380004b

SHA1
95a5fa2cb38345fbc740225f66da848af9c8d66a

SHA256
a9426ffa15501bf8f8e33917c5911079f057baebe6efcb7adc3843a1ecbeea3f

SHA512
8811af24728c6fe08ad55bb481bffdeed445c6246e8e3c5ca4840f8da69ec17053a61c83ed323e42ecbd2694104689c3228029e7f5f010a49e1d9546edf7c87a

Download Submit
C:\Users\Admin\Desktop\download\bkzx.exe

Filesize
717KB

MD5
33504cd01f18364f0aab00e1edbca0ef

SHA1
f30b954e51e9d01da8281fe92cd39e7a3169e6e0

SHA256
d5088a589a9df19278232a46e4657eb7be1a272ef4657a88a290310201c5247c

SHA512
662db613a1ef84d6298692750c00e115a87ed9f2abfad455ac06d0b8adb9bbc8c1a543ef63b2d90fb2ecf1906fa7fab19c51dc08c95696eec1db6742e9a379da

Download Submit
C:\Users\Admin\Desktop\download\buildcr.exe

Filesize
165KB

MD5
33a45fcbca9c96cf4d9f456d27d87820

SHA1
6a0d9eac1dffd5321c909adc2ac26ccc66470844

SHA256
b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598

SHA512
59749a6f4bf499ee81671a2c1d95aff551cdfd02ece7b4303b1083e3e2a02858931d4f8075dcef035167fd293272ac7b9fa54813609e9a0ed50b6ea27895cdf2

Download Submit
C:\Users\Admin\Desktop\download\buildcr.exe

Filesize
165KB

MD5
33a45fcbca9c96cf4d9f456d27d87820

SHA1
6a0d9eac1dffd5321c909adc2ac26ccc66470844

SHA256
b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598

SHA512
59749a6f4bf499ee81671a2c1d95aff551cdfd02ece7b4303b1083e3e2a02858931d4f8075dcef035167fd293272ac7b9fa54813609e9a0ed50b6ea27895cdf2

Download Submit
C:\Users\Admin\Desktop\download\cc (1).exe

Filesize
48KB

MD5
78398b1c603784bdce160f297ee2b831

SHA1
b5f13106b4bc19f4ad0ac32252357e382a273e2c

SHA256
6c2b79c2b249630a075dd09cdbf5671e5fee1c71209d458980edc6cf4fda6f6a

SHA512
9fed00ff0e143a84cb8d4a1d9a2ba807f5e69d569d7d1ca137a410b8df244ee064fb2b2c403ce52ca57015a965d7878042680b8e2b164d2e42504b85198ac401

Download Submit
C:\Users\Admin\Desktop\download\cc.exe

Filesize
256KB

MD5
48aace56e631113eeea6613038b794d4

SHA1
f21e9208328c3ec1d8bf09fe533793aaa5e107cf

SHA256
cf5b29f8c6ea470d3ef96ef684c7bf6ff26c7374421d6a751fd1effc44584df5

SHA512
f9539e4048f8568a065af4b5080477a2ce2e7fd65c7ccd6621ce27097dcea0915c5f00bed7016904c8226fc9d0d226140729a57ad4e14bfe61bfee28cdf58835

Download Submit
C:\Users\Admin\Desktop\download\cheziezx.exe

Filesize
727KB

MD5
e7050a9405bdeefe78833c6ff3380ae5

SHA1
ce965e9cc08a4a4d4400d16d0d4ffb74bf994a10

SHA256
28c5baaad17ee5d9c14f2262eb92fdcdcb113c7555c1b6cabab987e7d039f132

SHA512
a9ef6950346c246f5d930c6b6ec617b7ee8fec55d248253cf9b9e66ede19043794717442b46ae9d0a78a451f2f9d84b0f8362aa1dc869fa3cd5b0ffc1439b619

Download Submit
C:\Users\Admin\Desktop\download\chimezx.exe

Filesize
393KB

MD5
7cded4672d7352dd6dbee75e2bab54d1

SHA1
85bd2584c01eeb8443385caf04a4a94e88e6be62

SHA256
ff7a1eec98590a3a1a1d94bf03f87a92bd5975a151255722d6b70c5f15c0e587

SHA512
0573d01a08e30027ceb01409e05926cdad6ab232e2b63dbf113a85a824fb1ece5b953114e2a881fe0bc27d8bb2ab7c56780965de9be7dd5e9d96cab24076250c

