chaos | cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6

Resubmissions

25/01/2024, 01:57

240125-cdn9qadge6 10

24/01/2024, 15:56

240124-tdhwdadfb5 10

24/01/2024, 11:55

240124-n3eblahecn 10

Analysis

max time kernel
135s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
Size

3.4MB
MD5

f64a5c6fa180acaee93d4fac406c579b
SHA1

bacf88f16fe670ef2d87df154929c51b28b12263
SHA256

cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6
SHA512

01687ae73126dd6540308efa140e56c5410d5971415881a3747cf961c4abcd2e9be4dcd75181f865070bfb4e296617b8e3d61f55de747407a4c459e6a2bc0197
SSDEEP

24576:SvFnlgEsJu/SqXF3mh8uNFr95+CUNHEes4pyQquVexXCP7OigudxcAGZLqrDIjHM:QloJ0wtfSHO43ZpTLiADL

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLS_READ_ME.txt

Ransom Note

Oops, what happend? All of your files have been encrypted Your computer was infected with Frivinho Ransomware. Your files have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin or Robux. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Check this pastebin to get the my newest Bitcoin Adress: https://pastebin.com/raw/wZnisRDV And by cheking the pastebin, you can see more information about how you can pay.

URLs

https://pastebin.com/raw/wZnisRDV

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/1152-0-0x0000000000F70000-0x00000000012DA000-memory.dmp	family_chaos
behavioral1/files/0x000c000000012242-5.dat	family_chaos
behavioral1/memory/2064-7-0x0000000000800000-0x0000000000B6A000-memory.dmp	family_chaos
behavioral1/files/0x000c000000012242-6.dat	family_chaos
behavioral1/files/0x000c000000012242-497.dat	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2924	bcdedit.exe
3012	bcdedit.exe

Renames multiple (196) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1804	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLS_READ_ME.txt	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	svchost.exe
2592	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t7kw5maxa.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
812	vssadmin.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1112	NOTEPAD.EXE
2904	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2064	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1152	cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
1152	cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
1152	cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
2064	svchost.exe
2064	svchost.exe
2064	svchost.exe
2064	svchost.exe
2592	svchost.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
Token: SeDebugPrivilege	2064	svchost.exe
Token: SeBackupPrivilege	2856	vssvc.exe
Token: SeRestorePrivilege	2856	vssvc.exe
Token: SeAuditPrivilege	2856	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeBackupPrivilege	1120	wbengine.exe
Token: SeRestorePrivilege	1120	wbengine.exe
Token: SeSecurityPrivilege	1120	wbengine.exe
Token: SeDebugPrivilege	2592	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2064	1152	cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe	28
PID 1152 wrote to memory of 2064	1152	cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe	28
PID 1152 wrote to memory of 2064	1152	cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe	28
PID 2064 wrote to memory of 1748	2064	svchost.exe	32
PID 2064 wrote to memory of 1748	2064	svchost.exe	32
PID 2064 wrote to memory of 1748	2064	svchost.exe	32
PID 1748 wrote to memory of 812	1748	cmd.exe	31
PID 1748 wrote to memory of 812	1748	cmd.exe	31
PID 1748 wrote to memory of 812	1748	cmd.exe	31
PID 1748 wrote to memory of 2216	1748	cmd.exe	35
PID 1748 wrote to memory of 2216	1748	cmd.exe	35
PID 1748 wrote to memory of 2216	1748	cmd.exe	35
PID 2064 wrote to memory of 1288	2064	svchost.exe	46
PID 2064 wrote to memory of 1288	2064	svchost.exe	46
PID 2064 wrote to memory of 1288	2064	svchost.exe	46
PID 1288 wrote to memory of 3012	1288	cmd.exe	38
PID 1288 wrote to memory of 3012	1288	cmd.exe	38
PID 1288 wrote to memory of 3012	1288	cmd.exe	38
PID 1288 wrote to memory of 2924	1288	cmd.exe	37
PID 1288 wrote to memory of 2924	1288	cmd.exe	37
PID 1288 wrote to memory of 2924	1288	cmd.exe	37
PID 2064 wrote to memory of 2276	2064	svchost.exe	45
PID 2064 wrote to memory of 2276	2064	svchost.exe	45
PID 2064 wrote to memory of 2276	2064	svchost.exe	45
PID 2276 wrote to memory of 1804	2276	cmd.exe	41
PID 2276 wrote to memory of 1804	2276	cmd.exe	41
PID 2276 wrote to memory of 1804	2276	cmd.exe	41
PID 2064 wrote to memory of 1112	2064	svchost.exe	47
PID 2064 wrote to memory of 1112	2064	svchost.exe	47
PID 2064 wrote to memory of 1112	2064	svchost.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
"C:\Users\Admin\AppData\Local\Temp\cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLS_READ_ME.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1112