Download Submit
C:\Users\Admin\Desktop\download\conhost.exe

Filesize
513KB

MD5
4a1bcaac1a0bed16ee5200851caea153

SHA1
a1366880626a64f0a05c90b95611ec48ed287e46

SHA256
ffb789f00206b6037c408298c7d4bd4b73ab74179d56da33d2cc1e3b1a04fcf6

SHA512
28a917f3188d947821cde7cfb66bda4492ea8d2a37df5df1ac71d9565b5c521b7b147146beeb1a00c2a68f0f9ec5423ef054e05ab67156704caae53610c54196

Download Submit
C:\Users\Admin\Desktop\download\cronoupdater.exe

Filesize
123KB

MD5
b8b25509a0f940e85f8cbf378f1353af

SHA1
4748e87627c218a123650cb28d04d563e43eff46

SHA256
80564d8584a907b4ffcf4def6dcb63c06a42c36aba54be9126674939ca7e692c

SHA512
fd622935cea6d4dd3fe3aafa222926b012592ee83cb86ab9bb0bcaf8b0fa85d9bc0e210b2dfdac63f8558b46213718ecb80a132a039070b2ae713d98a928a34e

Download Submit
C:\Users\Admin\Desktop\download\crypt.exe

Filesize
322KB

MD5
f3c824320c110de382eb960a4a934740

SHA1
a9d529f5f64acfd30c72a7f8fcd4b4db6f6354b0

SHA256
94608f0b0e41b0a1cf98c3678d488e4a60bd5cc9c382d43a6eb2d3875b25a440

SHA512
2e941a29e77b1260c3d96e3f3140bdbabfdcc54da77b718dc3e479a1183e3691e1d13683d993143ccad56f535a7c06eb608d91bbaf463ba9e08a9dd38fce7b3b

Download Submit
C:\Users\Admin\Desktop\download\crypt.exe

Filesize
322KB

MD5
f3c824320c110de382eb960a4a934740

SHA1
a9d529f5f64acfd30c72a7f8fcd4b4db6f6354b0

SHA256
94608f0b0e41b0a1cf98c3678d488e4a60bd5cc9c382d43a6eb2d3875b25a440

SHA512
2e941a29e77b1260c3d96e3f3140bdbabfdcc54da77b718dc3e479a1183e3691e1d13683d993143ccad56f535a7c06eb608d91bbaf463ba9e08a9dd38fce7b3b

Download Submit
C:\Users\Admin\Desktop\download\dialozx.exe

Filesize
365KB

MD5
132e4f98ed2150850b2e01e71f0b0e96

SHA1
00f2faf45b2afc5280751daa9608a3a86f878cb3

SHA256
a13c9d32291e3ec29b6f82a23831354a703d091d96a9de6d6711c7d324785875

SHA512
4b0837303e8ccbc41f20287601d54ee2079fe897a7e73e40ae24562812c0803e01420da4674760ec874c8b1b9faa7e7dd762ed6c69542dbde058180bb429d515

Download Submit
C:\Users\Admin\Desktop\download\divinezx.exe

Filesize
536KB

MD5
9b6cf0d35ab54949b5c8c90de851e7b0

SHA1
5b367200bc1dffefc981b42dba3f181543b43715

SHA256
520076a4f51a8f93504427ddc128e8db4f41866c8b745073142bfe32eddc186a

SHA512
3e72b5270349e7c63f26462693ea029dd436f68bd1ca8a55981c4914829cf093b258e0d57e35b4a56c191240480c268e6ec73edc01ede9a31afba57c78a2b2c0

Download Submit
C:\Users\Admin\Desktop\download\fotocr14.exe

Filesize
644KB

MD5
2e290e706a4e32fb2919577c76f6a268

SHA1
85a08beb183942a9f142c890f77161b602418b34

SHA256
d144d1389d1ee3a400164bba3df81d1a9d7f70cbb59a024a3d6d79f768c190c9

SHA512
9e5b7177805e1b1d56a92838cf6175b00ad0ed88ebc656d5f88e5a78e0aece0324c3342e1015b1a89de3331a6ec452a56a542f36d5ba7ce10662d22284c0800d