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Modifies boot configuration data using bcdedit
PID:2924

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:3012

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Deletes backup catalog
PID:1804

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:784

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1604

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,Web,0
1⤵
- Modifies Control Panel
PID:2784

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\PLS_READ_ME.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2904

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
3.4MB

MD5
f64a5c6fa180acaee93d4fac406c579b

SHA1
bacf88f16fe670ef2d87df154929c51b28b12263

SHA256
cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6

SHA512
01687ae73126dd6540308efa140e56c5410d5971415881a3747cf961c4abcd2e9be4dcd75181f865070bfb4e296617b8e3d61f55de747407a4c459e6a2bc0197

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
429KB

MD5
9428bfab4d8d0660e56577c1a669e11d

SHA1
0610855b608c609866d1cf52310b2af2fc392300

SHA256
97b6c61edce55665937a28d814defd2bc5408227d568accc58abd694012bbb0c

SHA512
76ad3e8d6feb752da4ef551a1ece98406c0f23b0e9a252f3cefff987f02534c473b821ae23b5ea0e684b85c5a1085c98f7cd8a7c83080bf06a92fcba1300c20f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
330KB

MD5
936a10967a1b1850cfb7677fab16c18a

SHA1
0a93a5b7e511af8243f5a421f2a1d685df1fc882

SHA256
a1581e608837ed4f2f6ddbe28779c25e30f44568744c690366f2530dedce0052

SHA512
e085a1b2497ba74f28d660f82b3ad67be7f60f8b32afb6f541895b824e02f71f5a9b9c8f2f4be4982510b76d4dfb15f01ebbb0b16a3ba9fc46e69138b3748f5b

Download Submit
C:\Users\Admin\Desktop\AddClear.M2V

Filesize
919KB

MD5
440fe5358993d11d0e0e7e6966a88dc7

SHA1
49245b36aca8358d2949c1b9561bf3cf7692e903

SHA256
c09bef9a2bf36a5175fdb6f2032d9265dd052a38486ce148d00b3e3075f35542

SHA512
dd00748c8e417a66c2997799aac03caa9036769867985fd4a41d2d4172149bf181fc0b4debd0a796ddf48eaefbfc8a6bb9662c8755dc5adc2a2c48124306d51b

Download Submit
C:\Users\Admin\Desktop\CheckpointSet.reg.Frivinho0

Filesize
812KB

MD5
7728bcfd78d4d622266877aaaed337e0

SHA1
ef94fa5bcbf2a68858ca206cd6075c3b15784bd4

SHA256
370674f90577d3db8a82413db438748dbc9ca6a342d9a1296ed33fce1d16c799

SHA512
0a195315b45713b3f3e2bc7ff8a6fdb5954c51b204bc325184220ca3cf1d645d31c04a463dfbd981ab154c0b5ee18ce37b30b76e0107a6b7324a8509b1ba7e2e

Download Submit
C:\Users\Admin\Desktop\CompleteAdd.ps1.Frivinho0

Filesize
535KB

MD5
5fd4f490e7d7de5d5a51fa092242548d

SHA1
d83708fe60b19f3049abd9f3f537b63fddd4fee1

SHA256
597ff88cb20e72da5c74956d8fd36a44a4295cdce58557874aed5c05f4def6fe

SHA512
f0a537e11fe4d7ffe76998ff8d4e3a616aa4ea70e9bd7eb141c426cf070aa8a5ccd33a0272f8ec66be2971c509a4f1bc0c7eab2a5b3c5216ceff1c038d1ae2a3

Download Submit
C:\Users\Admin\Desktop\ConvertToExport.exe.Frivinho0

Filesize
484KB

MD5
bad68afd7e7d763ae337cabcc6020864

SHA1
9811a71be8dd8c47bfafbc97b91aa2f3e6154c2b

SHA256
5e7ff6ec8ed0230ed81b60023d0a5dc81116e211f42accdaa5236a7b3a007113

SHA512
264caae4739665607abdd88a90c1460e5d2df579adaf797b0b4bebc3394f077dd88e89f7eac70e33ad307ba111db5bd7cb7c66466174ae9270d3e77e0185f5b9

Download Submit
C:\Users\Admin\Desktop\DenyMerge.rar.Frivinho0

Filesize
430KB

MD5
7a35de66bc4b5438f21e9387192f8cae

SHA1
ebc3b07e079defce90033f935134e69d5012c5bf

SHA256
0717bc1101805f186a1ed674ff29cd48752bdbd11afe0e7f5d26616d1fec927c

SHA512
3db23b17f0f437e50a013e19e2dec6b735fa854708cf85181762159441c90bf444c138cc8f489328e78d0e6fafb431a5ee40b2f9e5fffecfac0003f2af1e3e94

Download Submit
C:\Users\Admin\Desktop\EnablePop.vbs.Frivinho0

Filesize
843KB

MD5
34548335b46e3b4e5b6f8928a0bfc4fa

SHA1
1087a401118dea604f75643bd036ecee85a11054

SHA256
85647737b1b68d00402c1c5ef622950c2d7a79e6413ec7d0fe0a49979b6a8826

SHA512
83dccba425b63a4bb5101835b6b760a79489ceb5307787a66246ab43ea45c476dac79e3093687d244d53d4b663fc76f4fcf5d5dfe6f981d969600b10d82d630b

Download Submit
C:\Users\Admin\Desktop\ExitCheckpoint.mpeg2

Filesize
346KB

MD5
89c9db88c8f3e8649eb99a03a4814ba8

SHA1
9e50ce84a11c6624f91af5685117461a3c065e49

SHA256
42af38487353effafcacdf6dad3d5b588e0d4fff3ac8534b27678597b907edcf

SHA512
2134aaa2e23da63cefbb4275f53cbfc2e4a2e16d1d7326e551d583602e4e410bf328d9406ac497582bd3bd91d3199e6272ec876423992dae5a3611092b253760

Download Submit
C:\Users\Admin\Desktop\FormatFind.vsx

Filesize
390KB

MD5
20083292543b9b9b09e4886a94ae3f26

SHA1
ca3519dee423e3a141c2c9c823cba227938b7d9e

SHA256
a9eaa592d144ef692eb4cbdfdc7a25cd38517b56b01693fdfd0f669dbd11fc1f

SHA512
8ced9ade0332295528d00c3a08dab5560f9da2fbf1da34da0b636d841b91af209ed6de6eae94ce17180db466a0b66d3547d0e693c07e244d19cfe8dd4020b83c

Download Submit
C:\Users\Admin\Desktop\GrantRegister.wdp

Filesize
483KB

MD5
b101a3b0b3cd2392ba7836874ece5d3b

SHA1
9b1ed9eb79e12d754b4f23ff102ad018b2f91eda

SHA256
f25c4491bd3b67db3b2471899489560c75f8aa577ca9e001fdac329a9fdc3666

SHA512
921eff162d0c4d76e94709e28c0696f8a6b922ef878dd065221596cf24f6b6535c0236619fc63eb27658397780124eb1770f17ff43b8556c6209963aa7ee342c