Download Submit
C:\Users\Admin\Desktop\download\fotocr17.exe

Filesize
761KB

MD5
9650b68e915cc99629168ef83979d811

SHA1
28e349a96a82cc807ae385cc0a9e94ff30db1e14

SHA256
da5a86b29fb263b183080eae0c33b93879e7971cc4d076a3a3ffd118d980127e

SHA512
a5b7905004fa1dcf275ebbe5a56f4fa0d75b11a07970e91f4d40485d4b66e515630c16b059409b176177d7896ff2318eb88d4f20c632bd1bcd16b5ff63b7474f

Download Submit
C:\Users\Admin\Desktop\download\gambozx.exe

Filesize
533KB

MD5
40a0e790be3b1373779ea07748c7f58f

SHA1
377031cc06b241936bf60f51e69a6f4105d9d4cf

SHA256
c5756613996ad61958854410a951ef3b50dfa7fde7e8c7d5505b915ce89e6428

SHA512
914ab438b6aea667434a563cd9a9dab56e1afaad5d804fb0e9d8767853919ec2fee1a24fbe680fd0bd81b93fca8a2dd3284e18700976a30f69f5fe5bee9f62e5

Download Submit
C:\Users\Admin\Desktop\download\leafgrey.exe

Filesize
658KB

MD5
c88e3f2129e30fc33b51506085091596

SHA1
a2a4ede7fd05ae535ca1f88042d553746fdc2f1c

SHA256
05642c93b33e436a4647ce4a87ed5b6a5326641c682f93a09b53571dbf537f43

SHA512
0b3548156948091d3b29a235378fb16cc6030a78d398330f423e789ee8e4e5f275fd68f51fa7219efe8f58423645aebc294df0fa0484c6a9e0ef8024e583dd32

Download Submit
C:\Users\Admin\Desktop\download\lega.exe

Filesize
793KB

MD5
16fd6af1b85ade682eb89cbe065d85e8

SHA1
771cef9870d50dd08f10ec8c86626ed73eed135c

SHA256
03d8d87762e492140ae873d1fe3b8898ca32255ec87b67a40a9b9275cff3c1af

SHA512
987c3794df130ec7dada1a5080fbc113fd0902565d86ceb6121b90dcdfb524287e3269f0f2c7610420a38e9a74f37868f9c3623c5b49a148f81a0ad95de1683a

Download Submit
C:\Users\Admin\Desktop\download\lunazx.exe

Filesize
392KB

MD5
483496f675288530591b32f1d97f2b3f

SHA1
1b6547f1e0ce1f81a087fb0388d12d705234b4fb

SHA256
9dc0264c408dfc2ec2e60e6d3218d4eb99454947410b14f8095132721ff5af7d

SHA512
8fc588b9d64f98196ec559f8c0953604c7af6633f125811569f42321f8bd6747f760cdd372891a721f20fc331055ee857810817fb3ba0cb439aca2f2bafbb926

Download Submit
C:\Users\Admin\Desktop\download\mcb.exe

Filesize
942KB

MD5
7f259ed5cfbd7a4c409ca9ef8d976bd7

SHA1
16302911b24bf3087355f0478f4ca6b71576e693

SHA256
4f6d41d722714b8e491f3e8198925ed9e8063b51d8aba4580295c8a21913ff45

SHA512
9a85672dea80df8b44fa95bf0783683c2ad2378a3b06ce226a6441d5261bf688391bc434b1f537f867009488f88fc87fb79cff383d9b8d3c3fe80c2d5355ca10

Download Submit
C:\Users\Admin\Desktop\download\newpinf.exe

Filesize
16KB

MD5
fb2503a3e415a522ff4c5d4b126fe4f0

SHA1
43c4fb12e1775870d3f769d0410f88c3c2e87c6f

SHA256
928dbff1f8e5b83c30e79809c97c1026e3eaaaba3a19e418d430dfdb6b86f85e

SHA512
8acf85b28303a32b6ba533f46d9634c1a97c4d416533302326116c974ce7e053520ada7cf8b25af3e1e1e36fd4174f281ead89102025e90f44824d17d1847482