Download Submit
C:\Users\Admin\Desktop\JoinDisable.search-ms

Filesize
440KB

MD5
9a6e6a6489bcdeda8077aac85d70ec7c

SHA1
4bcf7b8af54f177bbb6e2e2ebaa33bc4b6736bbb

SHA256
7a94e1eb6d7670351ac53239c0758e1a86a3595670c8eb3e202621909cba4107

SHA512
657e4584bfdb9c2e8e0c1eb6ecca99d350971c91308ac5a69734c0c2d82366abb067481aab98a190e1a9e6bef26785906237d3f7349d2eea9703defbc7d60ea1

Download Submit
C:\Users\Admin\Desktop\MergeMount.iso.Frivinho0

Filesize
557KB

MD5
01441a9b5b8d56fbff0b0bb9091b6808

SHA1
31b5b48b03b2ae87267a30b03bc834bcea13e423

SHA256
fd6aff585ab38e0ccf4bb52c6531e95587dc682d355c32b1231f6c7835477182

SHA512
eff3f399777fd16550825afdf2306a4adaf8b91b6c6e90f48b5853df3a77e10f2a408f85a153b377601959132b662b271cc2f14ba3c8e13c3a5e1ab4de5acf47

Download Submit
C:\Users\Admin\Desktop\MergeSend.tiff

Filesize
441KB

MD5
bfe78b38ff8eb821fa5f6db0e6ff78f4

SHA1
7c1851bde82989d87bc5c93e30755503b0cb1047

SHA256
20e41642d6344ecb1ba5aaf45ab8e7563d59ab1405eccfaacc3b0ca8b405184a

SHA512
b4757d425991e5d2a7c58451d9efb4a5eec493e19e6dbbf025894bfdb4ada9e459cd393ab1eb496f497e5280ae0400632e7cd44e3468930d20bba678eb3189e7

Download Submit
C:\Users\Admin\Desktop\PublishUndo.m1v.Frivinho0

Filesize
638KB

MD5
fa2096539d06fd123680d754ebddad1d

SHA1
d49361013ec61922b04221192bf58a64dec44801

SHA256
86c9c74c8b954e2aa949dfeb5ab82320c3c5cc354c11f1759f393cf4b43a96cf

SHA512
03b241a6d0f53a05270b9408fc678c2a7cf9d8e0d9a80c43d5d8feb9a132e0f58ef7bcc47a1d4571ec48b94f157917e9c4f1906e2d3b32a86401ec27a7c530ac

Download Submit
C:\Users\Admin\Desktop\ReceiveUnlock.docm.Frivinho0

Filesize
643KB

MD5
2dbc9d33f04dc14523d67d24fa740f44

SHA1
fc000512cf26724cd56b174cc964c8320ff90d71

SHA256
13a256eb851e79ce3d3aba30ed61a8f21a67e960b74899349ef112a624ca9808

SHA512
0a7d01a45150b9801c6b4904fbfc22e677974f15c29c325d934be2069f34b19282fb1b80b8f9b281e266d557bb1370815f929ad5736ebecb8b3f04de35323fc6

Download Submit
C:\Users\Admin\Desktop\ResetUpdate.mpg.Frivinho0

Filesize
236KB

MD5
655e8d332c65a0cad28895255bca38c8

SHA1
cc94905857f9a445fd971316fd7ae4600907e72c

SHA256
3ec4a0549bb4b0ef541290638093e61f2d0c275bf99b86fba3736d0a9c4641ff

SHA512
52b5db89b474bdaf94650a2668a8def961da07c32246f9d2eb21da3e0ce8bbb0c1f69fcbe05589134a08fdcaffa39c17e6b823f46dcf3311bc9fa08adb868fc3