Download Submit
C:\Users\Admin\Desktop\download\npp.exe

Filesize
5KB

MD5
131e328b33f66c9270b73fc5f4cc52b0

SHA1
4e9e2fd890cc2a568832726386888804b41d0d7b

SHA256
3dd64e1a071e373486f2fc9ce1148e3f9808491b53c6f7d11f6c9e5698bc0ac4

SHA512
761846c7ec1bf4eed9f40370e072203df8010b20ebe94449c776e36f4fa34ebcfef05841e6520c4c3ecd362af7fbef6c612e859ac343ee190a87945442987931

Download Submit
C:\Users\Admin\Desktop\download\ohoyeczx.exe

Filesize
715KB

MD5
736fe73a3418c2487fdce38d75fcde12

SHA1
d2a416771be94ae0e188aa08cbde3a67a80fac72

SHA256
844c78062a5c4c7a5f84306ece747d53701581fcb51031f3fed7e6780fd6af52

SHA512
b0d8f66c5a706a38ab50046b3c5e1f56a5d69819867eaf6fa2c2d386e1057d6d6272c7a92c5a9875423e38eb8d3094b6bee04e32f6fef58d2a431ceee0bb1670

Download Submit
C:\Users\Admin\Desktop\download\ok8.exe

Filesize
1.0MB

MD5
d88bb1822c828b791427d55382f695c3

SHA1
c369edb1b391dc67a8576f797e60d2f5b7619377

SHA256
525c53df9fc9ffc25ef31b70f69c290f1ff6e5c4eab5e83e12da327a4f405920

SHA512
bb36237146afbfae37339ffba779220258c31299963d61b2a28a460ee8e4b168ccbe232a66780d16cad7c73566960c59f11308236af73f656abfb716109212ab

Download Submit
C:\Users\Admin\Desktop\download\pei.exe

Filesize
5KB

MD5
131e328b33f66c9270b73fc5f4cc52b0

SHA1
4e9e2fd890cc2a568832726386888804b41d0d7b

SHA256
3dd64e1a071e373486f2fc9ce1148e3f9808491b53c6f7d11f6c9e5698bc0ac4

SHA512
761846c7ec1bf4eed9f40370e072203df8010b20ebe94449c776e36f4fa34ebcfef05841e6520c4c3ecd362af7fbef6c612e859ac343ee190a87945442987931

Download Submit
C:\Users\Admin\Desktop\download\persis.exe

Filesize
569KB

MD5
07479c5a049c4006a4a3c822b113d0f5

SHA1
c5d5ff95d485f13cc513c4ffb0aeaf9710547a67

SHA256
21b710ae9fcbfe11b05d19b81c9cfb0a2c212370496cfd92f94c0cbaca39acf5

SHA512
a2ea24707c8dff2fc77dbcce5af5c650c0050aec1012e176b5d88eacfce85ee8eb6b4e72fbeebfa0c22827819f953e6b92709613897bd5ca2c63533bc5703a7b

Download Submit
C:\Users\Admin\Desktop\download\photo_112.exe

Filesize
465KB

MD5
c84b2929005ffe8b292386ba53567f61

SHA1
3f0e853285ecd1a3a5e2fb21c7f6721db2ec88d4

SHA256
f227baeb10ac013c40983c4665532544c0aa2aba8efa94d3d8f007fe1ed9a8d0

SHA512
c51c2b43905e7be83c319a6ad0ce49e6c928983d2c507da1738fe91c1fdf1a815c806fab14546b1e7bef1e63af1af012635144e4ee5c899a484d8375226d14e9

Download Submit
C:\Users\Admin\Desktop\download\rocketscamjesus.exe

Filesize
175KB

MD5
065b5810275d9f18cb2724096f96a160

SHA1
374bd13124b8487dfd6985db26bd50d1e3bc2591

SHA256
662fef862b3afda158dc5c9efa394647ba43eed3f28b6ab7195480feda097553

SHA512
9c125b3ce6c857466564c22a6c8500c6ee20362c975794930aa30dc2e4103a8359ae8ba82c33da021eeba31efe737451ba7b21b40d0f40089c9e8237b719212b