Download Submit
C:\Users\Admin\Desktop\ResolveOpen.ttf

Filesize
776KB

MD5
eda4391689a3cd0fa90c4f4fc69fb9e4

SHA1
df2b9abf76c22e52e55a67a4a4a92cbf67b40a0f

SHA256
53ab5b7b71dd26ef7e7570d708de8089d95dbabe64402337cc2eb9a70db7e403

SHA512
20a42f078864777ee5139c14130482fdbf586c005ed42a8f1e3bc9c6321e79681e9e0e6d53813e6f5f7fa3d903d3ec1f9eb5ab153dd24b1627de3743d691d095

Download Submit
C:\Users\Admin\Desktop\ResolveWatch.xltm.Frivinho0

Filesize
1.2MB

MD5
f7433ebb816230b301520953b97158cd

SHA1
5748ef69b7978d34cc413b59296c1d664ca8380c

SHA256
f441cf4f422a8fa46b834ae450d0725040331c0e83f78ce87fc5fb3a4fc28979

SHA512
c9066a894ab2da167fd622b1ce2899425ba5df7edfff24f2e9116dcbf04b43a7f19b3bbf3f5143b770832062bb365744ac51c0b6abc3f4f592c3cdf49db03568

Download Submit
C:\Users\Admin\Desktop\SyncJoin.xsl.Frivinho0

Filesize
621KB

MD5
fee269bdc4bb2014496d5003e59f038a

SHA1
c04303bfcd3bf97f88d3d75b2742bce9afe08ab7

SHA256
615ebf8f4f06c90c1768d8b821da94aeb4435d3371397085e235d05d641e9ade

SHA512
4da23a8bd39af8297fe7b1fd82a7f2d639a0048df3d618273b38f5dd8363a8f50b7e41b9722df098672c42234a6ede8521a9b53cd7727102c3efd9688394edf3

Download Submit
C:\Users\Admin\Desktop\SyncMount.aifc

Filesize
696KB

MD5
55db1f34fb64378204613fd291567650

SHA1
19271d18912abddfad98ddf7d6be33d56f5ccc2c

SHA256
c6ccb4619b9f50c5f4a59a5d878ed6f5eea3eb042203f0660b3e1a6b33eefd9d

SHA512
f9acb8ddd3dc2a65cdb3c391851472ebab7da9fc37b40c1758a047ea0d92686ef7a4442d8cb93e7da86bf73b9abb80acb59ed881e4c6b90c5b3e0747e7879564

Download Submit
C:\Users\Admin\Desktop\TestAdd.css.Frivinho0

Filesize
355KB

MD5
b35d28f5b9a741da59e4ab4730cc86a8

SHA1
6b179fad3fde9d876f8df18b79cc52ddc9b78bdd

SHA256
839c9e6c72890508b87448e9494900fda21ce3dc85b24c291110c39d0053e704

SHA512
56bfc1117379ea9e949583fb6d48a9cee0b42f6c7e09cc2b4cb04073398a31942d67a3110e814f2e67ecbf72951ec389fc7ce7c3b149ef48d153e60ad2b8ddab

Download Submit
C:\Users\Admin\Desktop\TestRead.mpv2

Filesize
484KB

MD5
a654441f8381485440061e71485eea7f

SHA1
d26758a81efaa5fcdeb9159e64827ea46acd6991

SHA256
fca150cc425878eac1284c8a7e75db6fbd2e5e08ce880aae916e9520e6333182

SHA512
b943ef0df99168c5eeebd47d45a873ed1b573f98f3fe9cc3cb5fe063a93f13820010604825d33769baead1837133b1763b9b2adef64dcf79b7c0bd731b437d48