Download Submit
C:\Users\Admin\Desktop\download\rocketscamjesus.exe

Filesize
175KB

MD5
065b5810275d9f18cb2724096f96a160

SHA1
374bd13124b8487dfd6985db26bd50d1e3bc2591

SHA256
662fef862b3afda158dc5c9efa394647ba43eed3f28b6ab7195480feda097553

SHA512
9c125b3ce6c857466564c22a6c8500c6ee20362c975794930aa30dc2e4103a8359ae8ba82c33da021eeba31efe737451ba7b21b40d0f40089c9e8237b719212b

Download Submit
C:\Users\Admin\Desktop\download\sBJ42BUkUv.exe

Filesize
655KB

MD5
6afd57467bea36082070122a0085febd

SHA1
7c7e634b0ba817100b33fdcd6e6e9de16acf2709

SHA256
f52654d3809238bfb6e0b0bf9754f106e5e8c9ee7ec5ef95c23baabcaaf331d0

SHA512
e779bfcc690fe2e27a3b11c0ec3e13ce44100da0cac3e51ce695bf5946147665bdd739c254a0368525fd3369455cf9d4db0c980ab702bb627d367bf80cae63e9

Download Submit
C:\Users\Admin\Desktop\download\secagodzx.exe

Filesize
807KB

MD5
b6952ad1fc0e75e7ec8130b2bda69b47

SHA1
b6dc3ad19f0f75aa95b76f7b40912459a27c0a45

SHA256
cffa09b0687b2c41c443dd5011d831ad7d24b423d38c297fba71a18eebc143db

SHA512
8e5eb96662706e943cc9881fd62236d87a7520dd91e4e67f2ea5533804f548cb464d336087006f730e36100b0289cf6b62da52e6a395ae383b4e0edd0e7ccc6f

Download Submit
C:\Users\Admin\Desktop\download\sesilezx.exe

Filesize
928KB

MD5
d7461ada75b5744df606e5e21c8001bd

SHA1
e769ecd86a48770af28ff47b244a1b3d469617ba

SHA256
36488d40138bcfe073387dedc6068a8ee95f180cbe57e877d536bb24c15e3173

SHA512
7c1e1b952c1fe60320bc16969e47ba93c72ca747c465efdf8731386b256a9c8ac309c0463ac2c577fc249f6a09906c19f1c9a185af8158614c107149277b312a

Download Submit
C:\Users\Admin\Desktop\download\svchost.exe

Filesize
79KB

MD5
c19b4223ae09efeed6507716f67eca1d

SHA1
24608bbcb020678600e5ee374958dedfb04382d5

SHA256
2ec1567577e1e1184e8fb3df8d1bad49a723893fc38bbeb81cca535c62d836bc

SHA512
a6957031fd049ccbc7afd726dfdf5eaf87049aa372712a833ea932b2055902631634bec4242442d7d87d8461ba1a77cff4b4cb5a51c46c0206345c7b8c365aa8

Download Submit
C:\Users\Admin\Desktop\download\toolspub2.exe

Filesize
33KB

MD5
0b8f1168d3a5b9882a0d96523c00978a

SHA1
a66f274faf7519431806fcec68a00a0938d8ba78

SHA256
d9a7d17f0bff2f8961d7b7e22bf5a581a5d93599eea050b20225566f519a6f3d

SHA512
fb8335dab26726f9a51bd27cdcf248f42c8644c965bb10074706a8819bb33d8adc909d6593d068da489a357a6807be078d7f8b8471b9888c0dfb420d00448a09

Download Submit
C:\Users\Admin\Desktop\download\vbc.exe

Filesize
757KB

MD5
c677ae64c6d9e07188fa019b693028c0

SHA1
31f270ea7f8257a7021693341d192711508a45ad

SHA256
e74ccdd23cd0f3eebbbf54fee51464cfdb4bf1f27b1439c664805afa951538b0

SHA512
e9ac6f2983291000990fb53c38150f216893ba46fefd9220f82b270d29d3344084042f3542ce70d3c29921bb2eb21325ea4c6c4ede0d7c91c2085d7562c5593d