Download Submit
C:\Users\Admin\Desktop\TestRegister.3gp2

Filesize
537KB

MD5
e34c981b40c02271b68b6c241e54fd59

SHA1
a145a8aa0143d0b2622db302fe3e1495724090da

SHA256
da63113ab8bda845b09be6790b6c9c3a1beaf111ffc88723cc4be23ab5165d23

SHA512
b146931f160420b65931ff434d9026401239eb20373d4d4c47e496d279e3dbfcf6d6de654b8c0e8e5470566b771771d505b2e26c01eac58172d2c1f7c309f825

Download Submit
C:\Users\Admin\Desktop\UnblockRemove.AAC

Filesize
680KB

MD5
03ca7991bd2eea0939871451065049c8

SHA1
092c412695da1144dfc5cd5f1676d34346a51f34

SHA256
c5414aab9ecd85996a0057a7732a1fdf2a5c56a63089c3cb3394408106560092

SHA512
764d476497740d1ac8f3f201a471eeb5ab92bfb33c14c0b2894aaf9aeea86011ad349c5cf83798ecc7856442ce3cdf76c4488520eb0c3919bc22278608f1cc0e

Download Submit
C:\Users\Admin\Desktop\UnlockHide.dot.Frivinho0

Filesize
471KB

MD5
0e09cc6705e65036699cb6c5a77c245a

SHA1
31b1f6e97defea2e069fd12961de7d7c1b699b4d

SHA256
e3c52830579c451024580539e9aae6323bc3b5dc0380438889993bd5aecb0a46

SHA512
dd94acf492ea8bf08a2bdcdf55c80534a38d326f1ce4a1f573aa5748ec8e37e266f3e154b9db1f1c0076ae421933ef02cea9a95ac4f922b316705f14365ec382

Download Submit
C:\Users\Admin\Desktop\UnlockPush.ppsx

Filesize
656KB

MD5
37eb7627f94cc3171f0ad683fe9bb5d5

SHA1
3c9806891fc48dfd83994b67528e2650d5421523

SHA256
bbb8f77f253969184fc054800d9583b06cd57a6a5749b768d8e34e0f174c5be3

SHA512
a430a8d0f8c461b92ca4b302c311e445b6de7e936ed83c5db245753869d20304bb457e6811b362460278514525fa3f9028f77cd381ddd510d44bd1aec57ea994

Download Submit
C:\Users\Admin\Desktop\UnlockShow.pcx

Filesize
561KB

MD5
2c6e23c3410262db03773e3825663296

SHA1
350a5e07c94104428a1e922876e2f4b4ceb4b9ec

SHA256
74875796096363c4654e9cbb86dc2003051452316f640cdedcdff82f63365201

SHA512
5598e28c2e780fe02e211b44d0aac56b786e68924a811cf2b490b9c50c045c8973b7fb2e2c11a8b8a0e6dd97b467b5c9651f4f7a125181cc9c651b73fa467f0c

Download Submit
C:\Users\Admin\Desktop\UnpublishConvertTo.xps.Frivinho0

Filesize
390KB

MD5
4e78e8c5c9faf804ccd36b1bd3baf45a

SHA1
41b9f45a9a0bfc35562b70132d5a0b1c5d436819

SHA256
d0276115136c24e80e1b83bea9d2a7f8b5f94e8d56ef39f2a32a76865549d8ab

SHA512
a3141fbdac116a61bc4db8c1a662655040482fa8bb2153e9c02b144b3ac502bf72efcb52cc6b6724fb629e6dec460ba0d36d6fff91059a663e49395c845afc4d

Download Submit
C:\Users\Admin\Desktop\desktop.ini.Frivinho0

Filesize
584B

MD5
269aeb78ae254a00b9c401093f4d0654

SHA1
5eab6998337849783fe62b8e7eccf2e7e6b88558

SHA256
0ed9aa43242015acc14995ef9e830cd05f5c925fe3b386858f6f0effeb27d686

SHA512
2a17569de9f17482ff9c2cdd42c62410ccb97ec82860d9be692af0920d84c648c57e3b84c1851ac0acc2c3e411ed54d75877c5a602c150e8306ecd627f140ee0

Download Submit
C:\Users\Admin\Documents\PLS_READ_ME.txt

Filesize
1019B

MD5
bf4f42180e1f6f0dc0dc8e5863fbfdff

SHA1
11ebaf5dd9d926371b27c9cdb86a0b7978deb383

SHA256
c22510ba329236dacd2e14be4c260eca7a8deb7433cb4291311232f37ee40bd7

SHA512
6004b7d2e6a6b4035363d25cb7291dc0be0c0070a8bbadea0c4275278fb4299e3348cb5aebb5d9870ff7986bf43c59983bb3aa1680f1b27fcad8c68064c09c16

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.Frivinho0

Filesize
2KB

MD5
e1e8a9ae96dec8eacaadf9eb8f65110b

SHA1
b44ef818579428556777fefa54a8328948acdf0a

SHA256
ed67c5f3ac51478f4cb12ef91145eeb9bc71a5139ddab703e922b1d41f879f62

SHA512
f42417f76ae8890450187c1fe0c8c569243ef8268e46e850a9f771e58a1901d90aa78b9c12b5efbaaa6e26dbd5d777d5ddaa1cb87acf47f190788d6ca9da4715

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.Frivinho0

Filesize
1KB

MD5
9a6fc9969954229fb101068931928a3c

SHA1
335a4112f27fe1f8f7fc5643b7292e84c797f402

SHA256
d70ae931f7d66aa7271aa1ca09a2785f0ddbef952e903f5354f5e3c34c7cbd27

SHA512
b8ef6a42657c81e152d5afe73cf221301eaa693eaeb6f5fc3d927f0078ab0e0e3e7f4f2af7b1de111c1444a8e58cc6d0fc16dcac3c902498689316055e334328

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.Frivinho0

Filesize
3KB

MD5
c14834b647abf2187f36d369516bb428

SHA1
e81192bba1da300e3f974fedb3e479f66a10bb3e

SHA256
dc3fb2fe2155c15afe29a02e325658181f8f34bad2384a22b9fa6e34e6494a83

SHA512
1ceb7c4381d5d1807f9cf6d4b8c89536d924cff1bcf2ddbe5d1f58a7196b6fd55dfbf085ba95c85909f378de526019b5458fe9ede963a7033c62c07d7ae7bea4

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.Frivinho0

Filesize
1KB

MD5
f2815e4425280345feb269140bd7f72c

SHA1
d2e1b7c38791d983a67c15d7850a8eacc6039f36

SHA256
f6a7bd62322cdbb1901447b79241a19021c8af9eaa87c454251887ae83d067fc

SHA512
62f9dd12ad15839cde7f7370b826db9aa3898f9381b0bc12f5fc0126554d21c697732ea67eb870f16f148d02d3c7e7339c32ed9295e341f86d5203a0ad8e9ad9

Download Submit
C:\Users\Public\Desktop\desktop.ini.Frivinho0

Filesize
436B

MD5
af879fa07278e8ff7a4a5da2dfaa69e1

SHA1
e8e25540339e9ce53b9b181c6153713302558809

SHA256
c5deb1f7f4688429f1c2d8a32ced27cee8b67fdd75e610fc81049ac626625b5b

SHA512
c9ec3907961325a8e46474198fe917fde9a64b08242077f5467e1fb1c0a82631ca65f94255f8af0ed802d6250cd87294311b330a50729ce70adee27cb1dc6be7

Download Submit
memory/1152-8-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/1152-0-0x0000000000F70000-0x00000000012DA000-memory.dmp

Filesize
3.4MB

Download
memory/1152-1-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-11-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2064-7-0x0000000000800000-0x0000000000B6A000-memory.dmp

Filesize
3.4MB

Download
memory/2064-457-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-9-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-458-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2592-498-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2592-499-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download