Download Submit
C:\Users\Admin\Desktop\filter.txt

Filesize
31KB

MD5
c9b74a1eecd7e7ae224300cbe59164ff

SHA1
a2d586d5537439e0c4b7d8f53548556616463c5e

SHA256
88a73785fb4e251963cc15b148337d7819be3645d417401950bc53f26282daba

SHA512
a991b2940a63a2470834b9914a0d6533ba9ea2017423ac5a889a3cece3c47977019140d353c92cb12be4a614da84a38e102f373ab11f489aae4926dfcf224927

Download Submit
C:\Users\Admin\Downloads\UEF6YBkE.jar.part

Filesize
14KB

MD5
41c45957cdcdb4a6b3531dfb0df523ab

SHA1
d5628fdd130fb4dbd6c2d2834d0c8a22a0743c4b

SHA256
fbba0eb61a7d2f7ea993a90b96f35894cd3c40f517cb6ed5f2d3d37c7f1cb423

SHA512
13d20e971c55e52b0e19e092a45278810c9fafa3fdb34fae7727a076efeb20464346680717aa8791d5a7ffc9454e153593dcfeb7105f61f1382d2abab1132881

Download Submit
memory/460-5073-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/460-4915-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/460-5061-0x0000000008E90000-0x0000000009052000-memory.dmp

Filesize
1.8MB

Download
memory/460-4927-0x0000000005890000-0x00000000058CC000-memory.dmp

Filesize
240KB

Download
memory/460-4925-0x0000000005830000-0x0000000005842000-memory.dmp

Filesize
72KB

Download
memory/460-4900-0x00000000007A0000-0x00000000007D2000-memory.dmp

Filesize
200KB

Download
memory/460-4923-0x00000000077B0000-0x00000000078BA000-memory.dmp

Filesize
1.0MB

Download
memory/460-5062-0x0000000009590000-0x0000000009ABC000-memory.dmp

Filesize
5.2MB

Download
memory/460-4919-0x0000000005E10000-0x0000000006428000-memory.dmp

Filesize
6.1MB

Download
memory/460-5054-0x0000000007CE0000-0x0000000007D56000-memory.dmp

Filesize
472KB

Download
memory/1836-3366-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1836-3348-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1836-3311-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1836-3341-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3184-5063-0x000000000C280000-0x000000000C296000-memory.dmp

Filesize
88KB

Download
memory/3872-5285-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3872-6256-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3988-4914-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/3988-4901-0x0000000000FB0000-0x0000000000FDE000-memory.dmp

Filesize
184KB

Download
memory/4008-5275-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/4392-5057-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4392-4916-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4576-5303-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/4620-3224-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4620-3223-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4972-4283-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4429-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4266-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4434-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4261-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4259-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-3908-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4373-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4272-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4273-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4368-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4275-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4327-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4372-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4276-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4319-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4307-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4364-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4306-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4274-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4293-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4299-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-4300-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/5248-4944-0x0000000005B70000-0x0000000005BC0000-memory.dmp

Filesize
320KB

Download
memory/5248-4958-0x00000000062B0000-0x0000000006854000-memory.dmp

Filesize
5.6MB

Download
memory/5248-4911-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5248-4928-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/5248-4937-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/5248-4955-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/5784-4858-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/5784-4889-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/5956-5242-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/6000-5488-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/6000-6372-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/6000-6348-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/6000-6350-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/6000-6349-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/6000-5498-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/6000-5491-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/6000-5486-0x00000000046E0000-0x000000000472B000-memory.dmp

Filesize
300KB

Download
memory/6112-5302-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6112-6272-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6500-4938-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/6500-5026-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/6572-5258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6600-6161-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/6600-5286-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/6700-6321-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/6700-5284-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/6852-4998-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6852-5009-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6852-5064-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6936-4968-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/7024-5006-0x0000021DEF560000-0x0000021DEF570000-memory.dmp

Filesize
64KB

Download
memory/7024-4997-0x0000021DEFF50000-0x0000021DEFFA0000-memory.dmp

Filesize
320KB

Download
memory/7024-4990-0x0000021DED9D0000-0x0000021DED9E8000-memory.dmp

Filesize
96KB

Download
memory/7084-4999-0x0000000002BE0000-0x0000000002BE9000-memory.dmp

Filesize
36KB

Download
memory/7164-5042-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/7164-5008-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download